Hi there!
First off, thanks a ton for libfprint! It works very well for me.
I've run into the issue where I'm connected to my machine over ssh, and
type 'sudo foo', and end up with an unresponsive connection because sudo
is privileged and pam_fprint is waiting on someone to scan their finger.
My first naive approach was to do the following:
In pam_fprint.c, in do_verify before the do-while.
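
    /* sshd sets SSH_TTY for sessions that have a tty allocated */
    const char *ssh = getenv("SSH_TTY");
    if (ssh != NULL) {
        send_info_msg(pamh, "It looks like you're connected over SSH, "
                            "skipping fingerprint verification.");
        /* let the PAM stack fall through to the next module */
        return PAM_AUTHINFO_UNAVAIL;
    }
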
That relies on your sshd setting SSH_TTY, so it's certainly not
portable. On top of that, someone who knew the password could just set
the environment variable to bypass the fingerprint and go straight to
password verification. Since I use fingerprint reading to avoid having
to type my password (not for security), I don't mind this.
Is there a nice way of doing this? I imagine a timeout might work, but I
see that fp_verify_finger seems to block. I also read some reasons
against this in your archives. You could potentially fork a thread and
kill the child after a certain amount of time. Would libfprint leave the
reader in an unspecified condition / would other things go bad if
fp_verify_finger were unexpectedly interrupted by a thread kill?
Thanks in advance,
RJ Ryan
_______________________________________________
fprint mailing list
[email protected]
http://lists.reactivated.net/mailman/listinfo/fprint
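
The fork-and-kill timeout asked about above, as an added example that is not part of the original post or of libfprint: the blocking verify runs in a child process (a process rather than a thread, so it can be killed outright) and the parent kills it at a deadline. `verify_with_timeout`, the status codes and the two stand-in scan functions are hypothetical; whether the reader is left in a usable state after the kill is the post's open question and is not answered here.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define VERIFY_ERROR     (-1)   /* constructed status codes, not libfprint's */
#define VERIFY_TIMED_OUT (-2)

static long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);    /* immune to wall-clock changes */
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Run a blocking verify callback in a child and SIGKILL it after timeout_ms.
 * Returns the callback's result (low 8 bits, carried in the exit status),
 * VERIFY_TIMED_OUT or VERIFY_ERROR. */
int verify_with_timeout(int (*blocking_verify)(void), long timeout_ms)
{
    pid_t pid = fork();
    if (pid < 0) return VERIFY_ERROR;
    if (pid == 0) _exit(blocking_verify() & 0xff);
    const struct timespec tick = { 0, 20 * 1000 * 1000 };   /* 20 ms poll */
    long deadline = now_ms() + timeout_ms;
    int status;
    while (now_ms() < deadline) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            return WIFEXITED(status) ? WEXITSTATUS(status) : VERIFY_ERROR;
        if (r < 0) return VERIFY_ERROR;   /* e.g. host ignores SIGCHLD */
        nanosleep(&tick, NULL);
    }
    kill(pid, SIGKILL);         /* nobody scanned a finger in time */
    waitpid(pid, &status, 0);   /* reap the child so no zombie is left */
    return VERIFY_TIMED_OUT;    /* a PAM module could map this to PAM_AUTHINFO_UNAVAIL */
}

/* Constructed stand-ins for the blocking scan call. */
static int scan_matches(void) { return 0; }
static int scan_never_completes(void) { for (;;) pause(); }

int main(void)
{
    printf("match:   %d\n", verify_with_timeout(scan_matches, 2000));
    printf("no scan: %d\n", verify_with_timeout(scan_never_completes, 300));
    return 0;
}
```

Unlike the `SSH_TTY` check, the timeout does not depend on anything the calling user controls in the environment.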