Russell Ryan wrote:
> Hi there!
>
> First off, thanks a ton for libfprint! It works very well for me.
>
> I've run into the issue where I'm connected to my machine over ssh,
> and type 'sudo foo', and end up with an unresponsive connection
> because sudo is privileged and pam_fprint is waiting on someone to
> scan their finger.
>
> My first naive approach was to do the following:
>
> In pam_fprint.c, in do_verify before the do-while.
>
> const char *ssh = getenv("SSH_TTY");
> if(ssh == NULL) {
> send_info_msg(pamh,"It looks like you're connected over SSH, skipping fingerprint verification.");
> return PAM_AUTHINFO_UNAVAIL;
> }
and of course, here I meant ssh != NULL...
>
> That relies on your sshd setting SSH_TTY, so it's certainly not
> portable. On top of that, someone who knew the password could just set
> the environment variable to bypass the fingerprint and go straight to
> password verification. Since I use fingerprint reading to avoid having
> to type my password (not for security), I don't mind this.
>
> Is there a nice way of doing this? I imagine a timeout might work, but
> I see that fp_verify_finger seems to block. I also read some reasons
> against this in your archives. You could potentially fork a thread and
> kill the child after a certain amount of time. Would libfprint leave
> the reader in an unspecified condition / would other things go bad if
> fp_verify_finger were unexpectedly interrupted by a thread kill?
>
>
> Thanks in advance,
> RJ Ryan
>
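
The fork-and-kill timeout asked about in the message above, as an added C example that is not part of the original message, pam_fprint or libfprint. `fake_blocking_verify`, `verify_with_timeout` and the `VERIFY_*` codes are hypothetical names, and the stand-in only sleeps, so the example says nothing about the state a real reader is left in when the child is killed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Result codes for this example only (not libfprint or PAM values). */
enum { VERIFY_MATCH = 0, VERIFY_NO_MATCH = 1, VERIFY_TIMEOUT = 2, VERIFY_ERROR = 3 };

/* Hypothetical stand-in for the blocking fingerprint call: blocks for
 * *arg seconds, then reports a match. */
static int fake_blocking_verify(void *arg) {
    sleep((unsigned)*(int *)arg);
    return VERIFY_MATCH;
}

/* Run verify(arg) in a child process and wait at most timeout_s seconds.
 * A timeout or any wait failure is never reported as a match, so the caller
 * can fall through to the next method (the snippet in the message returns
 * PAM_AUTHINFO_UNAVAIL for that purpose). */
int verify_with_timeout(int (*verify)(void *), void *arg, int timeout_s) {
    int status;
    pid_t r, pid = fork();
    if (pid < 0) return VERIFY_ERROR;
    if (pid == 0) _exit(verify(arg));      /* child: result is the exit status */

    struct timespec tick = {0, 50 * 1000 * 1000};          /* poll every 50 ms */
    for (int waited = 0; waited < timeout_s * 1000; waited += 50) {
        r = waitpid(pid, &status, WNOHANG);
        if (r == pid) return WIFEXITED(status) ? WEXITSTATUS(status) : VERIFY_ERROR;
        if (r < 0 && errno != EINTR) return VERIFY_ERROR;
        nanosleep(&tick, NULL);
    }
    kill(pid, SIGKILL);                    /* deadline passed: stop the child */
    do { r = waitpid(pid, &status, 0); } while (r < 0 && errno == EINTR);
    if (r != pid) return VERIFY_ERROR;     /* could not reap: fail closed */
    /* The child may have finished just before the kill; honour its result. */
    return WIFEXITED(status) ? WEXITSTATUS(status) : VERIFY_TIMEOUT;
}

int main(void) {
    int quick = 0, slow = 5;               /* constructed inputs */
    printf("quick: %d\n", verify_with_timeout(fake_blocking_verify, &quick, 2));
    printf("slow:  %d\n", verify_with_timeout(fake_blocking_verify, &slow, 1));
    return 0;
}
```

Inside a PAM module the fork happens in the calling application's process (sudo here), so any SIGCHLD handling that application has installed also sees the child exit.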