N Winkel <nw1...@outlook.com> writes:

> Hi Tramp Development Team,

Hi Neri,

> Would it be possible to add the prompts sudo gives for fingerprint
> authentication to the prompts for tramp? Currently it does accept the
> fingerprint, however it doesn't show a prompt or give an option to
> cancel it and go to password authentication instead, instead timing
> out and erroring.
>
> When sudo prompts for fingerprint it gives "Place your finger on the
> fingerprint reader", times out with the message "Verification timed
> out" after 30 seconds and sends to password verification (at least
> when run from shell). Alternatively if you want to cancel fingerprint
> auth and go straight to password, you can send Ctrl+C.
>
> Currently when I try to use tramp (and don't use the fingerprint
> reader) it times out after 15 seconds with tramp-error: Timeout
> reached, see buffer ´*tramp/sudo root@localhost*´ for details, a
> buffer which contains "Place your finger on the fingerprint reader".
> With fprintd enabled in my /etc/pam.d/sudo I currently have no way of
> using password in tramp (unless I add a script that detects being
> within tramp and skips fprint).
>
> I hope this can be implemented! I should be able to test an
> implementation if someone can work on it (provided I find out how to)
> if needed.
>
> N.B. I initially asked this on Emacs StackExchange where it was
> suggested to request here.

It was me who has pointed you to the tramp-devel ML :-)

Meanwhile, I've tried to add some bits. Appended is a patch (for
tramp.el and tramp-sh.el), which is just my naïve implementation of the
feature. Note that I have no fingerprint reader on my laptop; I've
grepped the respective fprintd messages from the sources. I cannot test myself.

The patch adds a new user option tramp-use-fingerprint. If it is non-nil
(the default), Tramp tries to support you in using the fingerprint
reader by a respective message. If the user option is nil, Tramp tries
to send ^C to the remote, cancelling the fingerprint session, in order
to fall back to password authentication.

Please install the recent Tramp 2.7.1.4 from GNU ELPA, and apply the
patch. Then test test test. I'm interested in both the successful and
failing cases.

Before running the tests, set tramp-verbose to 10. In case of problems,
pls send the respective Tramp debug buffer(s).

> Many Thanks,
> Neri

Best regards, Michael.

diff --git a/lisp/tramp-sh.el b/lisp/tramp-sh.el
index de566ecd..9b914663 100644
--- a/lisp/tramp-sh.el
+++ b/lisp/tramp-sh.el
@@ -597,6 +597,7 @@ shell from reading its init file."
   '((tramp-login-prompt-regexp tramp-action-login)
     (tramp-password-prompt-regexp tramp-action-password)
     (tramp-otp-password-prompt-regexp tramp-action-otp-password)
+    (tramp-fingerprint-prompt-regexp tramp-action-fingerprint)
     (tramp-wrong-passwd-regexp tramp-action-permission-denied)
     (shell-prompt-pattern tramp-action-succeed)
     (tramp-shell-prompt-pattern tramp-action-succeed)
@@ -622,6 +623,7 @@ corresponding PATTERN matches, the ACTION function is called.")
 (defconst tramp-actions-copy-out-of-band
   '((tramp-password-prompt-regexp tramp-action-password)
     (tramp-otp-password-prompt-regexp tramp-action-otp-password)
+    (tramp-fingerprint-prompt-regexp tramp-action-fingerprint)
     (tramp-wrong-passwd-regexp tramp-action-permission-denied)
     (tramp-copy-failed-regexp tramp-action-permission-denied)
     (tramp-security-key-confirm-regexp tramp-action-show-and-confirm-message)
diff --git a/lisp/tramp.el b/lisp/tramp.el
index 863422a6..986fde31 100644
--- a/lisp/tramp.el
+++ b/lisp/tramp.el
@@ -703,12 +703,51 @@ The regexp should match at end of buffer."
 	 "No supported authentication methods left to try!"
 	 (: "Login " (| "Incorrect" "incorrect"))
 	 (: "Connection " (| "refused" "closed"))
-	 (: "Received signal " (+ digit)))
+	 (: "Received signal " (+ digit))
+	 ;; Fingerprint.
+	 "Verification timed out"
+	 "Failed to match fingerprint"
+	 "An unknown error occurred")
       (* nonl))
   "Regexp matching a `login failed' message.
 The regexp should match at end of buffer."
   :type 'regexp)

+;; <https://gitlab.freedesktop.org/libfprint/fprintd/-/blob/master/pam/fingerprint-strings.h?ref_type=heads>
+(defcustom tramp-fingerprint-prompt-regexp
+  (rx (| "Place your finger on"
+	 "Swipe your finger across"
+	 "Place your left thumb on"
+	 "Swipe your left thumb across"
+	 "Place your left index finger on"
+	 "Swipe your left index finger across"
+	 "Place your left middle finger on"
+	 "Swipe your left middle finger across"
+	 "Place your left ring finger on"
+	 "Swipe your left ring finger across"
+	 "Place your left little finger on"
+	 "Swipe your left little finger across"
+	 "Place your right thumb on"
+	 "Swipe your right thumb across"
+	 "Place your right index finger on"
+	 "Swipe your right index finger across"
+	 "Place your right middle finger on"
+	 "Swipe your right middle finger across"
+	 "Place your right ring finger on"
+	 "Swipe your right ring finger across"
+	 "Place your right little finger on"
+	 "Swipe your right little finger across"
+	 "Place your finger on the reader again"
+	 "Swipe your finger again"
+	 "Swipe was too short, try again"
+	 "Your finger was not centred, try swiping your finger again"
+	 "Remove your finger, and try swiping your finger again")
+      (* nonl))
+  "Regexp matching fingerprint prompts.
+The regexp should match at end of buffer."
+  :version "30.2"
+  :type 'regexp)
+
 (defcustom tramp-yesno-prompt-regexp
   (rx "Are you sure you want to continue connecting (yes/no"
       (? "/[fingerprint]") ")?"
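Review bot: Adding "Verification timed out" to tramp-wrong-passwd-regexp (the new ";; Fingerprint." block) routes the fprintd timeout to tramp-action-permission-denied in both action lists touched in tramp-sh.el, while the report above says sudo moves on to password verification after that message. Treating the timeout as a login failure would likely end the attempt before the password prompt can be handled; consider leaving that string out of this regexp, or handling it in tramp-action-fingerprint instead. "An unknown error occurred" is also generic enough to match unrelated output, so a comment naming its fprintd origin, or a tighter match, would help.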
@@ -5693,6 +5732,22 @@ of."
       (narrow-to-region (point-max) (point-max))))
   t)

+(defcustom tramp-use-fingerprint t
+  "Whether fingerprint prompts shall be used for authentication."
+  :version "30.2"
+  :type 'boolean)
+
+(defun tramp-action-fingerprint (proc vec)
+  "Query the user for a fingerprint verification.
+Interrupt the query if `tramp-use-fingerprint' is nil."
+  (with-current-buffer (process-buffer proc)
+    (if tramp-use-fingerprint
+	(tramp-action-show-message proc vec)
+      (process-send-string proc ""))
+    ;; Hide message.
+    (narrow-to-region (point-max) (point-max)))
+  t)
+
 (defun tramp-action-succeed (_proc _vec)
   "Signal success in finding shell prompt."
   (throw 'tramp-action 'ok))
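Review bot: In tramp-action-fingerprint, the nil branch calls (process-send-string proc "") with what reads here as an empty string, so nothing that would cancel the fingerprint session is sent. If a raw control character is embedded in the literal, write it as the escape "\C-c" so it survives mail transport and editors. The docstring of tramp-use-fingerprint should also state that nil interrupts the fingerprint prompt in order to fall back to password authentication.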
@@ -5739,6 +5794,15 @@ The terminal type can be configured with `tramp-terminal-type'."
   (tramp-send-string vec (concat tramp-terminal-type tramp-local-end-of-line))
   t)

+(defun tramp-action-show-message (proc vec)
+  "Show the user a message for action."
+  (with-current-buffer (process-buffer proc)
+    (let (inhibit-message)
+      (tramp-message vec 6 "\n%s" (buffer-string))
+      (tramp-check-for-regexp proc tramp-process-action-regexp)
+      (message (string-trim (match-string 0)))))
+  t)
+
 (defun tramp-action-confirm-message (_proc vec)
   "Return RET in order to confirm the message."
   (tramp-message
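Review bot: In tramp-action-show-message, (message (string-trim (match-string 0))) passes text received from the process as the format string, so a "%" in the prompt would be interpreted as a format directive; use (message "%s" (string-trim (match-string 0))) instead. The return value of tramp-check-for-regexp is also ignored, so match-string 0 can read stale match data when the regexp did not match. A short comment on (let (inhibit-message) ...) saying that it rebinds the variable to nil so the message is always shown would make the intent clear.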
