author | Benjamin Berg <bberg@redhat.com> | 2021-06-29 20:27:35 +0200 |
---|---|---|
committer | Benjamin Berg <bberg@redhat.com> | 2021-07-01 12:59:11 +0200 |
commit | 9ec1747b84256751f60b997fad8cee2332de1dd1 (patch) | |
tree | 933acde82ff82874d07f01f8b89f55d1fccdf281 | |
parent | 6482e2dbd410ea04a9f18e3b793e17e2b5ee616f (diff) |
Revert "pam_fprintd: Just return a PAM_AUTH_ERROR on unknown errors"
This reverts commit ecf6b7c323fd5dd419f869c278e14f48f90e9952.
The idea of the commit was to make device failures less fatal to the
system. Unfortunately, we can fail quickly in this case, and returning
PAM_AUTH_ERR means that the user might run into a retry limit due to
this.
Go back to reporting PAM_AUTHINFO_UNAVAIL, it appears as the lesser evil
right now. Ideally we want a way to tell the upper stack to retry
authentication whenever there is a good opportunity, but to not consider
it as an authentication failure.
-rw-r--r-- | pam/pam_fprintd.c | 2 | ||||
-rw-r--r-- | tests/pam/test_pam_fprintd.py | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/pam/pam_fprintd.c b/pam/pam_fprintd.c
index c7bb617..58d15d7 100644
--- a/pam/pam_fprintd.c
+++ b/pam/pam_fprintd.c
@@ -565,7 +565,7 @@ do_verify (sd_bus *bus,
 }
 else if (str_equal (data->result, "verify-unknown-error"))
 {
- return PAM_AUTH_ERR;
+ return PAM_AUTHINFO_UNAVAIL;
 }
 else if (str_equal (data->result, "verify-disconnected"))
 {
diff --git a/tests/pam/test_pam_fprintd.py b/tests/pam/test_pam_fprintd.py
index a874b64..be66818 100644
--- a/tests/pam/test_pam_fprintd.py
+++ b/tests/pam/test_pam_fprintd.py
@@ -97,7 +97,7 @@ class TestPamFprintd(dbusmock.DBusTestCase):
 ]
 self.device_mock.SetVerifyScript(script)
- tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rv=PAM_AUTH_ERR)
+ tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rv=PAM_AUTHINFO_UNAVAIL)
 res = pypamtest.run_pamtest("toto", "fprintd-pam-test", [tc], [ 'unused' ])
 self.assertRegex(res.info[0], r'Swipe your left little finger across the fingerprint reader') |
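Review bot: The `verify-unknown-error` branch of do_verify returns `PAM_AUTHINFO_UNAVAIL` with no comment recording why, although this return value has now been switched in both directions and the commit message itself calls the current choice the lesser evil. I would add a comment above the return, e.g. `/* Device failure, not a rejected finger: must not count as PAM_AUTH_ERR towards retry limits. */`, so the trade-off is visible in the code and not only in the history. How the stack reacts to PAM_AUTHINFO_UNAVAIL depends on the control flags in the service's PAM configuration, which is not visible here, so it is worth confirming that the shipped configurations fall through to another factor and do not treat this result as ignorable for a required module. do_verify's body starts and ends outside the hunk.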