Block fprint unlock on gdm

[boredsquirrel]

SDDM doesnt, but GDM supports login with fingerprint.

SDDM may support this soon too, it was planned for Plasma 6.

A better option would be something like GrapheneOS, which afaik locks the fingerprint after 3 failed attempts.

On my hardware this is nearly always the case though, because that sensor sucks. It will be more secure though.

Also, fprint-enroll is broken somehow on Silverblue-main-hardened, but I havent tried regular silverblue-main. It works perfectly fine in the TUI, which smells like an upstream bug.

[RoyalOughtness]

I'm confused by this cause it seems like multiple issues in one 😄

On the one hand, you're asking for fprint unlock to be blocked for some reason (why?).

On the other hand, you're reporting a bug. Can you please clarify the core goal for this issue?

[boredsquirrel]

so, I was

1. requesting a security hardening of fprintd to lock after less tries (if not already done)
2. relativizing that request by the fact that the sensor doesnt work well anyways, so not even I can unlock my laptop like that.

I think the default timeout is 2 failed tries at least in the terminal for sudo. This may be different on gdm (and in the future sddm) and also different in plasma and gnome screenlocker.

[RoyalOughtness]

for 1, I'm confused. if it already locks after a few failures, that seems like desired behavior. potentially #127 is related

for 2, please check upstream silverblue-main like you mentioned and if you can't repro there, reopen this issue. Otherwise this is likely an issue with the package itself and you can report it to the maintainers.

[34N0]

Yes this is a PAM issue. The relevant PAM service stacks are unchanged from Fedora. This hsould be tested on a normal Silverblue VM.