fingerprint login can't access encrypted home user account

Bug #998367 reported by carlosv
This bug affects 15 people
Affects | Status | Importance | Assigned to | Milestone
Fingerprint GUI | Invalid | Undecided | Unassigned |
Light Display Manager | Invalid | Undecided | Unassigned |
ecryptfs-utils (Ubuntu) | Won't Fix | Undecided | Unassigned |
libfprint (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

In Ubuntu 12.04 (and maybe in 11.10 too), if you have an encrypted home directory, then logging in from GDM by fingerprint does not work: the home directory cannot be decrypted. For non-encrypted users it works fine, but for encrypted users, after the fingerprint is recognized, it tries to start Ubuntu but seems to break and comes back to the lightDM login. With the password it works fine.

I have libfprint0: Installed: 1:0.4.0+git20120202-0ppa1~precise2

Normally it should allow to log in but it can access and comes back to the lightDM.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libfprint0 20110418git-2build1
ProcVersionSignature: Ubuntu 3.2.0-24.37~ppa3-generic-tuxonice 3.2.14
Uname: Linux 3.2.0-24-generic-tuxonice x86_64
NonfreeKernelModules: wl
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Sat May 12 10:41:58 2012
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
SourcePackage: libfprint
UpgradeStatus: Upgraded to precise on 2012-05-03 (8 days ago)

carlosv (cvedovatti) wrote :
tags: added: 11.10 12.04 encrypted fprint home lightdm ubuntu user
carlosv (cvedovatti) wrote :

According to Gilles (http://linux.derkeiler.com/Mailing-Lists/Ubuntu/2012-05/msg00053.html)

There are 2 issues at hand, here...

1) The .fprint directory, which stores the fingerprint database of a user, is stored in the encrypted home directory. So it is not available to the greeter application to recognize prints. This is what causes the "Could not locate any suitable fingerprints matched with available hardware" message on the login prompt.

2) If you decide to copy these files to /home/YourUser from a command line, without the encrypted home there, then you can actually login from the greeter session, with recognized prints. But then a second phenomenon appears. Since you didn't type your password, there is nothing to unlock your home directory encryption key... which means it doesn't get decrypted... which means you get kicked out of your session immediately as no configuration files are available.
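
Added example, not part of the original thread and not code from any of the projects involved: a shell audit that flags the combination described above, a fingerprint PAM module enabled for authentication while a user's eCryptfs mount passphrase is wrapped with the login password. The function names are hypothetical; the layout `/home/.ecryptfs/<user>/.ecryptfs/wrapped-passphrase` and the module names `pam_fprintd.so` and `pam_fingerprint-gui.so` are assumptions about a stock Ubuntu encrypted-home setup.

```shell
#!/bin/sh
# Added example: audit for the conflict described in this bug report.
# Assumptions: encrypted homes use the stock Ubuntu layout
# /home/.ecryptfs/<user>/.ecryptfs/wrapped-passphrase, and fingerprint login
# is provided by pam_fprintd.so or pam_fingerprint-gui.so.
# Each function takes an optional root prefix (e.g. a mounted image).

# List PAM service files that load a fingerprint module for "auth".
fingerprint_pam_services() {
    root=${1:-}
    grep -lE '^[[:space:]]*auth[[:space:]].*pam_(fprintd|fingerprint-gui)\.so' \
        "$root"/etc/pam.d/* 2>/dev/null | sed 's|.*/||'
}

# List users whose eCryptfs mount passphrase is wrapped with their password.
ecryptfs_users() {
    root=${1:-}
    for d in "$root"/home/.ecryptfs/*/; do
        [ -f "${d}.ecryptfs/wrapped-passphrase" ] && basename "$d"
    done
    return 0
}

# Warn for every encrypted-home user when fingerprint auth is enabled.
# Returns 1 if at least one user is affected, 0 otherwise.
audit_fingerprint_ecryptfs() {
    root=${1:-}
    services=$(fingerprint_pam_services "$root" | paste -s -d ' ' -)
    users=$(ecryptfs_users "$root")
    [ -n "$services" ] && [ -n "$users" ] || return 0
    for u in $users; do
        echo "WARN: $u: fingerprint login ($services) cannot unwrap the eCryptfs passphrase"
    done
    return 1
}

# Usage on a live system:   audit_fingerprint_ecryptfs
# Usage on a mounted image: audit_fingerprint_ecryptfs /mnt/image
```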

Evertjan Garretsen (egarretsen) wrote :

In the fingerprint GUI you will have to store your password on an external device (only USB works in my case. Memory Card is not seen as an external device sadly).

After you have saved it to a USB stick I can log in to an encrypted home dir. The stick will always have to be plugged in for logging in to an encrypted home directory.

I hope this is of help.

carlosv (cvedovatti) wrote :

@Evertjan
Thanks for the tip. Did you try to do it maybe to another partition on the hard disk?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ecryptfs-utils (Ubuntu):
status: New → Confirmed
Changed in libfprint (Ubuntu):
status: New → Confirmed
Paolo Melchiorre (paulox) wrote :

@Evertjan I think this workaround is not usable for end users with no skill.
I think we need a real fix to solve this issue.

Changed in fingerprint-gui:
status: New → Confirmed
Changed in lightdm:
status: New → Confirmed
Viale Fabrice (viale-fabrice) wrote :

Is there any possibility to store the fingerprint database of a user inside the / partition rather than the encrypted /home?

Evertjan Garretsen (egarretsen) wrote :

I have not tried to store the key on another partition. In fact I removed the fingerprint functionality, for it is too buggy at the moment. Fingerprints are not recognised a lot of times. Only one scan per finger as reference causes this, I suspect. Also it crashed several times and caused a white block in the bottom half of the screen. The graphics of the interface are also outdated and not in the same style as Ubuntu. That's why I disabled it again. Maybe in the future I will try again.

TJ (tj) wrote :

Seeing this also with Precise and a Dell XPS m1530. I've been thinking of how we could get around the problem without a kludge.

It occurs to me that the authenticated fingerprint could issue a unique hash that could be used by ecryptfs as a second passphrase - rather like cryptsetup with LUKS can have multiple key slots for the same protected volume. I need to dig into ecryptfs to find out if this would be possible.

Paolo Melchiorre (paulox) wrote :

@TJ I hope you'll find the way.

Paolo Melchiorre (paulox) wrote :

What about the new encrypted installation method of Ubuntu 12.10 related to this bug?

bar (barhofesh) wrote :

Any news regarding this?

Shang Wu (shangwu) wrote :

I am using 13.04 with the fingerprint-gui 1.05 (from https://launchpad.net/~fingerprint/+archive/fingerprint-gui)

At the last step of the fingerprint password creation, you will need a removable media to store the password, which will solve this issue. I believe this might be the workaround at the moment.

Shang Wu (shangwu) wrote :

You will need to have the USB (or removable media) inserted in the system during the login process.

semidark (nthomaier) wrote :

Since I like the functionality of the fingerprint-gui even if I can't decrypt my Home at login, it would be good to have a configuration to disable the functionality in the Login Screen (lightdm) but keep it in the other authentication dialogs (screensaver, sudo and so on).

Would this be possible?

carlosv (cvedovatti) wrote :

Hi,

In fact, I use the USB method as a workaround. Nevertheless, it doesn't solve the problem because you must have it connected. If you keep it connected all the time, it is a security risk because the passphrase to unencrypt the home folder is there. So it makes it kind of inconvenient, and to plug the USB on every login is not really the optimal solution.

What TJ (tj) said sounds like a possible solution.

@semidark if what you are asking is to disable decryption at login, it is not possible. The encryption is set when creating the user; you can decide to not encrypt the home folder and you won't have this trouble. Or if you already have the home folder encrypted, you could decrypt it.

Christopher Barrington-Leigh (cpbl) wrote :

This problem still exists in 13.10.

I have an encrypted home folder.
When I installed the fprint system, it asked me which authentications to tie to fingerprint, and it included ecrypt.
However, when I log in, with or without typing password, at the login screen, it dumps me into a nonresponsive black screen.

This is not a friendly outcome.

If I log in through tty, I am told of the problem and told to try running
ecryptfs-mount-private

which takes my normal password and then mounts my home folder. After that, if I kill the gnome-session I can subsequently log in.

In fact, the above sounds like a better workaround than having an external USB? Log in first using tty, do the above sequence, and then return to the GUI login screen.

summary: - fingerprint login in ubuntu 12.04 can't access encrypted home user
- account
+ fingerprint login can't access encrypted home user account
Dustin Kirkland  (kirkland) wrote : Re: [Bug 998367] Re: fingerprint login can't access encrypted home user account

I will never, ever, ever add support to eCryptfs for fingerprint
readers. Sorry. For more information, see:

http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
:-Dustin

On Sat, Dec 14, 2013 at 3:53 PM, Christopher Barrington-Leigh
<email address hidden> wrote:
> This problem still exists in 13.10.
>
> I have an encrypted home folder.
> When I installed the fprint system, it asked me which authentications to tie to fingerprint, and it included ecrypt.
> However, when I log in, with or without typing password, at the login screen, it dumps me into a nonresponsive black screen.
>
> This is not a friendly outcome.
>
> If I log in through tty, I am told of the problem and told to try running
> ecryptfs-mount-private
>
> which takes my normal password and then mounts my home folder. After
> that, if I kill the gnome-session I can subsequently log in.
>
> In fact, the above sounds like a better workaround than having an
> external USB? Log in first using tty, do the above sequence, and then
> return to the GUI login screen.

carlosv (cvedovatti) wrote :

Ok... I get your point. I understand your idea about the fingerprints.

Nevertheless, I think it is fair to give the user the opportunity to choose either to use or not to use the fingerprints to identify. The information that you shared makes a valid point, but in my opinion the final decision must be taken by the user, understanding the risk that it involves.

Therefore, I think it is necessary to solve this bug.

Dustin Kirkland  (kirkland) wrote :

There is no point in encrypting your data if you're going to use fingerprints to "authenticate".

Changed in ecryptfs-utils (Ubuntu):
status: Confirmed → Won't Fix
Andras Muranyi (muranyia) wrote :

How about NOT displaying the fingerprint prompt at login when the home is encrypted?

joncamfield (jon-camfield) wrote :

This provides exactly that workaround: http://fun.kyco.de/2011/12/25/finger-print-reader-vs-encrypted-home/ -- also see comment #10 at https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/255799 for a similar approach.

carlosv (cvedovatti) wrote :

I tried the workaround as described and unfortunately it didn't work. But thanks for the info.

Björn (netaddict) wrote :

Bug still exists in 16.04. Comment #22 would just solve the problem.

Markus Kwaśnicki (mrkskwsnck) wrote :

I just ran into exactly that issue running Linux Mint 18.3 with encrypted home folder and set up fingerprints to "login" :-)

To understand why this issue is still unresolved I also have read Dustin Kirkland's blog post and now I understand.

So, as a solution to the underlying problem we have here I vote for comment #22, too.


Marco Trevisan (Treviño) (3v1n0) wrote :

This should not be an issue anymore, as fprintd saves the prints in /var/lib/fprintd.

Changed in libfprint (Ubuntu):
status: Confirmed → Fix Released
Changed in fingerprint-gui:
status: Confirmed → Invalid
Changed in lightdm:
status: Confirmed → Invalid
Ricardo Silveira (rjmsilveira) wrote :

I still see the issue with 20.04

After a reboot, I get the 'swipe finger to login' message.
I swipe, it tries to log in and immediately logs out.
I then have to wait for the timeout to enter the password, I log in and log out, and the fingerprint now works without any issue.

Message on syslog is the same as above mentioned
fprintd[1154]: Device responded with error: 789
fprintd[1154]: Ignoring device due to initialization error: The driver encountered a protocol error with the device.

Lenovo ThinkPad T14
Linux 5.6.0-1036-oem #39-Ubuntu SMP Wed Dec 2 08:54:16 UTC 2020
Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04
Codename: focal
