
pantheon-agent-polkit's Introduction

Pantheon Polkit Agent


Building, Testing, and Installation

You'll need the following dependencies:

  • libadwaita-1-dev
  • libgranite-7-dev (>= 7.0.0)
  • libgtk-4-dev
  • libpolkit-gobject-1-dev
  • libpolkit-agent-1-dev
  • meson
  • valac (>= 0.34.1)

Run meson to configure the build environment and then ninja to build:

meson build --prefix=/usr
cd build
ninja

To install, use ninja install:

sudo ninja install

pantheon-agent-polkit's People

Contributors

arpad-csepi, bagjunggyu, cassidyjames, codygarver, comradekingu, danirabbit, davidmhewitt, donadigo, elementarybot, fitojb, hugok79, ihorhordiichuk, jaimie85, josprachi, lenemter, marcin-serwin, martinmyrvold, mtamas85, nasserbinlaboun, nathanbnm, norwayfun, p-bo, petrichor-494, queeup, ryonakano, shtonchjo, sporiff, tomiohl, weblate, yarons


pantheon-agent-polkit's Issues

Show Feedback and Wait for Hardware Security Key

If a FIDO/U2F key is required for LightDM in PAM, we should wait for a bit of time to wait for it to authenticate for PolKit; typically I see somewhere in the range of 10–30 seconds for web services and LightDM. We should show a message and spinner of some sort during this time to prompt the user to insert and authenticate the key.

Right now it looks like the agent just immediately returns a failure which means you can't enable a security key in PAM for LightDM, and then use anything that uses polkit.

Add Linter to CI

Update CI process for pantheon-agent-polkit to include a vala-lint step.

Authentication in non-admin account doesn't show the admin username

The other day, I noticed a strange bug. If there are several users on elementaryOS, then when authenticating the 2nd user, you can use the password from the first one. This doesn't work on the login screen or in terminal, when I'm running "sudo su", but works when upgrading in AppCenter or when pantheon-files is opened in Administrator mode. Here's a detailed explanation of how it all works:

Test: first account, account type - administrator, exists in sudo group, password - qwerty
Test2: second account, account type - standard, doesn't exist in sudo group, password - 123456

screenshot from 2017-09-08 14 39 02
screenshot from 2017-09-08 14 38 49

I can press "unlock", enter the password from the first account "qwerty" (But, I'm sitting from the second account!?), and I'll get more permissions (root).

screenshot from 2017-09-08 14 40 08
screenshot from 2017-09-08 14 39 35
screenshot from 2017-09-08 14 40 37

screenshot from 2017-09-08 14 41 04
screenshot from 2017-09-08 14 41 27
screenshot from 2017-09-08 14 41 41

I ran tests on two PCs: the first PC is my main computer, and on the second PC elementaryOS was installed from scratch. Both PCs have elementaryOS 0.4.1 stable installed, with all the upgrades. This bug appeared on both machines. This does not give any advantages to attackers, because it still requires a password, but this is an unpleasant problem that should not be there.

PC specs:
2017-09-08 14 52 26
screenshot from 2017-09-08 14 38 27

Thanks for your attention, I hope this problem will be solved :)

binary is installed to hardcoded /usr/lib

The agent binary is installed to /usr/lib/policykit-1-pantheon, where the "/lib" part is hardcoded in the CMake config files. The correct location for binaries like this is /usr/libexec/PROG/BINARY if you really don't want it to show up in $PATH, otherwise just install it to /usr/bin/*. Just use *LIBEXECDIR or *BINDIR from CMake's GNUInstallDirs module to let it handle that automatically.

Avoid password prompt after login

If, shortly after having passed the greeter, you want to install a program, you are asked for your password again. It's really annoying. The number of times GNU/Linux users are asked for their passwords is crazy. elementary OS is greatly about user experience, and this would improve it enormously!

Show real names

Would be a little prettier and less technical. Could probably put the username in parentheses in case of duplicate real names. Since these are on the login screen, I don't think there's a privacy issue.



Show avatar placeholder in combobox

screenshot from 2017-12-07 12 50 14

It looks kinda funny that the entry has an icon but the combobox doesn't. We should probably squeeze an avatar-default-symbolic in there for symmetry

Prefer current user

On a multi-user system, the agent currently always defaults to the first user account in the dropdown. Instead, it should default to the current user.

autostart .desktop file not included in release

The agent needs a .desktop file in the /etc/xdg/autostart folder to start up in a pantheon session, but this file is not part of the official release (maybe a part of the debian packaging files?).

Please include this file in the next release and install it to the correct location.

Could not find a package configuration file provided by "Vala"

-- The C compiler identification is GNU 7.2.1
-- The CXX compiler identification is GNU 7.2.1
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Found PkgConfig: /usr/bin/pkg-config (found version "0.29.2")
-- Checking for modules 'gtk+-3.0;polkit-agent-1;polkit-gobject-1'
-- Found gtk+-3.0, version 3.22.26
-- Found polkit-agent-1, version 0.114
-- Found polkit-gobject-1, version 0.114
CMake Error at CMakeLists.txt:25 (find_package):
By not providing "FindVala.cmake" in CMAKE_MODULE_PATH this project has
asked CMake to find a package configuration file provided by "Vala", but
CMake did not find one.

Could not find a package configuration file provided by "Vala" with any of
the following names:

ValaConfig.cmake
vala-config.cmake

Add the installation prefix of "Vala" to CMAKE_PREFIX_PATH or set
"Vala_DIR" to a directory containing one of the above files. If "Vala"
provides a separate development package or SDK, be sure it has been
installed.

-- Configuring incomplete, errors occurred!

Add AppData

So that users get clearer updates and issue URLs are available

Use avatars

Follow up to #15. It might look nice to pull in the user avatars. Since they're already on the login screen, I don't think there's a privacy issue.



UX for Windows Hello™️ via Howdy

The Howdy project seems to have near perfect integration with Windows Hello™️ compatible hardware, and integrates well with PAM.
The issue is similar to yubikey and nitrokey support, where there isn't any proper UX to show when it is trying to authenticate, or even to show you when it is scanning. I propose something similar to that of iOS, where there is a repeating animation when it is scanning, and a green tick/red cross to display whether it succeeded or failed. Maybe have a notification-like bubble drop down from the north edge of the screen, since that's about where laptop cameras generally are.



authorize or decline [no password]

A bit related to #33
Is it possible to just have Allow or Deny button but no password box (if currently logged in user is the one being authenticated using polkit)? Similar to Windows. Does polkit require entering password or is it the polkit agent?
image



Authenticate with Nitrokey

What it says on the tin!
This issue is thematically well suited to the following discussions:
#33
elementary/greeter#230
elementary/mail#345
elementary/switchboard-plug-onlineaccounts#89
elementary/files#862
elementary/installer#368
elementary/appcenter#936

Unlike a Yubikey, it is Free Hardware and Free Software, which is mostly manufactured locally (in Berlin, Germany).

Here you can find more general information: https://www.nitrokey.com/ & https://github.com/nitrokey

This integration can also be used to decrypt your hard disks - see LUKS/LUKS2 - or as a solution for Two-factor authentication in the Installer or Switchboard Online Accounts Plug. Integration with Files (to sign, encrypt and decrypt files) or Mail (to sign, encrypt and decrypt emails) and for installing Software with AppCenter it's also very useful.



Unlock Firewall settings button runs a glitched always moving login window

Hi,
I have found something strange in the Settings Manager -> Security and Privacy window. In particular, when I try to unlock firewall settings, the usual login window for root privileges appears but it is constantly moving and refreshing, preventing me from correctly entering the required password.
The following screenshot captured just one frame, but as you can see it is reporting an Incorrect permissions error of PolicyKit.

screenshot_bug_login_window1

OS: Elementary OS 5.0
Uname: Linux 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Language: Italian
Hardware Configuration: Intel Core i5 750 @ 2.67 GHz, 8 GB of RAM and AMD Radeon RX580.

Is there any further information I can report here to be helpful?

Thanks.

pkexec does not return after canceling the authentication

When trying to execute something like pkexec io.elementary.files, if instead of entering a password Cancel is pressed, the authentication dialog is closed but pkexec does not return (it should return with exit code 126).

I think PolkitAgent.Listener expects the implementation to throw Polkit.Error.CANCELED as a result of the user pressing the cancel button.
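
A regression check for the behaviour described in the issue above, as an added example that is not part of the original report or the project's code. It runs a command under a watchdog and maps the exit status to the outcomes documented in pkexec(1); the function names and labels are hypothetical, and timeout(1) from coreutils is assumed to be available.

```shell
#!/bin/sh
# Added example, not project code.
# pkexec(1): 126 = the authentication dialog was dismissed by the user,
#            127 = authorization could not be obtained or an error occurred.
# timeout(1): 124 = the command was still running at the limit and was killed,
#             which is the "pkexec does not return" symptom from the issue.
# Caveat: on success pkexec passes through the wrapped program's own status,
# so a program that itself exits 124/126/127 would be misclassified here.

classify_pkexec_status() {
    case "$1" in
        0)   echo "ran-ok" ;;
        126) echo "dismissed" ;;
        127) echo "not-authorized" ;;
        124) echo "hung" ;;
        *)   echo "command-exit-$1" ;;
    esac
}

# run_auth_check SECONDS COMMAND [ARGS...]
# Runs COMMAND with a time limit and prints the classification.
run_auth_check() {
    limit=$1
    shift
    status=0
    timeout "$limit" "$@" >/dev/null 2>&1 || status=$?
    classify_pkexec_status "$status"
}

# Manual use in a desktop session: press Cancel when the dialog appears.
# A fixed agent prints "dismissed"; the bug from the issue prints "hung".
#   run_auth_check 60 pkexec true
```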

Entered password visible with fingerprint enabled

Prerequisites

  • I have searched open and closed issues for duplicates.

Describe the bug

With enabled fingerprint for authentication the password field is showing input in plain text.

To Reproduce

Steps to reproduce the behavior:

  1. Install & enable fingerprint
  2. Enroll fingerprint
  3. Go to e.g. 'AppCenter'
  4. Click on install button of some application
  5. Enter some text into password field
  6. See password field is showing input

Expected behavior

Entered password characters are replaced by stars / dots.

Screenshots or screen recordings

Screenshot from 2020-05-14 10-22-19

Platform Information

Screenshot from 2020-05-14 10-28-57

  • I'm using the latest version from git that I've manually compiled
  • I'm using the latest released stable version


Increase timeout after authentication

Simple things such as installing programs become tedious due to the number of times you are requested to enter your password. By default, the expiration timeout is 5 minutes, which I find too short. It should be longer and/or be configurable.

openSUSE seems to have been able to achieve it, see https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe



Adding Silesian translation file

Hi, could you add translation files for Silesian?

ISO 639-3: szl
Plurals: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);

Thank you!

Failure animation isn't fluid like the greeter's

What Happened

When the dialogue fails to auth, it only seems to do a frame-by-frame movement back and forth rather than the fluid motion the greeter card has when it fails.

Expected Behavior

The dialogue animates fluidly

Steps to Reproduce

  1. execute pkexec apt update in Terminal
  2. press enter without entering password

Platform Information

elementary OS Odin Beta 2
