Update PAM defaults

2026-04-03 20:32:07 -04:00 · 2026-03-10 01:01:21 -04:00
parent 713b36662c
commit 44e6701796
3 changed files with 19 additions and 22 deletions
--- a/core/cmd/dms/commands_greeter.go
+++ b/core/cmd/dms/commands_greeter.go
@@ -1631,8 +1631,9 @@ func checkGreeterStatus() error {
 				}
 			} else {
 				if fprintAvailableForCurrentUser {
-					fmt.Printf("  ⚠ Fingerprint auth is active via included %s while DMS fingerprint toggle is off.\n", includedFprintFile)
-					fmt.Printf("    %s\n", systemPamManagerRemediationHint())
+					fmt.Printf("  ℹ Fingerprint auth is active via included %s while DMS fingerprint toggle is off.\n", includedFprintFile)
+					fmt.Println("    Password login will work but may be delayed while the fingerprint module runs first.")
+					fmt.Printf("    To eliminate the delay, %s\n", systemPamManagerRemediationHint())
 				} else {
 					fmt.Printf("  ℹ pam_fprintd is present via included %s, but no enrolled fingerprints were detected for user %s.\n", includedFprintFile, currentUser.Username)
 					fmt.Println("    Password auth remains the effective login path.")
--- a/core/internal/greeter/installer.go
+++ b/core/internal/greeter/installer.go
@@ -1506,8 +1506,9 @@ func syncGreeterPamConfig(homeDir string, logFunc func(string), sudoPassword str
 			}
 		} else {
 			if fprintAvailableForCurrentUser {
-				logFunc("⚠ Fingerprint auth is active via included " + includedFprintFile + " while DMS fingerprint toggle is off.")
-				logFunc("  " + pamManagerHintForCurrentDistro())
+				logFunc("ℹ Fingerprint auth is active via included " + includedFprintFile + " while DMS fingerprint toggle is off.")
+				logFunc("  Password login will work but may be delayed while the fingerprint module runs first.")
+				logFunc("  To eliminate the delay, " + pamManagerHintForCurrentDistro())
 			} else {
 				logFunc("ℹ pam_fprintd is present via included " + includedFprintFile + ", but no enrolled fingerprints were detected for the current user.")
 				logFunc("  Password auth remains the effective login path.")
--- a/quickshell/Modules/Greetd/GreeterContent.qml
+++ b/quickshell/Modules/Greetd/GreeterContent.qml
@@ -35,8 +35,8 @@ Item {
    property bool pendingPasswordResponse: false
    property bool passwordSubmitRequested: false
    property bool cancelingExternalAuthForPassword: false
-    property int defaultAuthTimeoutMs: 12000
-    property int externalAuthTimeoutMs: 45000
+    property int defaultAuthTimeoutMs: 10000
+    property int externalAuthTimeoutMs: 36000
    property int memoryFlushDelayMs: 120
    property string pendingLaunchCommand: ""
    property var pendingLaunchEnv: []
@@ -54,9 +54,8 @@ Item {
    property int maxPasswordSessionTransitionRetries: 2
    readonly property bool greeterPamHasFprint: pamModuleEnabled(greetdPamText, "pam_fprintd") || (greetdPamText.includes("system-auth") && pamModuleEnabled(systemAuthPamText, "pam_fprintd")) || (greetdPamText.includes("common-auth") && pamModuleEnabled(commonAuthPamText, "pam_fprintd")) || (greetdPamText.includes("password-auth") && pamModuleEnabled(passwordAuthPamText, "pam_fprintd"))
    readonly property bool greeterPamHasU2f: pamModuleEnabled(greetdPamText, "pam_u2f") || (greetdPamText.includes("system-auth") && pamModuleEnabled(systemAuthPamText, "pam_u2f")) || (greetdPamText.includes("common-auth") && pamModuleEnabled(commonAuthPamText, "pam_u2f")) || (greetdPamText.includes("password-auth") && pamModuleEnabled(passwordAuthPamText, "pam_u2f"))
-    readonly property bool greeterExternalAuthCapable: greeterPamHasFprint || greeterPamHasU2f
-    readonly property bool greeterExternalAuthEnabledByToggle: (greeterPamHasFprint && GreetdSettings.greeterEnableFprint) || (greeterPamHasU2f && GreetdSettings.greeterEnableU2f)
-    readonly property bool greeterExternalAuthAvailable: greeterExternalAuthCapable
+    readonly property bool greeterExternalAuthAvailable: (greeterPamHasFprint && GreetdSettings.greeterEnableFprint) || (greeterPamHasU2f && GreetdSettings.greeterEnableU2f)
+    readonly property bool greeterPamHasExternalAuth: greeterPamHasFprint || greeterPamHasU2f

    function initWeatherService() {
        if (weatherInitialized)
@@ -412,10 +411,7 @@ Item {
        if (Greetd.state !== GreetdState.Inactive) {
            if (pendingPasswordResponse && hasPasswordBuffer)
                submitBufferedPassword();
-            else if (awaitingExternalAuth && hasPasswordBuffer) {
-                passwordSubmitRequested = true;
-                requestPasswordSessionTransition();
-            } else if (hasPasswordBuffer)
+            else if (hasPasswordBuffer)
                passwordSubmitRequested = true;
            return;
        }
@@ -424,11 +420,11 @@ Item {
                passwordSubmitRequested = true;
            return;
        }
-        if (!hasPasswordBuffer && !root.greeterExternalAuthEnabledByToggle)
+        if (!hasPasswordBuffer && !root.greeterExternalAuthAvailable)
            return;
        pendingPasswordResponse = false;
        passwordSubmitRequested = hasPasswordBuffer;
-        awaitingExternalAuth = !hasPasswordBuffer && root.greeterExternalAuthEnabledByToggle;
+        awaitingExternalAuth = !hasPasswordBuffer && root.greeterExternalAuthAvailable;
        authTimeout.interval = awaitingExternalAuth ? externalAuthTimeoutMs : defaultAuthTimeoutMs;
        authTimeout.restart();
        Greetd.createSession(GreeterState.username);
@@ -437,7 +433,7 @@ Item {
    function maybeAutoStartExternalAuth() {
        if (!GreeterState.showPasswordInput || !GreeterState.username)
            return;
-        if (!root.greeterExternalAuthEnabledByToggle)
+        if (!root.greeterExternalAuthAvailable)
            return;
        if (GreeterState.unlocking || Greetd.state !== GreetdState.Inactive)
            return;
@@ -958,7 +954,7 @@ Item {
                            anchors.verticalCenter: parent.verticalCenter
                            iconName: root.greeterPamHasFprint ? "fingerprint" : "key"
                            buttonSize: 32
-                            visible: GreeterState.showPasswordInput && root.greeterExternalAuthEnabledByToggle && GreeterState.passwordBuffer.length === 0 && (Greetd.state === GreetdState.Inactive || awaitingExternalAuth || pendingPasswordResponse) && !GreeterState.unlocking
+                            visible: GreeterState.showPasswordInput && root.greeterExternalAuthAvailable && GreeterState.passwordBuffer.length === 0 && (Greetd.state === GreetdState.Inactive || awaitingExternalAuth || pendingPasswordResponse) && !GreeterState.unlocking
                            enabled: visible
                            onClicked: root.startAuthSession()
                        }
@@ -1594,13 +1590,12 @@ Item {
                return;
            }
            pendingPasswordResponse = false;
-            if (passwordSubmitRequested && GreeterState.passwordBuffer && GreeterState.passwordBuffer.length > 0 && awaitingExternalAuth && !cancelingExternalAuthForPassword) {
-                requestPasswordSessionTransition();
-                return;
-            }
            if (!passwordSubmitRequested)
                awaitingExternalAuth = root.isExternalAuthPrompt(message, responseRequired);
-            authTimeout.interval = awaitingExternalAuth ? externalAuthTimeoutMs : defaultAuthTimeoutMs;
+            if (awaitingExternalAuth || (passwordSubmitRequested && root.isExternalAuthPrompt(message, responseRequired)))
+                authTimeout.interval = externalAuthTimeoutMs;
+            else
+                authTimeout.interval = defaultAuthTimeoutMs;
            authTimeout.restart();
            Greetd.respond("");
        }