I have enrolled my fingerprint on a ThinkPad with a fingerprint scanner. I can now swipe a finger to sudo, su, log in, etc.
However, if I swipe to log in, a password box pops up anyway because the keyring needs to be unlocked so that NetworkManager can log on to the Wi-Fi network. If I log in with a password, it is reused to unlock the keyring. Therefore it is quicker to log in by typing a password once than to swipe and then also type a password.
Is there some way of also unlocking the keyring when I swipe to log in? One swipe should log me in and also unlock the keyring.
Thanks to feedback, I guess what's needed is the following:
- a laptop with a TPM chip (ThinkPad, plus any modern laptop, due to trusted boot?)
- the package trousers to talk to the TPM (seems to be installed by default)
- a PAM session module which decrypts your password with the TPM and unlocks the keyring/ssh keys
Running a command like:
    repoquery --whatrequires trousers
...I see a bunch of packages which make use of the TPM chip, none of which look like PAM modules. I guess this doesn't exist in Fedora. Has anyone written this software? Does this all look right?
There also needs to be some kind of UI such that when you enroll your fingerprint you are also asked for your password, which is then encrypted with a key stored in the TPM.
All of the above also applies to other auth methods, such as the external keys newly integrated for F20 -- any way you authenticate that does not involve typing in your password immediately involves typing in your password anyway, as access to the network, and therefore your keyring, is a prerequisite for doing anything useful.