Should not ask for fingerprint for non local sessions / seats
## Submitted by dra..@..il.com **[Link to original bug (#69423)](https://bugs.freedesktop.org/show_bug.cgi?id=69423)** ## Description`<drago01>` halfline: ok, have a pam question`<halfline>` shoot`<drago01>` halfline: I configured the fprint reader on my laptap ... and tried to poweroff my laptop over ssh today`<drago01>` halfline: and it asked me (at the ssh print) to enroll my fingerprint`<drago01>` halfline: which is ....`<drago01>` halfline: how am I supposed to do that?`<halfline>` that shouldn't be happning /etc/pam.d/sshd references the password-auth file not the system-auth`<halfline>` so pam_fprintd shouldn't be ending up in the ssh pam stack`<halfline>` so the first thing i'd ask is for you to check /etc/pam.d/sshd`<halfline>` and make sure it references password-auth`<halfline>` and if so, then check /etc/pam.d/password-auth`<drago01>` halfline: ok let me check`<halfline>` and make sure pam_fprintd didn't somehow sneak into it`<halfline>` ohh`<halfline>` wait`<halfline>` i think i misunderstood what you were saying`<halfline>` you run systemctl shutdown or something`<halfline>` it wasn't when you were sshing in, but after you were already ssh'd in`<drago01>` halfline: yes it was "poweroff" from withiin an ssh session`<halfline>` and systemctl shutdown, then used polkit to authenticate your request`<halfline>` so the issue, I guess, is polkit uses system-auth for it's pam stack`<drago01>` even a "sudo foo"`<drago01>` (in the ssh session)`<drago01>` asks me to enroll my fingerprint`<halfline>` yea, seems wrong`<drago01>` halfline: where / against what should I file this?`<drago01>` halfline: pam? fprintd?`<halfline>` hmm`<halfline>` i guess the most fool proof way to fix it would be for pam_fprintd to check if the pam conversation is on a local seat`<halfline>` so probably best to file against pam_fprintd`<drago01>` ok, will do thanks`<halfline>` the typical way to check "am I remote or not" in PAM is to look at the RHOST pam item`<halfline>` bu that won't help here`<halfline>` since sudo an pkexec etc aren't going to set RHOST