Is system auth and lock on system idle supposed to work?

[mihalyr]

Steps To Reproduce

• try system auth
• try lock on system idle

Expected Result

• it works

Actual Result

• it does not work

Screenshots or Videos

No response

Additional Context

I tried system auth on the desktop app (AppImage) but didn't work, it just asks the master password every time. Then I set lock on system idle, then left the computer alone for hours, when I unlocked my vault was wide open. Are these features supposed to work?

Operating System

Linux

Operating System Version

Fedora 40

Installation method

Direct Download (from bitwarden.com)

Build Version

Version 2024.8.2 Shell 31.3.1 Renderer 126.0.6478.185 Node 20.15.1 Architecture x64

Issue Tracking Info

• I understand that work is tracked outside of GitHub. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[Krychaz]

Hello there,

Biometric unlock is not currently available with the Linux desktop app.

Can you confirm that your system actually locks so that you need to enter your system password? That is when your app should lock too.

[mihalyr]

Hi @Krychaz this issue is not about biometrics, but system auth and system idle (not system lock). But yes, I can confirm that even after lock it wasn't locked when I unlocked the system.

So there are two things I provided in the description that do not work here:

• using system authentication to unlock, the option doesn't do anything and it keeps asking for master password
• lock on system idle, after an hour and locked system the vault is still wide open (note that the option says system idle and not system lock, if you expect to lock on system lock, the option should be just called that, IMO)

This is on Fedora 40 Sericea on Sway WM (Wayland) with sway-lock.

[quexten]

Bitwarden desktop offers both lock on System idle and system lock. On linux support for these is hit-and-miss. On x11 based DE's system lock is always available. On Wayland, as of 2024.08 we do support lock on system lock, but only if your DE implements org.freedesktop.screensaver (gnome and KDE for instance do). Sway does not. Because of this, the option is missing from the dropdown, since it detects that it is unsupported.

For system idle, we evidently don't detect support properly yet and hide the option. Bitwarden desktop currently uses Xwayland, which has a bug which does not let idle time get properly detected. We do have #10359 which enables native wayland support, but this is blocked by an electron bug. After merging that, I suspect lock on idle should work again.

[mihalyr]

This issue is about system auth and system idle and not system lock as the title and description tell it.

It seems that my suspicion was correct and this functionality does not work yet and the option is showing up because of failure to detect support.

I'll follow #10359 and see if that fixes things once it is out. Thank you for the details.

[mihalyr]

But you didn't mention if system auth is supposed to work. That didn't seem to work for me either.

[quexten]

Sorry about that, I meant to address system auth in the comment too but it slipped past me. System auth is the same as biometrics (polkit can be configured to use biometrics in PAM; this is the default on gnome for instance; but password fallback is possible).

To make it work, your system needs:

• A polkit agent (not installed by default on sway)
• A keyring (not installed by default on sway)
• Write access to /usr/share/polkit-1/actions/ so that Bitwarden desktop can install the polkit policy

If the above are fulfilled, and setup is not working that is a bug. These are fulfilled by default on most distros. However, QA and devs cannot test every distro, and if a particular DE / distro does not provide the above, I cannot provide support here. You would have to manually ensure that the above are met, if your distro does not provide these.

I do wonder why it even let you set it up though, if the sytsem is not supported, it should really hide the option.

[mihalyr]

I do have polkit and gnome-keyring installed, I think those came in Sericea by default.

Write access to /usr/share/polkit-1/actions/ so that Bitwarden desktop can install the polkit policy

I don't think this works on Atomic from an AppImage. When I run pkaction I can see for example the 1password policies listed (have to use it for work), but I have that installed from an RPM.

# pkaction | grep -i 1pass
com.1password.1Password.authorizeCLI
com.1password.1Password.authorizeSshAgent
com.1password.1Password.unlock

(and I think the 1password system auth doesn't work either for me properly even with the policies above)

I can try installing Bitwarden from RPM and see if it works. But I will lose updates. I was wondering if a Flatpak version would work, but there is only an unofficial version on FlatHub, which I am hesitant to use.

I think, I'll give the RPM a try next at least to test if the functionality works if it's installed properly.