53

I'm on 18.04 and have successfully enabled fingerprint login. I would like to use my fingerprint not only to log in but, if possible, also to:

  1. Authenticate in the terminal when I do a sudo command
  2. Authenticate in Gnome (i.e. when installing an application etc)
  3. Unlocking keyring items (this is the only point I could find info about and apparently this one is not possible)

Output of grep print /etc/pam.d -R:

/etc/pam.d/gdm-fingerprint:auth required    pam_fprintd.so
/etc/pam.d/gdm-fingerprint:password required       pam_fprintd.so

Content of /etc/pam.d/gdm-fingerprint

#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required    pam_succeed_if.so user != root quiet_success
auth    required    pam_fprintd.so
auth    optional        pam_gnome_keyring.so
@include common-account
# SELinux needs to be the first session rule. This ensures that any 
# lingering context has been cleared. Without this it is possible 
# that a module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
session required        pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
session optional        pam_keyinit.so force revoke
session required        pam_limits.so
session required        pam_env.so readenv=1
session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-session
session optional        pam_gnome_keyring.so auto_start
password required       pam_fprintd.so

Content of /etc/pam.d/sudo

#%PAM-1.0
session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
Hendrik
  • How have you enabled fingerprint login? – muru Mar 16 '18 at 10:20
  • Via settings>details>users. There you can enable fingerprint login and enroll a finger. – Hendrik Mar 16 '18 at 10:22
  • Add the output of grep print /etc/pam.d -R to the question, please. – muru Mar 16 '18 at 10:24
  • updated the question upon your request – Hendrik Mar 16 '18 at 10:28
  • I haven't used fprintd in recent times, but what I can suggest is to add those lines at similar locations in /etc/pam.d/sudo. Keep sudo -i open in a TTY so that you can revert the changes if they don't work out. – muru Mar 16 '18 at 10:32
  • I tried a few variants of what you suggested and they did have some effect. Not quite what I was looking for though. First I added both lines in places that seemed appropriate. This seemed to lead to a dual solution: first I was authenticated by fingerprint, but then still had to input my password. Secondly I tried only adding the auth:required line at the top of the sudo file. With this solution it kept not recognizing my fingerprint. The third alternative did not do anything. – Hendrik Mar 16 '18 at 14:03
  • Post both PAM files, maybe we can figure out the best place. In my experience, it has always shown the password prompt in addition to an instruction to use my fingerprint, and the fingerprint finished authentication without me having to enter a password at the prompt. – muru Mar 16 '18 at 14:07

1 Answer

109

Run

sudo pam-auth-update

And use the space bar to enable Fingerprint authentication in the dialog:

[Screenshot: package configuration for PAM]

adempewolff
b247_eu
  • I did this but nothing seems to have changed? How do I get the GUI on 20.04? – CpILL Dec 10 '20 at 03:57
  • @CpILL, just reboot your computer then you will be able to use fingerprint for auth purposes in both terminal and Gnome. Of course you have to enroll your fingerprint using either "Gnome Settings->Users" or fprintd-enroll from a terminal. – b247_eu Dec 10 '20 at 07:56
  • 3
    Is there any way to force use a password without having to wait for the fprintd dialog to timeout? Suppose I am using an external keyboard and monitor, and unable to reach the fingerprint sensor without reaching (typical work dock setup). – axolotl Aug 28 '21 at 04:14
  • 3
    Thanks, but for the way it works, using it with sudo is pretty annoying. The prompt should show the message "Use the fingerprint sensor OR type the password". So it would allow both ways. The way it is it just shows the message and the keyboard input is not protected. If the user wants to type or types the password by mistake it will be visible for everyone observing the screen. I am using an external monitor right now... so I have to get out of my chair to be able to poke the fingerprint sensor.. in this case I would like to use the password instead, easily... – leoheck Apr 13 '22 at 19:21
  • 3
    At least as of Ubuntu 22.04, you can press Ctrl+C to cancel the fingerprint prompt and drop you to a password prompt. Otherwise, it defaults to waiting 10 seconds before timing out. You can customize the timeout by editing the /etc/pam.d/common-auth file and changing the timeout=10 part. – Ari Jun 09 '22 at 14:37
  • For anyone wondering why reducing the timeout mentioned by @Ari, man pam_fprintd says "The default timeout is 30 seconds, with 10 seconds being the minimum." – ricab Jan 31 '23 at 18:17
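
Added example (not part of the original thread, and not code from PAM or fprintd): a small Python parser that expands the `@include` lines of a service file such as /etc/pam.d/sudo and reports where pam_fprintd.so sits in the auth stack, whether a password can still be used instead of the scan, and the configured timeout. The sample files, and the names `sudo-manual` and `common-auth-plain`, are constructed for illustration.

```python
def read_pam(name, pam_dir="/etc/pam.d"):
    with open(f"{pam_dir}/{name}") as fh:
        return fh.read()

def auth_stack(service, read=read_pam, _chain=()):
    """Auth rules as (file, control, module, args), '@include' lines expanded."""
    if service in _chain:                       # guard against include loops
        return []
    rules = []
    for raw in read(service).splitlines():
        kind, rest = (raw.split("#", 1)[0].split(None, 1) + ["", ""])[:2]
        if kind == "@include":                  # Debian/Ubuntu include syntax
            rules += auth_stack(rest.strip(), read, _chain + (service,))
        elif kind.lstrip("-") == "auth":
            if rest.startswith("["):            # e.g. [success=1 default=ignore]
                control, rest = rest[1:].split("]", 1)
            else:
                control, rest = rest.split(None, 1)
            module, *args = rest.split()
            rules.append((service, control.strip(), module, args))
    return rules

def fprintd_report(service, read=read_pam):
    """Where pam_fprintd.so sits in a service's auth stack and how it is wired."""
    rules = auth_stack(service, read)
    idx = next((i for i, r in enumerate(rules) if r[2] == "pam_fprintd.so"), None)
    if idx is None:
        return {"fingerprint": False}
    src, control, _, args = rules[idx]
    opts = dict(a.split("=", 1) for a in args if "=" in a)
    # required/requisite make the scan mandatory: a password cannot replace it
    fallback = control not in ("required", "requisite") and any(
        r[2] == "pam_unix.so" for r in rules[idx + 1:])
    return {"fingerprint": True, "defined_in": src, "control": control,
            "password_fallback": fallback,
            "timeout": int(opts["timeout"]) if "timeout" in opts else None}

# Constructed sample files for illustration, not copied from a real system.
PASSWORD_ONLY = ("auth [success=1 default=ignore] pam_unix.so\n"
                 "auth requisite pam_deny.so\nauth required pam_permit.so\n")
SAMPLE = {
    "sudo": "#%PAM-1.0\n@include common-auth\n",
    "common-auth": "auth [success=2 default=ignore] pam_fprintd.so timeout=10\n"
                   + PASSWORD_ONLY,
    "sudo-manual": "auth required pam_fprintd.so\n@include common-auth-plain\n",
    "common-auth-plain": PASSWORD_ONLY}

if __name__ == "__main__":
    print({s: fprintd_report(s, SAMPLE.get) for s in ("sudo", "sudo-manual")})
```

On a real system, `fprintd_report("sudo")` with the default reader inspects the files under /etc/pam.d.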