Unlocking Ubuntu with a pin instead of a long password

Question

I am trying to set up a pin unlock for my laptop running Ubuntu 19.10. Everything is going very smooth except that I don't know how to do it. I found a page that has the procedure. https://bbs.archlinux.org/viewtopic.php?id=246734

I think this should work but I am very new to Ubuntu/Linux and I am unable to understand the instructions properly.

Can anyone explain me how to do it?

EDIT: I am halfway through the process. Created the the file and installed the package. But don't know what to do with the file. Please Help

Thank You in advance.

score 6 · Answer 1 · edited Jan 27 '22 at 05:50

For posterity's sake:

So first:

sudo apt install -y libpam-pwdfile

If you don't have the "mkpasswd" command, then you need to install "whois" first

sudo apt install whois

Then take the username you use to log in, let's say "ben" and do this:

sudo -i
cp /etc/pam.d/gdm-password /etc/pam.d/gdm-password_ORIGINAL
echo "ben:$(mkpasswd -5)" > /etc/custompinfile
chmod 400 /etc/custompinfile

Then you need to edit /etc/pam.d/gdm-password (or other desktop manager or whatever, who cares, you'll figure it out, the thing that manages your logins, mine is gdm-password)

and add this line near the top, the top of my /etc/pam.d/gdm-password looks like this

#%PAM-1.0
auth    sufficient  pam_pwdfile.so pwdfile=/etc/custompinfile

Ue whatever, gedit, nano, vim, but you need sudo privileges to edit it.

Then I saved and quit and logged out and when I logged back in it only required the pin on the lock screen, but it didn't accept the pin when asking for sudo privileges, which is what we wanted, otherwise we would have simply set the password to 1234.

If you mess everything up, you can boot in recovery mode (if you don't have a dual boot with Windows, I think it is something like pressing Shift while it's starting up, then there will be a menu to choose recovery mode, in recovery mode you can simply access the shell as root and revert the /etc/pam.d/gdm-password back to it's original state, if you remember it ;-) That's why it's maybe a good idea to make a backup of the original gdm-password file like cp /etc/pam.d/gdm-password /etc/pam.d/gdm-password_ORIGINAL

Remember, the /etc/custompinfile can be called anything, but the contents inside need to be in this format: user:hashedpassword And the hashed password is obtained using mkpasswd -5 when you install the whois package and run it.

If someone did want to use the pin authentication for sudo, they could add the same line auth sufficient pam_pwdfile.so pwdfile=/etc/custompinfileto the top of /etc/pam.d/sudo — miigotu, Mar 06 '21 at 09:11
Please notice that whoever has read access to /etc/custompinfile can EASILY brute force the PIN. Therefore make sure that the file is owned by root and nobody else has access to it (440 mod I think).
Also, if the drive where /etc/custompinfile is stored isn't encrypted - in case somebody gains physical access to the drive he will be able to access the file (and brute force the PIN) regardless of the permissions you've set to the file. — Ezra Steinmetz, May 01 '22 at 09:47
On my system, the echo command only worked when written this way: sudo bash -c 'echo "ben:$(mkpasswd -5)" > /etc/custompinfile' — Joseph Folen, Jan 23 '24 at 18:25

score 1 · Answer 2 · answered Mar 22 '20 at 08:44

1

First of all, this is a bad thing security wise!

And you are using a Arch Linux instruction on Ubuntu....

The Ubuntu way is:

Step 1

Run update command to update package repositories and get latest package information.

sudo apt-get update -y

Step 2

Run the install command with -y flag to quickly install the packages and dependencies.

sudo apt-get install -y libpam-pwdfile

Ref.: https://zoomadmin.com/HowToInstall/UbuntuPackage/libpam-pwdfile

answered Mar 22 '20 at 08:44

Mats Karlsson

192

1

Can you explain how to create the password file to unlock via pin? – Kshitij Radotra Mar 22 '20 at 08:49
1

That info is available already in the link in your question – Mats Karlsson Mar 22 '20 at 08:52
Sorry but i'm fairly new to ubuntu/linux and i am unable to understand that very well. Can you elaborate the process of creating the file a little bit more. It would be very helpful. – Kshitij Radotra Mar 22 '20 at 08:59
Ok so i was able to generate the file but the next part (what i have to do with the file) is where i am confused. – Kshitij Radotra Mar 22 '20 at 09:06
1

Well you got an answer, but didnt vote for it... – Mats Karlsson Mar 26 '20 at 15:31
Check out this answer https://askubuntu.com/questions/180402/how-to-set-a-short-password-on-ubuntu/1001983#1001983 – MatsK Mar 27 '20 at 10:04
Unfortunately the link you shared is for LightDM. Ubuntu 19.10 uses GDM by default. – Kshitij Radotra Mar 28 '20 at 08:58
1

It answer your question "Can you elaborate the process of creating the file a little bit more", It clearly explains the file syntax! – Mats Karlsson Mar 28 '20 at 09:27
@MatsKarlsson when I have 125 reputations, I will down vote your answer for being unclear to newbies. – Shadi Alnamrouti Jan 02 '21 at 08:57
@ShadiNamrouti You are welcome to do that if you think that will gain you. – Mats Karlsson Jan 08 '21 at 11:06

score -1 · Answer 3 · answered Dec 24 '21 at 13:09

-1

Check this simplest method, hope it helps!

sudo -izenx@zenx-V330-20ICB-AIO:~$ sudo -i

[sudo] password for zenx: (Type your zenx existing password)

root@zenx-V330-20ICB-AIO:~# cat /etc/passwd

zenx:x:1000:1000:Anupam:/home/zenx:/bin/bash

systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

root@zenx-V330-20ICB-AIO:~# passwd zenx

New password: 8888

Retype new password: 8888

passwd: password updated successfully

answered Dec 24 '21 at 13:09

Anupam Jha

1

2

This explains how to change your password to a 4-digit number. Password and pin should be separate and apart from one another. – Avery Freeman Dec 19 '22 at 08:04

Unlocking Ubuntu with a pin instead of a long password

3 Answers3