Use fingerprint authentication not only for login

Run

    sudo pam-auth-update

and use the space bar to enable Fingerprint authentication in the dialog:

[Screenshot: package configuration for PAM]


Author: Hendrik

Updated on September 18, 2022

Comments

  • Hendrik
    Hendrik over 1 year

    I'm on 18.04 and have successfully enabled fingerprint login. I would like to use my fingerprint not only to log in but if possible also to:

    1. Authenticate in the terminal when I do a sudo command
    2. Authenticate in Gnome (i.e. when installing an application etc)
    3. Unlocking keyring items (this is the only point I could find info about and apparently this one is not possible)

    Output of grep print /etc/pam.d -R:

    /etc/pam.d/gdm-fingerprint:auth required    pam_fprintd.so
    /etc/pam.d/gdm-fingerprint:password required       pam_fprintd.so
    

    Content of /etc/pam.d/gdm-fingerprint

    #%PAM-1.0
    auth    requisite       pam_nologin.so
    auth    required    pam_succeed_if.so user != root quiet_success
    auth    required    pam_fprintd.so
    auth    optional        pam_gnome_keyring.so
    @include common-account
    # SELinux needs to be the first session rule. This ensures that any 
    # lingering context has been cleared. Without this it is possible 
    # that a module could execute code in the wrong domain.
    session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
    session required        pam_loginuid.so
    # SELinux needs to intervene at login time to ensure that the process
    # starts in the proper default security context. Only sessions which are
    # intended to run in the user's context should be run after this.
    session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
    session optional        pam_keyinit.so force revoke
    session required        pam_limits.so
    session required        pam_env.so readenv=1
    session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
    @include common-session
    session optional        pam_gnome_keyring.so auto_start
    password required       pam_fprintd.so
    

    Content of /etc/pam.d/sudo

    #%PAM-1.0
    session    required   pam_env.so readenv=1 user_readenv=0
    session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
    @include common-auth
    @include common-account
    @include common-session-noninteractive
    
    • muru
      muru about 6 years
      How have you enabled fingerprint login?
    • Hendrik
      Hendrik about 6 years
      Via settings>details>users. There you can enable fingerprint login and enroll a finger.
    • muru
      muru about 6 years
      Add the output of grep print /etc/pam.d -R to the question, please.
    • Hendrik
      Hendrik about 6 years
      Updated the question upon your request.
    • muru
      muru about 6 years
      I haven't used fprintd in recent times, but what I can suggest is to add those lines at similar locations in /etc/pam.d/sudo. Keep sudo -i open in a TTY so that you can revert the changes if they don't work out.
    • Hendrik
      Hendrik about 6 years
      I tried a few variants of what you suggested and they did have some effect. Not quite what I was looking for though. First I added both lines in places that seemed appropriate. This seemed to lead to a dual solution: first I was authenticated by fingerprint, but then still had to input my password. Secondly I tried only adding the auth:required line at the top of the sudo file. With this solution it kept not recognizing my fingerprint. The third alternative did not do anything.
    • muru
      muru about 6 years
      Post both PAM files, maybe we can figure out the best place. In my experience, it has always shown the password prompt in addition to an instruction to use my fingerprint, and the fingerprint finished authentication without me having to enter a password at the prompt.
  • CpILL
    CpILL over 3 years
    I did this but nothing seems to have changed? How do I get the GUI on 20.04?
  • b247_eu
    b247_eu over 3 years
    @CpILL, just reboot your computer, then you will be able to use fingerprint for auth purposes in both terminal and Gnome. Of course you have to enroll your fingerprint using either "Gnome Settings->Users" or fprintd-enroll from a terminal.
  • axolotl
    axolotl over 2 years
    Is there any way to force use of a password without having to wait for the fprintd dialog to time out? Suppose I am using an external keyboard and monitor, and unable to reach the fingerprint sensor without reaching (typical work dock setup).
  • leoheck
    leoheck about 2 years
    Thanks, but for the way it works, using it with sudo is pretty annoying. The prompt should show the message "Use the fingerprint sensor OR type the password". So it would allow both ways. The way it is, it just shows the message and the keyboard input is not protected. If the user wants to type, or types the password by mistake, it will be visible to everyone observing the screen. I am using an external monitor right now... so I have to get out of my chair to be able to poke the fingerprint sensor.. in this case I would like to use the password instead, easily...
  • Admin
    Admin almost 2 years
    At least as of Ubuntu 22.04, you can press Ctrl+C to cancel the fingerprint prompt and drop to a password prompt. Otherwise, it defaults to waiting 10 seconds before timing out. You can customize the timeout by editing the /etc/pam.d/common-auth file and changing the timeout=10 part.
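
The comments above describe two behaviours: a fingerprint scan followed by a password prompt, and a prompt that accepts either one. The following added example (not from the thread or from any project) models how the control field of an `auth` line produces each outcome. Both stacks are constructed samples, with `EITHER` assumed to resemble the bracket style that pam-auth-update generates, and the model covers only the four keyword controls and the `success=`/`default=` bracket keys.

```python
import re

# Keyword controls and their bracket equivalents: (on success, on anything else).
KEYWORDS = {"required": ("ok", "bad"), "requisite": ("ok", "die"),
            "sufficient": ("done", "ignore"), "optional": ("ok", "ignore")}
TAIL = """auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so"""
# Constructed samples, not copied from any system. EITHER: fingerprint line in
# bracket form with the timeout=10 option. BOTH: a plain "required" line on top.
EITHER = "auth [success=2 default=ignore] pam_fprintd.so timeout=10\n" + TAIL
BOTH = "auth required pam_fprintd.so\n" + TAIL

def parse(text):
    """Return [(on_success, on_other, module, args)] for each auth line."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line.split("#")[0])
        if not m:
            continue  # comments, @include and non-auth lines are skipped
        control, module, args = m.groups()
        if control.startswith("["):
            kv = dict(p.split("=") for p in control[1:-1].split())
            # Only success= and default= are modelled; a missing key fails closed here.
            actions = (kv.get("success", kv.get("default", "bad")), kv.get("default", "bad"))
        else:
            actions = KEYWORDS[control]
        stack.append((*actions, module, args.split()))
    return stack

def authenticate(stack, results):
    """Walk the stack; results maps module name -> True (success) / False."""
    results = {"pam_permit.so": True, "pam_deny.so": False, **results}
    state, i = None, 0
    while i < len(stack):
        on_success, on_other, module, _ = stack[i]
        action = on_success if results.get(module, False) else on_other
        if action.isdigit():
            i += int(action)  # jump over the next N modules
        elif action == "die":
            return False
        elif action == "bad":
            state = False
        elif action in ("ok", "done") and state is not False:
            state = True
            if action == "done":
                return True
        i += 1
    return state is True
```

In this model a `required` fingerprint line stacked on top of the password check makes the fingerprint an additional factor, while the bracket form with a jump makes it an alternative to the password.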