Use fingerprint authentication not only for login
Run `sudo pam-auth-update` and use the space bar to enable Fingerprint authentication in the dialog.
Author: Hendrik
Updated on September 18, 2022
Comments
-
Hendrik over 1 year
I'm on 18.04 and have successfully enabled fingerprint login. I would like to use my fingerprint not only to login but if possible also to:
- Authenticate in the terminal when I do a `sudo` command
- Authenticate in Gnome (i.e. when installing an application etc)
- Unlocking keyring items (this is the only point I could find info about and apparently this one is not possible)
Output of `grep print /etc/pam.d -R`:

```
/etc/pam.d/gdm-fingerprint:auth required pam_fprintd.so
/etc/pam.d/gdm-fingerprint:password required pam_fprintd.so
```
Content of `/etc/pam.d/gdm-fingerprint`:

```
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
auth required pam_fprintd.so
auth optional pam_gnome_keyring.so
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-session
session optional pam_gnome_keyring.so auto_start
password required pam_fprintd.so
```
Content of `/etc/pam.d/sudo`:

```
#%PAM-1.0
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
```
-
muru about 6 years
How have you enabled fingerprint login?
-
Hendrik about 6 years
Via settings>details>users. There you can enable fingerprint login and enroll a finger.
-
muru about 6 years
Add the output of `grep print /etc/pam.d -R` to the question, please.
-
Hendrik about 6 years
Updated the question upon your request.
-
muru about 6 years
I haven't used fprintd in recent times, but what I can suggest is to add those lines at similar locations in `/etc/pam.d/sudo`. Keep `sudo -i` open in a TTY so that you can revert the changes if they don't work out.
-
Hendrik about 6 years
I tried a few variants of what you suggested and they did have some effect. Not quite what I was looking for though. First I added both lines in places that seemed appropriate. This seemed to lead to a dual solution: first I was authenticated by fingerprint, but then still had to input my password. Secondly I tried only adding the `auth:required` line at the top of the sudo file. With this solution it kept not recognizing my fingerprint. The third alternative did not do anything.
-
muru about 6 years
Post both PAM files, maybe we can figure out the best place. In my experience, it has always shown the password prompt in addition to an instruction to use my fingerprint, and the fingerprint finished authentication without me having to enter a password at the prompt.
-
CpILL over 3 years
I did this but nothing seems to have changed? How do I get the GUI on 20.04?
-
b247_eu over 3 years
@CpILL, just reboot your computer, then you will be able to use fingerprint for auth purposes in both terminal and Gnome. Of course you have to enroll your fingerprint using either "Gnome Settings->Users" or `fprintd-enroll` from a terminal.
-
axolotl over 2 years
Is there any way to force use of a password without having to wait for the fprintd dialog to time out? Suppose I am using an external keyboard and monitor, and unable to reach the fingerprint sensor without reaching (typical work dock setup).
-
leoheck about 2 years
Thanks, but for the way it works, using it with sudo is pretty annoying. The prompt should show the message "Use the fingerprint sensor OR type the password". So it would allow both ways. The way it is, it just shows the message and the keyboard input is not protected. If the user wants to type, or types the password by mistake, it will be visible to everyone observing the screen. I am using an external monitor right now... so I have to get out of my chair to be able to poke the fingerprint sensor... in this case I would like to use the password instead, easily...
-
Admin almost 2 years
At least as of Ubuntu 22.04, you can press Ctrl+C to cancel the fingerprint prompt and drop to a password prompt. Otherwise, it defaults to waiting 10 seconds before timing out. You can customize the timeout by editing the `/etc/pam.d/common-auth` file and changing the `timeout=10` part.
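
The thread's observations (a `required` fingerprint line still leading to a password prompt, and a fingerprint alone being enough after `pam-auth-update`) follow from how the control field of each `auth` line is evaluated. The sketch below is an added example, not code from the thread or from Linux-PAM: a simplified evaluator run over constructed files. The names `sudo-required`, `sudo-sufficient`, `sudo-stock` and both `common-auth` layouts are assumptions for illustration; compare them with your own `/etc/pam.d` files.

```python
import re

# Constructed sample files, not taken from the page. The common-auth layouts are
# assumptions modelled on a stock Ubuntu stack; compare with your own files.
UNIX = ("auth [success=1 default=ignore] pam_unix.so nullok\n"
        "auth requisite pam_deny.so\n"
        "auth required pam_permit.so\n")
FILES = {
    "common-auth": UNIX,
    "common-auth-fprintd":
        "auth [success=2 default=ignore] pam_fprintd.so max-tries=1 timeout=10\n" + UNIX,
    "sudo-required": "auth required pam_fprintd.so\n@include common-auth\n",
    "sudo-sufficient": "auth sufficient pam_fprintd.so\n@include common-auth\n",
    "sudo-stock": "@include common-auth-fprintd\n",
}

def auth_stack(name):
    """Flatten the auth lines of FILES[name] into [(control, module)], following @include."""
    stack = []
    for line in FILES[name].splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("@include"):
            stack += auth_stack(line.split()[1])
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            stack.append((m.group(1), m.group(2)))
    return stack

def authenticate(name, fingerprint, password):
    """Simplified Linux-PAM auth evaluation: returns (granted, modules that ran)."""
    outcome = {"pam_fprintd.so": fingerprint, "pam_unix.so": password,
               "pam_deny.so": False, "pam_permit.so": True}
    stack, ran, passed, failed, i = auth_stack(name), [], False, False, 0
    while i < len(stack):
        control, module = stack[i]
        ok = outcome[module]
        ran.append(module)
        i += 1
        if control == "requisite" and not ok:
            return False, ran              # hard failure, stop here
        if control == "sufficient" and ok and not failed:
            return True, ran               # granted, later modules never run
        if control in ("required", "requisite"):
            passed, failed = passed or ok, failed or not ok
        jump = re.search(r"success=(\d+)", control)
        if jump and ok:
            i += int(jump.group(1))        # skip the next N modules
    return passed and not failed, ran
```

With `required`, the fingerprint acts as a second factor on top of the password; with `sufficient` or a `success=N` jump it is an alternative to the password, so the account is only as strong as the weaker of the two.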