I have a laptop with a fingerprint sensor, which I use for authentication when working with the laptop while I am traveling or do not have it docked.
On the other hand, in the office I always have the laptop docked and its lid is closed so that I cannot (easily) access the fingerprint sensor (without reaching over and opening the lid).
I wonder whether it is possible to configure PAM in such a way that the fingerprint authentication is only used when the lid is open.
The laptop does (as do most) have a sensor to detect that.
Currently, when the laptop is docked, and I run some "sudo" command, I first need to press Ctrl+C to cancel the fprint prompt to get password authentication, which is slightly annoying.
The same thing goes for polkit. When some of my Gnome programs need privilege escalation, I currently have to reach over to the laptop, open it, and put my finger on the reader, since the polkit dialog does not offer to enter a password when fprint is configured.
Here's my current, relevant PAM config:
/etc/pam.d> cat gdm-fingerprint sudo su polkit-1 system-local-login su-l 2024-01-18T07:50:52
#%PAM-1.0
auth required pam_shells.so
auth requisite pam_nologin.so
auth requisite pam_faillock.so preauth
auth required pam_fprintd.so
auth optional pam_permit.so
auth required pam_env.so
auth [success=ok default=1] pam_gdm.so
auth optional pam_gnome_keyring.so
account include system-local-login
password required pam_deny.so
session include system-local-login
session optional pam_gnome_keyring.so auto_start
#%PAM-1.0
auth sufficient pam_fprintd.so
auth include system-auth
account include system-auth
session include system-auth
#%PAM-1.0
auth sufficient pam_fprintd.so
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password include system-auth
#%PAM-1.0
auth sufficient pam_fprintd.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
#%PAM-1.0
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so
auth include system-login
account include system-login
password include system-login
session include system-login
#%PAM-1.0
auth sufficient pam_fprintd.so
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password include system-auth
/etc/pam.d> 2024-01-18T07:51:17
Edit:
And, yes, I read the part about pam-fprint-grosshack which I want to avoid at all costs.
Not only is the name frightening, but I specifically want authentication to work differently depending on the lid's state.
Last edited by schard (2024-01-18 06:57:01)
Inofficial first vice president of the Rust Evangelism Strike Force
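One way to get the lid-dependent behaviour asked about above, as an added example that is not part of any post in this thread and not code from pam_fprintd: a small helper run through pam_exec.so that lets the stack skip pam_fprintd.so unless the lid reports open. The install path `/usr/local/bin/pam-lid-open` and the function name are hypothetical, and the script assumes the kernel exposes the lid under `/proc/acpi/button/lid/*/state`.

```shell
#!/bin/sh
# Added example (not from the thread): helper for pam_exec that succeeds only
# while the laptop lid is open. Hypothetical install path:
#   /usr/local/bin/pam-lid-open   (root:root, mode 0755, not writable by users)
#
# PAM stack fragment, e.g. for /etc/pam.d/sudo, replacing the fprintd line:
#   auth  [success=ignore default=1]  pam_exec.so quiet /usr/local/bin/pam-lid-open
#   auth  sufficient                  pam_fprintd.so
#   auth  include                     system-auth
# success=ignore -> lid open, continue into pam_fprintd.so
# default=1      -> any other result (closed, unknown, script missing) skips
#                   exactly one module, so the stack goes straight to the password.

LID_DIR="${LID_DIR:-/proc/acpi/button/lid}"   # kernel ACPI button interface

# lid_is_open [DIR]: return 0 if at least one lid under DIR reports "open".
# Each lid has a file DIR/<name>/state containing e.g. "state:      open".
lid_is_open() {
    dir="${1:-$LID_DIR}"
    for f in "$dir"/*/state; do
        [ -r "$f" ] || continue          # unmatched glob or unreadable file
        # The second whitespace-separated field is the state word.
        state=$(awk '$1 == "state:" { print $2; exit }' "$f")
        if [ "$state" = "open" ]; then
            return 0
        fi
    done
    return 1                             # closed or unknown: fall back to password
}

# pam_exec exports PAM_TYPE; only act as a program when PAM called us.
# For a manual check run: PAM_TYPE=auth ./pam-lid-open; echo $?
if [ -n "${PAM_TYPE:-}" ]; then
    lid_is_open
    exit $?
fi
```

The lid check only selects which factor is offered first; every failure path of the helper lands on the password modules, so a missing or broken script never leaves fingerprint as the sole option.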
pam-fprint-slightlylessgrosshack:
Put a dash in front of it and move the module away when the lid is closed (or system booted w/ closed lid) #duckundweg
To be honest, I even thought about forking pam_fprintd and adding lid detection to it, but I currently do not have the time to dive into its codebase.
https://gitlab.freedesktop.org/libfprin … issues/403
If anything you'd want to move this upstream - forking pam in your basement is probably the least advisable approach here…
Oooh. Nice finding. So I am not the first one with this luxury problem.
I'll look into the proposed solutions for this in more detail over the weekend.
Update 2024-01-22
For whatever reason, just now I got a polkit prompt that let me enter a password.
Trying to reproduce it, I found that /etc/pam.d/polkit-1 was renamed to /etc/pam.d/polkit-1.pacsave.
I did not see any news entry about this breaking change.
Where do I configure PAM for polkit now?
Last edited by schard (2024-01-22 06:53:51)
I have a very similar issue. Same as for you - my file was renamed to `etc/pam.d/polkit-1.pacsave` a few days ago.
EDIT: I think I was wrong with this statement:
I guess the new location is
/usr/lib/pam.d/polkit-1
___
Just renaming `etc/pam.d/polkit-1.pacsave` to `etc/pam.d/polkit-1` fixed my problem.
Last edited by android_forum (2024-01-24 10:03:06)
The problem is that /usr/lib/pam.d/polkit-1 is not in backup.
So overriding it is futile.
Last edited by schard (2024-01-24 07:46:00)
Send the borg a sleep command: "chattr +i"