I haven't found a similar topic anywhere on this forum and so I decided to write a simple guide on how to implement a pin-like password for a screensaver. I hope it will help someone, or at least be a reference for myself when I need to do it again.
I have a long main password and often hate typing it just to unlock my laptop, especially considering the fact that I have several keyboard layouts. Therefore, I prefer to have a short pin-like 4-digit password for my lock screen, identical on all layouts, while still keeping a strong password for everything else. This can be achieved by installing a libpam_pwdfile package from AUR (https://github.com/tiwe-de/libpam-pwdfile). First, you need to generate a passwd file containing your credentials, and second, tell your locking program to use it.
The password file basically looks like passwd(5): one line for each user with two or more colon-separated fields. First field contains the username, the second the crypt()ed password. It can be generated and saved to pin.passwd file, for example, using openssl:
    echo "$USER:$(openssl passwd -1 1234)" > pin.passwd
where 1234 is your pin-like password.
The PAM file that controls unlocking depends on the screensaver, but is usually located in the /etc/pam.d/ directory. For example, in the case of i3lock, in order to enable the pin password, add this line before all others to /etc/pam.d/i3lock:
    auth sufficient pam_pwdfile.so pwdfile=/path/to/your/pin.passwd
This tells your screensaver to check the input with your pin password first, but still allows unlocking on your user password.

This seems like an extraordinary way to lower the bar where it comes to security.
What permissions are required of that file?
Have we learned nothing about the storing of passwords rather than hashes?
> This seems like an extraordinary way to lower the bar where it comes to security.
Well, it is, but only for unlocking. This does not influence login or sudo privileges.
> What permissions are required of that file?
I am not sure about the absolutely minimally required permissions, but for me it has the same permissions as /etc/pam.d/shadow, so I presume it can't be that much of a security concern.
> Have we learned nothing about the storing of passwords rather than hashes?
openssl passwd -1 password in fact generates a hash, which is then stored to pin.passwd, not the actual password. As I understand, pin.passwd has the same structure as /etc/pam.d/shadow.
Unfortunately, I cannot say anything about the security of libpam_pwdfile package itself, but so far I haven't found any other way, maybe using built-in PAM modules.
Last edited by drybalka (2019-05-28 22:10:54)
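The permissions question and the hash format discussed in the posts above can be checked mechanically. The script below is an added example, not part of the thread or of libpam-pwdfile: the function name audit_pwdfile, the policy it enforces (expected owner, root by default, and no group or other permission bits) and the list of accepted crypt(3) prefixes are assumptions made for illustration, and it relies on GNU stat.

```sh
#!/bin/sh
# Added example: audit a pam_pwdfile-style password file (user:hash per line).
# Assumed policy, not stated in the thread: owned by the expected user
# (default root) and no permission bits set for group or other.

audit_pwdfile() {
    file=$1
    want_owner=${2:-root}
    findings=0

    if [ ! -f "$file" ]; then
        echo "MISSING: $file is not a regular file"
        return 2
    fi

    owner=$(stat -c '%U' "$file")
    mode=$(printf '%03d' "$(stat -c '%a' "$file")")   # pad so mode 0 reads 000
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER: $file is owned by $owner, expected $want_owner"
        findings=$((findings + 1))
    fi
    # The last two octal digits are the group and other permission bits.
    case $mode in
        *00) ;;
        *) echo "MODE: $file is $mode, group/other bits should be clear"
           findings=$((findings + 1)) ;;
    esac

    # Classify each entry by its crypt(3) scheme prefix.
    # "openssl passwd -1" produces the $1$ (MD5-crypt) form.
    while IFS=: read -r user hash _rest || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        case $hash in
            '$1$'*) echo "HASH: $user uses MD5-crypt (\$1\$)"
                    findings=$((findings + 1)) ;;
            '$5$'*|'$6$'*|'$2'?'$'*|'$y$'*) ;;
            *) echo "HASH: $user has no recognised crypt prefix"
               findings=$((findings + 1)) ;;
        esac
    done < "$file"

    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was reported
}
```

Run it as `audit_pwdfile /path/to/your/pin.passwd`; it prints one line per finding and returns non-zero if there is any.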
Thanks for sharing, been meaning to implement something like this.