How to disable sudo authentication via fingerprint in fprint
I have installed fprint for my laptop (thinkpad t450s) and it works very well.
But i mainly want to use it for login, and being able to authenticate sudo
with fingerprint is a great addition.
But when using sudo
and i want to use my password instead of fingerprint i have to:
- wait 10 seconds
- swipe wrong finger
I know there isn't a way have both fingerprint and password at the same time (known issue at fprint launchpad)
Is there any way to disable fingerprint authentication only for sudo
?
Solution 1:
You can easily reduce the timeout from 10 Seconds to 3 seconds by changing the timeout value in /etc/pam.d/common-auth
. That would allow you to still use the fingerprint reader for sudo just with a less annoying timeout.
By default the authentification method for sudo matches your common-auth
settings. But you can change that in the file /etc/pam.d/sudo
.
- copy the file
/etc/pam.d/common-auth
to/etc/pam.d/common-auth-nofingerprint
- remove the line that references
pam_fprintd.so
from your new file. - edit
/etc/pam.d/sudo
and use@include common-auth-nofingerprint
instead of@include common-auth
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_fprintd.so max_tries=1 timeout=10 # debug
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
/etc/pam.d/sudo
#%PAM-1.0
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
For background information why fingerprint and password does not work in parallel see: https://launchpad.net/~fingerprint/+archive/ubuntu/fprint in section Known (minor) issues
- 1. No fingerprint and password at the same time