How to disable sudo authentication via fingerprint in fprint
I have installed fprint for my laptop (thinkpad t450s) and it works very well.
But i mainly want to use it for login, and being able to authenticate sudo with fingerprint is a great addition.
But when using sudo and i want to use my password instead of fingerprint i have to:
- wait 10 seconds
- swipe wrong finger
I know there isn't a way have both fingerprint and password at the same time (known issue at fprint launchpad)
Is there any way to disable fingerprint authentication only for sudo?
Solution 1:
You can easily reduce the timeout from 10 Seconds to 3 seconds by changing the timeout value in /etc/pam.d/common-auth. That would allow you to still use the fingerprint reader for sudo just with a less annoying timeout.
By default the authentification method for sudo matches your common-auth settings. But you can change that in the file /etc/pam.d/sudo.
- copy the file
/etc/pam.d/common-authto/etc/pam.d/common-auth-nofingerprint - remove the line that references
pam_fprintd.sofrom your new file. - edit
/etc/pam.d/sudoand use@include common-auth-nofingerprintinstead of@include common-auth
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_fprintd.so max_tries=1 timeout=10 # debug
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
/etc/pam.d/sudo
#%PAM-1.0
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
For background information why fingerprint and password does not work in parallel see: https://launchpad.net/~fingerprint/+archive/ubuntu/fprint in section Known (minor) issues - 1. No fingerprint and password at the same time