How to disable sudo authentication via fingerprint in fprint

I have installed fprint for my laptop (thinkpad t450s) and it works very well.

But i mainly want to use it for login, and being able to authenticate sudo with fingerprint is a great addition.

But when using sudo and i want to use my password instead of fingerprint i have to:

  • wait 10 seconds
  • swipe wrong finger

I know there isn't a way have both fingerprint and password at the same time (known issue at fprint launchpad)

Is there any way to disable fingerprint authentication only for sudo?


Solution 1:

You can easily reduce the timeout from 10 Seconds to 3 seconds by changing the timeout value in /etc/pam.d/common-auth. That would allow you to still use the fingerprint reader for sudo just with a less annoying timeout.

By default the authentification method for sudo matches your common-auth settings. But you can change that in the file /etc/pam.d/sudo.

  • copy the file /etc/pam.d/common-auth to /etc/pam.d/common-auth-nofingerprint
  • remove the line that references pam_fprintd.so from your new file.
  • edit /etc/pam.d/sudo and use @include common-auth-nofingerprint instead of @include common-auth

/etc/pam.d/common-auth

auth    [success=2 default=ignore]  pam_fprintd.so max_tries=1 timeout=10 # debug
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite           pam_deny.so
auth    required            pam_permit.so

/etc/pam.d/sudo

#%PAM-1.0

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive

For background information why fingerprint and password does not work in parallel see: https://launchpad.net/~fingerprint/+archive/ubuntu/fprint in section Known (minor) issues - 1. No fingerprint and password at the same time