Since Fedora 32, I have been able to enable login and sudo with fingerprints in Gnome settings. However, when my laptop is docked and the lid is closed, sudo still prompts for my fingerprint. I have to wait a few seconds for the fingerprint reader to time out before I can input my password.
I would like to change sudo to skip fingerprint authentication when the laptop lid is closed. I came up with two options:
- Enable the fingerprint reader when I open the lid and disable it when I close the lid.
- Change PAM config to check for lid status and skip pam_fprintd.so when the lid is closed.
For either option to work, it needs to know the lid status. On my ThinkPad X1 7th gen laptop, /proc/acpi/button/lid/LID/state has the lid status. I think the second option is better. But I did not figure out how to tell PAM to skip pam_fprintd.so conditionally. So I implemented the first solution.
On Linux, you can enable/disable a USB device by setting the authorized bit in sysfs.
I also found acpid, a program that monitors ACPI events and runs scripts when certain events happen. I installed it and created these two files.
/etc/acpi/events/lid
event=button/lid.*
action=/etc/acpi/actions/lid.sh
/etc/acpi/actions/lid.sh
#!/usr/bin/sh
PATH=/usr/sbin:/usr/bin
# Lid closed: deauthorize the fingerprint reader's USB interface
if grep -q close /proc/acpi/button/lid/LID/state; then
    echo 0 > /sys/bus/usb/devices/1-9:1.0/authorized
fi
# Lid open: authorize it again
if grep -q open /proc/acpi/button/lid/LID/state; then
    echo 1 > /sys/bus/usb/devices/1-9:1.0/authorized
fi
exit 0
So every time the lid status changes, acpid runs lid.sh, which checks the lid status and then disables or enables the fingerprint reader. To prevent acpid from conflicting with Gnome, I removed all other files in /etc/acpi/events.
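
The same lid handler with the reader located by USB vendor/product ID rather than a fixed port path, as an added example and not the author's script. It writes the device-level authorized attribute instead of the interface-level one used above; the function names, the SYSFS_USB/LID_STATE/VENDOR/PRODUCT variables and the "apply" argument are assumptions, and 06cb:00bd is the ID from the lsusb output in the comments.

```shell
#!/bin/sh
# Added example: find the fingerprint reader by USB ID, then follow the lid state.
# The paths are overridable so the logic can be exercised against a test tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"
LID_STATE="${LID_STATE:-/proc/acpi/button/lid/LID/state}"
VENDOR="${VENDOR:-06cb}"     # from the lsusb output on this page
PRODUCT="${PRODUCT:-00bd}"

# Print the sysfs directory of the first device matching VENDOR:PRODUCT.
# Interface entries such as 1-9:1.0 have no idVendor file and are skipped.
find_reader() {
    for dev in "$SYSFS_USB"/*; do
        [ -r "$dev/idVendor" ] && [ -r "$dev/idProduct" ] || continue
        if [ "$(cat "$dev/idVendor")" = "$VENDOR" ] &&
           [ "$(cat "$dev/idProduct")" = "$PRODUCT" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# Print 1 (authorize) for an open lid, 0 for a closed lid; fail on anything else.
wanted_state() {
    case "$(cat "$LID_STATE" 2>/dev/null)" in
        *open*)   echo 1 ;;
        *closed*) echo 0 ;;
        *)        return 1 ;;
    esac
}

# Apply the lid state to the reader; leave the device untouched on any error.
sync_reader() {
    dev=$(find_reader) || { echo "reader $VENDOR:$PRODUCT not found" >&2; return 1; }
    want=$(wanted_state) || { echo "cannot read lid state" >&2; return 1; }
    # Skip the write when nothing changes, so the device is not re-enumerated.
    [ "$(cat "$dev/authorized")" = "$want" ] && return 0
    echo "$want" > "$dev/authorized"
}

# Hypothetical invocation from the acpid action: /etc/acpi/actions/lid.sh apply
if [ "${1:-}" = "apply" ]; then
    sync_reader
fi
```
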
Hi, I have the same setup, so thank you for this post. But I want to ask: how do you find which entry in "/sys/bus/usb/devices/*" is being used by the fingerprint reader?
# lsusb|grep Finger
Bus 001 Device 003: ID 06cb:00bd Synaptics, Inc. Prometheus MIS Touch Fingerprint Reader
# grep 06cb /sys/bus/usb/devices/*/idVendor
/sys/bus/usb/devices/1-9/idVendor:06cb
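#!/bin/bash
export PATH="/usr/bin"
if grep -q close /proc/acpi/button/lid/LID0/state; then
    # Lid closed: comment out the pam_fprintd.so line (lines already commented are skipped)
    sed -i 's/^\([^#].*pam_fprintd\.so.*\)$/#\1/' /etc/pam.d/common-auth
else
    # Lid open: restore the pam_fprintd.so line
    sed -i 's/^#\(.*pam_fprintd\.so.*\)$/\1/' /etc/pam.d/common-auth
fi
exit 0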