I want to achieve the following on Fedora 44 on a ThinkPad X1C Gen 10:
- fingerprint auth is allowed in sudo
- fingerprint auth is not allowed anywhere else
- fingerprint auth is skipped when the laptop lid is closed.
I did the following:
Check the current authselect config:
authselect current
If the result contains with-fingerprint, disable it:
sudo authselect disable-feature with-fingerprint
Run cat /etc/pam.d/system-auth to verify that pam_fprintd.so is not listed.
This disables fingerprint auth for everything.
Then add these two lines to /etc/pam.d/sudo, immediately below the #%PAM-1.0 line:
auth [success=ok default=1] pam_exec.so quiet quiet_log /bin/grep -q open /proc/acpi/button/lid/LID/state
auth sufficient pam_fprintd.so
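These two lines enable fingerprint auth for sudo only when the laptop lid is open. The first line runs grep against the lid state file; when grep does not find "open", default=1 skips the next module (pam_fprintd.so), so sudo falls through to the rest of the stack and asks for the password. If the state file does not exist, grep fails as well and fingerprint auth is skipped.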
Lastly, run fprintd-enroll to enroll fingerprints.
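A read-only check of the resulting layout, as an added example that is not part of the original post. The function names are hypothetical, and the default paths are the ones used above; pass other paths to test copies of the files.

```shell
#!/bin/sh
# Added example: read-only checks for the PAM layout described above.
# Function names are hypothetical; default paths are the ones used in the post.

# True when no uncommented line of the given PAM file loads pam_fprintd.so.
no_fprintd() {
    ! grep -v '^[[:space:]]*#' "$1" | grep -q 'pam_fprintd\.so'
}

# True when the auth stack has a pam_fprintd.so line and every such line is
# immediately preceded by the lid gate. default=1 skips exactly one module,
# so any auth line between the two would be skipped instead of pam_fprintd.so.
sudo_gate_ok() {
    awk '
        $1 != "auth" && $1 != "-auth" { next }   # comments, blanks, other stacks
        /pam_fprintd\.so/ { seen = 1; if (!gated) bad = 1 }
        { gated = ($2 == "[success=ok" && $3 == "default=1]" &&
                   /pam_exec\.so/ && /\/proc\/acpi\/button\/lid\/LID\/state/) }
        END { exit !(seen && !bad) }
    ' "$1"
}

# Same test the pam_exec line performs: true only when the lid reports "open".
lid_open() {
    grep -q open "${1:-/proc/acpi/button/lid/LID/state}"
}

# Run all checks; arguments override the default paths (useful on copies).
check_all() {
    system_auth=${1:-/etc/pam.d/system-auth}
    sudo_pam=${2:-/etc/pam.d/sudo}
    lid=${3:-/proc/acpi/button/lid/LID/state}
    rc=0
    no_fprintd "$system_auth" || { echo "FAIL: pam_fprintd.so active in $system_auth"; rc=1; }
    sudo_gate_ok "$sudo_pam" || { echo "FAIL: pam_fprintd.so not gated by lid check in $sudo_pam"; rc=1; }
    [ -r "$lid" ] || { echo "FAIL: $lid not readable, fingerprint will always be skipped"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: fingerprint limited to sudo with lid open"
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then check_all; fi
```

Run the script with --check to test the live files.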
References
https://www.man7.org/linux/man-pages/man8/pam_exec.8.html
https://www.man7.org/linux/man-pages/man5/pam.conf.5.html