After setting up fingerprint sudo prompts for both password and fingerprint

partkyle · 12 July 2024 00:47

After I set up fingerprints on my system, sudo began asking for both password and fingerprint.

sudo echo doot                                                                                              ✔ 
[sudo] password for partkyle: 
Place your finger on the fingerprint reader
doot

Is this intended? I would prefer only to need 1 method, and to use the fingerprint first.

litelo · 5 October 2024 13:51

I ran into the same issue. You have to update the PAM config to control what is authenticated by password, fingerprint or both.
Go to /etc/pam.d/ where you will find a file for all the services using PAM.
You want to edit the file named ‘sudo’ in this directory. You want to have the following line at the top of this file:
auth sufficient pam_fprintd.so

If any other lines exist with ‘pam_fprintd.so’ then you can remove them. This line at the top will make sure that fingerprint is ‘sufficient’ for authenticating sudo commands and no other auth is needed after this.

Fair warning though, the fprint documentation on ArchWiki says that there is a vulnerability using fingerprint for sudo (check ArchWiki for fprint for more details). I have this line commented in my ‘sudo’ file so that only password is sufficient and it never asks for fingerprint.

cristids · 22 January 2025 19:11

A little bit late to this but make sure the pam.d/sudo has the include after the auth:

#%PAM-1.0
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_env.so
auth required pam_deny.so

auth include system-auth
account include system-auth
session include system-auth

If you move the pam_fprintd after the pam_unix you get asked for pass but you can press enter and then use your finger.

nb549 · 22 March 2025 06:32

Does my file have to look exactly like yours because it came up in a different way in my pam.d file. LIke this:

This is after I reordered according to your post. I still get asked for password first (which I have to type it in, just pressing enter doesn’t work) and then my fingerprint.

Do I have to remove the Manjaro defualts line and move the bottom auth lines to the top?

Thanks.

nishan-chatterjee · 10 April 2025 02:55

#%PAM-1.0

auth       sufficient   pam_fprintd.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth

Something like this should work.