After I set up fingerprints on my system, sudo began asking for both password and fingerprint.
sudo echo doot ✔
[sudo] password for partkyle:
Place your finger on the fingerprint reader
doot
Is this intended? I would prefer to need only one method, and to use the fingerprint first.
I ran into the same issue. You have to update the PAM config to control what is authenticated by password, fingerprint or both.
Go to /etc/pam.d/ where you will find a file for all the services using PAM.
You want to edit the file named ‘sudo’ in this directory. You want to have the following line at the top of this file:
auth sufficient pam_fprintd.so
If any other lines exist with ‘pam_fprintd.so’ then you can remove them. This line at the top will make sure that fingerprint is ‘sufficient’ for authenticating sudo commands and no other auth is needed after this.
Fair warning though: the fprint documentation on ArchWiki says that there is a vulnerability in using fingerprint for sudo (check the ArchWiki fprint page for more details). I have this line commented out in my ‘sudo’ file so that only the password is sufficient and it never asks for a fingerprint.
A little bit late to this, but make sure pam.d/sudo has the include after the auth lines:
#%PAM-1.0
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_env.so
auth required pam_deny.so
auth include system-auth
account include system-auth
session include system-auth
If you move pam_fprintd after pam_unix, you get asked for a password, but you can press Enter and then use your finger.
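Both answers above hinge on how Linux-PAM walks an auth stack: a `sufficient` line that succeeds ends the stack immediately, a `required` failure is remembered but the stack keeps running, and `pam_deny.so` is what turns "nothing matched" into a definite refusal. The following script is an added example, not code from either post, from Linux-PAM or from any distribution. It is a toy evaluator for those control flags (plus `include`), run over the `pam.d/sudo` lines from the second answer in both orders, over a constructed one-line stand-in for `system-auth`, and over a constructed "both required" stack that is one plausible (assumed) cause of the symptom in the question. The `simulate` helper, the `sudo_stack` builder and the module outcome dictionaries are all assumptions of this example.

```python
"""Toy evaluator for Linux-PAM 'auth' stacks. Added example for this thread,
not code from the posts, from Linux-PAM or from any distribution. It models
only required/requisite/sufficient/optional plus 'include', which is enough to
show why the position of pam_fprintd.so relative to pam_unix.so decides which
prompts sudo shows."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    control: str
    module: str
    args: tuple


def parse_auth_stack(text, includes=None):
    """Return the auth entries of a pam.d file, expanding 'include' lines from
    the includes mapping (file name -> file text). Other stacks are ignored."""
    includes = includes or {}
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments such as #%PAM-1.0
        if len(parts) < 3 or parts[0] != "auth":
            continue
        control, module, args = parts[1], parts[2], tuple(parts[3:])
        if control == "include":
            entries.extend(parse_auth_stack(includes[module], includes))
        else:
            entries.append(Entry(control, module, args))
    return entries


def run_auth(entries, outcomes):
    """Walk the stack with Linux-PAM control-flag semantics.
    outcomes maps module name -> bool (what it would return for this attempt);
    pam_deny always fails, unlisted modules succeed. Returns (result, prompts)."""
    prompts, have_authtok = [], False
    required_failed = definitive_success = False
    for e in entries:
        # Assumption: only pam_unix and pam_fprintd talk to the user here, and
        # pam_unix with try_first_pass reuses a password collected earlier.
        if e.module == "pam_unix.so":
            if not (have_authtok and "try_first_pass" in e.args):
                prompts.append("password")
                have_authtok = True
        elif e.module == "pam_fprintd.so":
            prompts.append("fingerprint")
        ok = False if e.module == "pam_deny.so" else outcomes.get(e.module, True)
        if e.control == "sufficient":
            if ok and not required_failed:
                return "PAM_SUCCESS", prompts      # stop: later lines never run
        elif e.control == "requisite":
            if not ok:
                return "PAM_AUTH_ERR", prompts     # stop immediately on failure
            definitive_success = True
        elif e.control in ("required", "optional"):
            if ok:
                definitive_success = True
            elif e.control == "required":
                required_failed = True             # remembered; stack keeps running
        else:
            raise ValueError(f"unsupported control flag {e.control!r}")
    ok_overall = definitive_success and not required_failed
    return ("PAM_SUCCESS" if ok_overall else "PAM_AUTH_ERR"), prompts


# Constructed stand-in for /etc/pam.d/system-auth (real ones are longer).
SYSTEM_AUTH = "auth required pam_unix.so try_first_pass nullok\n"


def sudo_stack(fingerprint_first):
    """The pam.d/sudo auth lines from the second answer, in either order."""
    fprint = "auth sufficient pam_fprintd.so\n"
    unix = "auth sufficient pam_unix.so try_first_pass likeauth nullok\n"
    return ("#%PAM-1.0\n" + (fprint + unix if fingerprint_first else unix + fprint)
            + "auth required pam_env.so\nauth required pam_deny.so\n"
            + "auth include system-auth\n")


# Assumption: one stack that reproduces the question's symptom (both asked).
BOTH_REQUIRED = "auth required pam_unix.so\nauth required pam_fprintd.so\n"


def simulate(stack_text, outcomes):
    entries = parse_auth_stack(stack_text, {"system-auth": SYSTEM_AUTH})
    return run_auth(entries, outcomes)


if __name__ == "__main__":
    finger_ok = {"pam_fprintd.so": True, "pam_unix.so": False}   # finger, Enter on password
    pw_ok = {"pam_fprintd.so": False, "pam_unix.so": True}       # password, no finger
    nothing = {"pam_fprintd.so": False, "pam_unix.so": False}
    print("fingerprint first, finger ok :", simulate(sudo_stack(True), finger_ok))
    print("pam_unix first, Enter+finger :", simulate(sudo_stack(False), finger_ok))
    print("fingerprint first, password  :", simulate(sudo_stack(True), pw_ok))
    print("fingerprint first, both fail :", simulate(sudo_stack(True), nothing))
    print("both required, both ok       :", simulate(BOTH_REQUIRED, {}))
```

With `pam_fprintd.so` first, a good fingerprint ends the stack before `pam_unix.so` ever prompts; with `pam_unix.so` first, the user is asked for a password, can press Enter, and is then asked for the finger, exactly as the second answer describes. When both modules fail, `pam_env.so` succeeds but `pam_deny.so` records a `required` failure, and the included `system-auth` line reuses the already-collected password because of `try_first_pass` instead of prompting again. Marking both modules `required` is one way to get the question's "password, then finger" behaviour.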