Enable finger print authentication, but not for the first login

fingerprint.md

Enable fingerprint authentication, but not for the first login

Install and enable the fingerprint authentication in pam

First, install the required packages and enable fingerprint support in the PAM configuration:

# Install the module
sudo apt install fprintd libpam-fprintd

# Use the spacebar to enable fprintd
sudo pam-auth-update

This ensures that fingerprint authentication is set up as an optional method for login and privilege escalation.

Enroll and test the finger prints

Before using fingerprint authentication, enroll your fingerprints with fprintd:

fprintd-enroll -f [finger-name]

Finger name must be one of any: left-thumb, left-index-finger, left-middle-finger, left-ring-finger, left-little-finger, right-thumb, right-index-finger, right-middle-finger, right-ring-finger, right-little-finger

You can verify your fingerprint works with:

fprintd-verify -f [finger-name]

---

Disable fingerprint authentication on the login screen

When using eCryptfs to encrypt the home folder, login using only the fingerprint will fail because the system needs the user password to decrypt the home directory. To fix this, we configure PAM so the login screen defaults to password authentication while keeping fingerprint authentication for other scenarios, such as sudo.

Replace the LightDM PAM Configuration

Make a backup and replace the LightDM PAM config:

sudo cp /etc/pam.d/lightdm /etc/pam.d/lightdm.bak

Create a new custom configuration file:

sudo vi /etc/pam.d/lightdm-custom

Paste the following content:

#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_unix.so
auth    optional        pam_ecryptfs.so unwrap
auth    optional        pam_gnome_keyring.so
account required        pam_unix.so
session required        pam_limits.so
session required        pam_env.so readenv=1
session required        pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
session required        pam_unix.so
session optional        pam_ecryptfs.so
session optional        pam_gnome_keyring.so auto_start
session optional        pam_systemd.so

What Each Line Does:

• auth requisite pam_nologin.so: Blocks login if /etc/nologin exists, used for maintenance purposes.
• auth required pam_unix.so: Enforces password-based authentication.
• auth optional pam_ecryptfs.so unwrap: Ensures the password is passed to decrypt the eCryptfs-encrypted home directory.
• auth optional pam_gnome_keyring.so: Initializes the GNOME Keyring for secure password storage.
• account required pam_unix.so: Ensures the user's account exists and is not locked.
• session required pam_limits.so: Enforces system limits on resources for the user session.
• session required pam_env.so readenv=1: Sets up environment variables.
• session required pam_unix.so: Establishes the user session after authentication.
• session optional pam_ecryptfs.so: Finalizes access to the decrypted home directory.
• session optional pam_gnome_keyring.so auto_start: Starts the GNOME Keyring session automatically.
• session optional pam_systemd.so: Registers the session with systemd, required for privilege escalation and session tracking.

Replace the default LightDM PAM file with your custom configuration:

sudo ln -sf /etc/pam.d/lightdm-custom /etc/pam.d/lightdm

With this setup, the system will default to password authentication on the login screen but retain fingerprint authentication for sudo or other privileged actions.

Having an issue with the "sudo vi /etc/pam.d/lightdm-custom" command. Is there a little more to know about executing this? Posting a couple pictures here showing the message I get when I try to execute this now, and the next result after I hit enter.

Hello Craig! I dunno why you got that .swp file but you can safely delete it as instructed by the message.
In the blank screen that follow, you have to paste the contents as the instruction of the gist. To paste in vi, you have first to press INSERT to be able to insert text and then CTRL+SHIFT+V to paste the text. To save and exit, press ESC and then type :wq.

If you find difficult to use vi, you can edit the file with other editor, for example: sudo vi /etc/pam.d/lightdm-custom. I hope this helps you to replicate my configuration.

Regards

FellipeC

Ahh yes, the INSERT, ESC, then :wq is definitely where I went wrong. Thank you very much! I just made the jump from windows to linux on my laptop and the terminal is my biggest hurdle. It is working perfect now.

vi is a powerful editor, but famous to not be beginner-friendly. Every time you see something telling you to use vi (or the variants vim, nvim) you can safely use other editor like nano, that is not so powerful but much more intuitive.

Glad is working for you now.