Ubuntu – How to disable sudo authentication via fingerprint in fprint

15.10, fingerprint reader, sudo, thinkpad

I have installed fprint for my laptop (ThinkPad T450s) and it works very well.

But I mainly want to use it for login, and being able to authenticate sudo with fingerprint is a great addition.

But when using sudo and I want to use my password instead of fingerprint I have to:

  • wait 10 seconds
  • swipe wrong finger

I know there isn't a way to have both fingerprint and password at the same time (known issue at fprint launchpad).

Is there any way to disable fingerprint authentication only for sudo?

Best Answer

You can easily reduce the timeout from 10 seconds to 3 seconds by changing the timeout value in /etc/pam.d/common-auth. That would allow you to still use the fingerprint reader for sudo, just with a less annoying timeout.

By default the authentication method for sudo matches your common-auth settings. But you can change that in the file /etc/pam.d/sudo.

  • copy the file /etc/pam.d/common-auth to /etc/pam.d/common-auth-nofingerprint
  • remove the line that references pam_fprintd.so from your new file.
  • edit /etc/pam.d/sudo and use @include common-auth-nofingerprint instead of @include common-auth

/etc/pam.d/common-auth

auth    [success=2 default=ignore]  pam_fprintd.so max_tries=1 timeout=10 # debug
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite           pam_deny.so
auth    required            pam_permit.so

/etc/pam.d/sudo

#%PAM-1.0

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive

For background information on why fingerprint and password do not work in parallel, see: https://launchpad.net/~fingerprint/+archive/ubuntu/fprint in section Known (minor) issues - 1. No fingerprint and password at the same time
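
The three steps from the answer as a script. This is an added example, not part of the original answer: `split_sudo_auth` and `make_sample_dir` are names invented here, and the sample files are constructed from the two listings above. It also refuses to continue when a `success=N` jump precedes the `pam_fprintd.so` line, because removing the line would change where that jump lands.

```shell
#!/bin/sh
# Added example (not from the answer). Sample files are constructed from the
# two listings on this page; pass a real PAM directory as $1 to apply it there.

make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/common-auth" <<'EOF'
auth    [success=2 default=ignore]  pam_fprintd.so max_tries=1 timeout=10 # debug
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite           pam_deny.so
auth    required            pam_permit.so
EOF
    cat > "$d/sudo" <<'EOF'
#%PAM-1.0
session    required   pam_env.so readenv=1 user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
EOF
    echo "$d"
}

split_sudo_auth() {
    src="$1/common-auth"; dst="$1/common-auth-nofingerprint"; sudo_file="$1/sudo"
    [ -f "$src" ] && [ -f "$sudo_file" ] || { echo "missing PAM files in $1" >&2; return 1; }

    # A success=N jump on an earlier line counts the fprintd line; dropping it
    # would shift that jump's target, so stop and let the admin fix N by hand.
    if awk '/pam_fprintd\.so/ { exit } /success=[0-9]/ { hit = 1 } END { exit !hit }' "$src"; then
        echo "a success=N jump precedes pam_fprintd.so; adjust it manually" >&2; return 1
    fi

    # Steps 1 and 2: copy common-auth minus every pam_fprintd.so line.
    grep -v 'pam_fprintd\.so' "$src" > "$dst.tmp" || true
    grep -q 'pam_unix\.so' "$dst.tmp" || { rm -f "$dst.tmp"; echo "pam_unix.so missing" >&2; return 1; }
    mv "$dst.tmp" "$dst"

    # Step 3: swap only the exact "@include common-auth" line; keep a backup.
    cp -p "$sudo_file" "$sudo_file.bak"
    sed 's/^@include[[:space:]]\{1,\}common-auth[[:space:]]*$/@include common-auth-nofingerprint/' \
        "$sudo_file.bak" > "$sudo_file"
}

# With no argument, work on a scratch directory instead of /etc/pam.d.
target=${1:-$(make_sample_dir)}
split_sudo_auth "$target" && echo "updated $target"
```

When running it against /etc/pam.d, keep a root shell open and confirm sudo still works from a second terminal before closing it.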
