i usually feel paranoid when typing my sudo password in public places, and i have a fingerprint reader on my thinkpad t14gen1, so let's make some use of it.
install:
sudo apt install fprintd libpam-fprintd
add the fingerprint:
sudo fprintd-enroll alex # replace "alex" with your login
check that the scanner works:
$ sudo fprintd-verify alex
Using device /net/reactivated/Fprint/Device/0
Listing enrolled fingers:
- #0: right-index-finger
Verify started!
Verifying: right-index-finger
Verify result: verify-match (done)
edit /etc/pam.d/sudo, add the following line at the very beginning, so the file might look like this:
#%PAM-1.0
auth sufficient pam_fprintd.so # <<< ADD THIS
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
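sudo will try fprintd first, then fall back to "common-auth" if no fingerprint is provided. because the line is marked "sufficient", a matching fingerprint alone is enough for sudo and the password is not asked as well. to skip fingerprint auth and use the password, hit "ctrl+c" at the "place your finger" prompt.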
restart fprintd service:
sudo systemctl restart fprintd.service
spawn a new terminal, and see how sudo is doing now:
$ sudo echo test
Place your right index finger on the fingerprint reader
test
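a quick sanity check for the edit above, as an added example (not part of the original post, and not fprintd's own tooling): it confirms the pam_fprintd.so line is active, marked "sufficient", and placed before "@include common-auth", so the password fallback still works. the function names check_sudo_fprintd and sample_sudo_pam are hypothetical, and the sample file is constructed from the listing above.

```shell
#!/bin/sh
# added example: names below are hypothetical, not from fprintd or the post.
# check_sudo_fprintd FILE exit codes:
#   0  "auth sufficient pam_fprintd.so" sits before "@include common-auth"
#   1  no active pam_fprintd.so auth line (missing or commented out)
#   2  the line is there, but after common-auth (password gets asked first)
#   3  control flag is not the plain "sufficient" keyword
check_sudo_fprintd() {
    awk '
        { sub(/#.*/, "") }            # drop comments, trailing ones too
        NF == 0 { next }              # skip blank / comment-only lines
        $1 == "@include" && $2 == "common-auth" && !inc { inc = NR }
        $1 == "auth" && !fp {
            for (i = 3; i <= NF; i++)
                if ($i == "pam_fprintd.so") { fp = NR; flag = $2; break }
        }
        END {
            if (!fp) exit 1
            if (inc && fp > inc) exit 2
            if (flag != "sufficient") exit 3
            exit 0
        }
    ' "$1"
}

# constructed sample: the /etc/pam.d/sudo layout shown above
sample_sudo_pam() {
    cat <<'EOF'
#%PAM-1.0
auth sufficient pam_fprintd.so # <<< ADD THIS
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
EOF
}

tmp=$(mktemp)
sample_sudo_pam > "$tmp"
check_sudo_fprintd "$tmp" && echo "sample: fingerprint first, password fallback intact"
rm -f "$tmp"
```

on a real machine, point it at the live file with `check_sudo_fprintd /etc/pam.d/sudo` and look at the exit status before closing your existing root shell.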