How to configure PAM to require both password and fingerprint to log in?

I can do a password / fingerprint login but not both by changing /etc/pam.d/common-auth

  1. For password only

    auth    [success=2 default=ignore]  pam_unix.so nullok_secure
    
  2. For fingerprint only

    auth [success=2 default=ignore] pam_fprintd.so 
    

How to combine both?

  • related post: unix.stackexchange.com/questions/207360/… Commented Dec 22, 2016 at 12:13
  • login with ssh? Commented Dec 22, 2016 at 14:14
  • Don't mess up the PAM configuration file, or you'll have to boot into a LiveCD to fix it like I did :) Commented Jun 26 at 14:28

1 Answer

If you use the success=2 control flag, PAM skips the next 2 items in the stack on success. And default=ignore means you ignore bad results, so depending on your configuration you should probably use success=ok on the first entry and default=bad on both, as they are executed in order.

    auth    [success=ok default=bad]  pam_unix.so nullok_secure
    auth    [success=2 default=bad]   pam_fprintd.so

This would require both password (pam_unix) and fingerprint (pam_fprintd) and only succeeds if both are successful. If you want to cancel the checks after the first failure, you can also use default=die, which is equivalent to bad but terminates the PAM stack immediately.
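The control-flag behaviour described in the answer, as an added example that is not part of the original answer: a simplified Python model of Linux-PAM stack evaluation covering only ok, bad, die, ignore and success=N. It assumes the two lines are followed by `auth requisite pam_deny.so` and `auth required pam_permit.so` (a tail not shown on the page); `run_stack`, `truth_table`, `BOTH` and `NAIVE` are hypothetical names.

```python
# Added example: simplified model of Linux-PAM auth stack evaluation (ok, bad, die, ignore, success=N).
from itertools import product

SUCCESS, FAIL = "success", "fail"
REQUISITE = {"success": "ok", "default": "die"}   # bracket form of "requisite"
REQUIRED = {"success": "ok", "default": "bad"}    # bracket form of "required"
# Assumed tail of common-auth (not shown on the page): pam_deny, then pam_permit.
TAIL = [("pam_deny", REQUISITE), ("pam_permit", REQUIRED)]

def run_stack(stack, results):
    """Return True if the stack authenticates, given each module's result."""
    impression, status, skip = None, FAIL, 0      # fail closed until decided
    for module, control in stack:
        if skip:                                  # jumped over by success=N
            skip -= 1
            continue
        ret = results[module]
        action = control.get(ret, control["default"])
        if isinstance(action, int):               # jump: skip next N modules
            skip = action
        elif action == "ok":
            if impression is None or (impression == "+" and status == SUCCESS):
                impression, status = "+", ret
        elif action in ("bad", "die"):
            impression, status = "-", FAIL
            if action == "die":                   # stop the stack immediately
                break
        # "ignore": this module's result does not count either way
    # A jump past the end of the stack is treated as a failure.
    return skip == 0 and impression == "+" and status == SUCCESS

def truth_table(stack):
    """Map (password_ok, fingerprint_ok) -> overall result for a stack."""
    table = {}
    for pw, fp in product([True, False], repeat=2):
        results = {"pam_unix": SUCCESS if pw else FAIL,
                   "pam_fprintd": SUCCESS if fp else FAIL,
                   "pam_deny": FAIL, "pam_permit": SUCCESS}
        table[(pw, fp)] = run_stack(stack + TAIL, results)
    return table

# The answer's two lines: both factors must succeed.
BOTH = [("pam_unix", {"success": "ok", "default": "bad"}),
        ("pam_fprintd", {"success": 2, "default": "bad"})]
# The question's two lines stacked unchanged: the first jump skips pam_fprintd.
NAIVE = [("pam_unix", {"success": 2, "default": "ignore"}),
         ("pam_fprintd", {"success": 2, "default": "ignore"})]
if __name__ == "__main__":
    print("both:", truth_table(BOTH), "\nnaive:", truth_table(NAIVE))
```

Under the assumed tail, the answer's stack authenticates only when both modules succeed, while the question's two lines stacked unchanged accept the password alone because the first jump skips pam_fprintd.so.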
