I was getting frustrated sudo’ing when using an external monitor and laptop lid closed, because I had set up fingerprint authentication for general use (pretty vanilla fedora 36).
I found this resource very useful, with a couple tweaks: ubuntu - How to disable fingerprint authentication when laptop lid is closed? - Unix & Linux Stack Exchange
The guide said to use ‘/sys/class/drm/card0-HDMI-A-1/status’ to detect a connected external monitor, but I had to use ‘/sys/class/drm/card1-DP-3/status’ (I have the HDMI expansion card connected to my lower left slot).
I had to install the acpid service with ‘sudo dnf install acpid’.
Now when requesting elevated permissions, the system prompts for fingerprint when the laptop lid is open, and otherwise prompts for password (with an external monitor is attached).
It is not working for me, on fedora. The script works well, as in the service
fprintd is masked, but sudo-ing still asks for the fingerprint. Any idea why?
Assuming you used systemctl enable to make the services launch on boot, I’d try rebooting with the monitor connected, and the lid open. Then try a few combinations of closing and opening the lid, and checking the two status variables on each, to see if the script logic matches the expected state. It worked OK for me after reboot.
…So someone / anyone can downgrade (depends on resolution / complexity) your authentication factor from biometric to static string…by closing the lid?
I’m not sure what you’re driving at. Are you implying that you have increased authentication security in the first place, just by virtue of enabling fingerprint auth for an account? From my experience, you don’t.
With vanilla Fedora 36, if you enable the fingerprint scanner from the default ‘Users’ control panel pane, that setting doesn’t stop you from entering a text password instead. If you, say, close the lid, then re-open, before unlocking the screen you are prompted to EITHER enter password OR swipe your finger. You’re not forced into a biometric check, just adds a second option for authentication.
The same goes for terminal ‘sudo’ operations: with fingerprint enabled, you just have to hit ctrl-c, and instead of being forced to use the biometric scan, you can enter a text password.
The only advantage of enabling it, in my experience, is the convenience of being able to use a single swipe, versus typing 11 characters.