[RESPONDED] OpenSUSE Tumbleweed Fingerprint Authentication in Gnome

I’ve been reading several of the topics on the fingerprint reader but I’ve hit a bit of a wall. I’ve installed Tumbleweed over my previous Ubuntu install, deleted old fingerprints, enabled pam-config, and enrolled my new fingerprints.

I’ve been able to successfully log in using the fingerprint, which is great! Now I want to be able to use my fingerprints for gnome’s authentication window popup (I believe this is gnomesu?) and when sudo-ing in the terminal. For those two items I still get asked to enter my password.

Any hints or ideas?

Hi @Jeremiah_Jones,

If this is a 13th Gen Framework 13, there was a switch in firmware discussed here.

The current manual firmware update workaround until it lands in LVFS is found here.

Hi @Matt_Hartley!

This is a Framework 13 12th gen, 1240P. I was able to get the fingerprints to register, and so I can use it for logging in, but I don’t get the prompts for sudo commands or the gnome authentication popup. I’m not suspecting a firmware issue.

This is opensuse-specific, so I understand this is an as-available request. But if anyone has any places I might look to understand why Ubuntu gives me a fingerprint message for sudo but Tumbleweed does not, I’d welcome any help.

For PAM duties (sudo, etc), click here and the bottom of the page.

That would be for Ubuntu.

For SuSE, try this: SDB:Using fingerprint authentication - openSUSE Wiki

I have not personally tested it, but this should get you in the right direction.

For anyone else looking into this, I realized that the issue is the lack of a pam configuration file for sudo. Ubuntu ships a sudo configuration in /etc/pam while opensuse does not.

Since the configuration of pam is too complex and interconnected for me to take on, I gave up on this. Many hours of searching did not find any package that configures pam for sudo in opensuse.

I switched back to Ubuntu because this is too big of a QoL improvement to give up.


Appreciate the update :slight_smile:


If others would like this functionality, I have it working on openSUSE Tumbleweed installed on Framework Laptop 13 AMD Ryzen 7040 Series.

As @Jeremiah_Jones mentioned, in openSUSE, /etc/pam.d/ contains no sudo config file. They do however include a base config for sudo in /usr/lib/pam.d/ for users to copy to /etc/pam.d/ and modify. You can do this as follows.

cat /usr/lib/pam.d/sudo

#%PAM-1.0
auth     include        common-auth
account  include        common-account
password include        common-password
session  optional       pam_keyinit.so revoke
session  include        common-session-nonlogin
#session  optional       pam_xauth.so

cp /usr/lib/pam.d/sudo /etc/pam.d/

Now edit the file /etc/pam.d/sudo by adding the following two lines on line 2, immediately after #%PAM-1.0

auth    sufficient      pam_unix.so try_first_pass likeauth nullok
auth    sufficient      pam_fprintd.so

The entire file should now look like this:

#%PAM-1.0
auth     sufficient     pam_unix.so try_first_pass likeauth nullok
auth     sufficient     pam_fprintd.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  optional       pam_keyinit.so revoke
session  include        common-session-nonlogin
session  optional       pam_xauth.so

You may of course make whatever other modifications are appropriate for your system, save the file, and exit.

Upon saving the file the auth changes should take place immediately. Keep in mind for this to work root needs to have a fingerprint enrolled (via fprintd-enroll); as of libfprint v1.94.6 it seems as if that finger still needs to be different from the finger enrolled in the user account.

Now, when using sudo in the terminal you can press Enter as soon as you’re prompted for a password (effectively entering a null password) and your terminal will output a message instructing you to place the finger enrolled for root onto the fingerprint sensor for authentication.

Hope this helps others!

Hello. Thank you @terrapin for writing this out. I am in the same basket as you are/were. But something was a bit strange, since when I ran sudo, it was asking me for the root password, and not the password for my user.

It seems like Tumbleweed by default has some extra lines in the sudoers file:

## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system.
Defaults targetpw   # ask for the password of the target user i.e. root
ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

##
## Runas alias specification
##

These defaults are always asking for the root password AFAIK. In order to fix the duplicate fingerprint problem, we need to tell the system that the fingerprint (and password) from the current user can be used.

First, make sure your user is in the wheel group. Run:

groups

If you are not in wheel, add yourself:

sudo usermod -a -G wheel REPLACE_WITH_YOUR_USERNAME

Next, use visudo to comment out these defaults and uncomment the line for the wheel group. To edit the file, run:

sudo visudo

Your file should look something like this:

...
# In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system.
#Defaults targetpw   # ask for the password of the target user i.e. root
#ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL:ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL:ALL) ALL  # UNCOMMENT THIS LINE

## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL

## Read drop-in files from /usr/etc/sudoers.d
@includedir /usr/etc/sudoers.d
@includedir /etc/sudoers.d

After saving the file (esc-:wq-enter), sudo should now ask you for your fingerprint and/or password, if you are in the wheel group.

Bonus info:

If you want the system to ask you for the fingerprint first, and then the password, just swap the first two lines from the previous post in /etc/pam.d/sudo:

#%PAM-1.0
auth     sufficient     pam_fprintd.so
auth     sufficient     pam_unix.so try_first_pass likeauth nullok
auth     include        common-auth
...

Cheers!
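
Added example, not part of any post above: a read-only shell check for the two files this thread edits. It reports whether the sudo PAM file tries the fingerprint or the password first, whether pam_unix.so is given nullok, and whether sudoers still authenticates against root or has the ALL rule active without targetpw (the combination the stock file's WARNING comment is about). The function names and result strings are made up for this example, the sample files are constructed, and only the plain `Defaults targetpw` form shown in the thread is recognised.

```shell
#!/bin/sh
# Added example: read-only checks; names and result strings are hypothetical.

# Active auth modules in stack order; "include:NAME" marks an included stack.
pam_auth_order() {
    awk '$1 == "auth" { print ($2 == "include" ? "include:" $3 : $3) }' "$1"
}

# Prints fingerprint-first, password-first or no-fingerprint for one PAM file.
pam_fingerprint_mode() {
    pam_auth_order "$1" | awk '
        $0 == "pam_fprintd.so" && !fp { fp = NR }
        ($0 == "pam_unix.so" || /^include:/) && !pw { pw = NR }
        END {
            if (!fp) print "no-fingerprint"
            else if (!pw || fp < pw) print "fingerprint-first"
            else print "password-first"
        }'
}

# Succeeds if an active auth pam_unix.so line carries nullok, which lets an
# account with an empty password pass that line.
pam_unix_nullok() {
    awk '$1 == "auth" && $3 == "pam_unix.so" {
             for (i = 4; i <= NF; i++) if ($i == "nullok") hit = 1 }
         END { exit !hit }' "$1"
}

# Prints whose credentials sudo asks for, or flags the ALL rule being left
# active after targetpw was commented out.
sudoers_auth_identity() {
    awk '
        $1 ~ /^#/ { next }                      # commented-out line
        $1 == "Defaults" && $2 == "targetpw" { targetpw = 1 }
        $1 == "ALL" && $2 ~ /^ALL=/ { allrule = 1 }
        END {
            if (targetpw) print "target-user"
            else if (allrule) print "unsafe-all-rule"
            else print "invoking-user"
        }' "$1"
}

# Constructed samples: the PAM order from the thread, and a sudoers edit
# where targetpw was disabled but the ALL rule was forgotten.
pam=$(mktemp); sud=$(mktemp)
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_unix.so try_first_pass likeauth nullok' \
    'auth sufficient pam_fprintd.so' 'auth include common-auth' > "$pam"
printf '%s\n' '#Defaults targetpw' 'ALL   ALL=(ALL) ALL' '%wheel ALL=(ALL:ALL) ALL' > "$sud"
echo "pam: $(pam_fingerprint_mode "$pam")  sudoers: $(sudoers_auth_identity "$sud")"
pam_unix_nullok "$pam" && echo "pam: pam_unix.so has nullok"
rm -f "$pam" "$sud"
```

Run the functions against copies of /etc/pam.d/sudo and the sudoers file after editing; `visudo -c` separately checks sudoers syntax.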