Using Fingerprint auth for Polkit

Hi,

I am trying to use the user password instead of the root password for all of the KDE polkit authentication. I looked through the wiki and managed to apply this to sudo, but not to the GUI popups that I get when opening YaST or using systemctl without sudo. The installation is pretty much a brand new Tumbleweed. While using Linux I never managed to understand PAM; if there is any comprehensive documentation on it, it would be great too :slight_smile:
Thanks for any help!

Polkit and PAM are two different things.

If “it” means “polkit” - start with the low-hanging fruit and do man polkit, which has an example of a rule that grants administrative privileges to a user group and which can be trivially changed to grant administrative privileges to a single user.

Hi and welcome to the forums :smile:

You’re definitely on the right track as polkit is used for nice looking authentication by KDE/Gnome et al.

To get your user auth (fingerprint) working, simply copy the pam config file for polkit and modify it. Make sure to do changes to PAM as root so as not to get locked out :warning:

```
# run as root
cp /usr/lib/pam.d/polkit-1 /etc/pam.d/polkit-1
# edit /etc/pam.d/polkit-1
# test from a new shell by running systemctl daemon-reload for example
# do not close the root shell until you've ensured everything works!!!
```

For example, I use Yubikey for polkit auth so here’s my PAM config file:

```
# /etc/pam.d/polkit-1
#%PAM-1.0
auth       sufficient   pam_u2f.so      authfile=/etc/Yubico/u2f_keys cue
auth       include      common-auth
account    include      common-account
password   include      common-password
session    include      common-session
session    optional     pam_keyinit.so revoke [force]
```

I only added the first line, the skeleton/template was from /usr/lib/pam.d/polkit-1

Thank you for the warm welcome!

I did what you said and added auth sufficient pam_fprintd.so in front of my pam polkit-1 file. One issue though is that it asks for the root password and not my admin user where my fingerprint is enrolled. I tested this by enrolling a different finger in the root shell I kept open. It would not be an issue if I could have the same finger for both users, but that’s not allowed, at least by default.

Writing this I think I got the solution, I’ll re-enable the visudo file to ask for root password instead of the user which was the solution I got for using the fingerprint in the terminal.
One issue now is that I will not be able to unlock the laptop with the fingerprint reader. If you know what setting I would need to change in order to be asked for the admin user password instead of root, then it would be great; if not, that’s alright.

Thanks again!
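
The copy-and-edit step from the posts above, written as a shell function (an added example, not part of the original thread). It assumes the pam_fprintd.so line quoted above; the function name is made up for this example, and both file paths are arguments so it can be tried on scratch copies before touching /etc/pam.d.

```shell
#!/bin/sh
# Added example: build a local polkit PAM override from the vendor file and
# put one "auth sufficient" line ahead of the existing auth stack.
# make_polkit_override is a hypothetical helper name, not a system tool.

FPRINT_LINE='auth       sufficient   pam_fprintd.so'

# make_polkit_override VENDOR_FILE OVERRIDE_FILE [AUTH_LINE]
make_polkit_override() {
    src=$1; dst=$2; line=${3:-$FPRINT_LINE}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Start from an existing override if present (and keep a backup of it),
    # otherwise from the vendor file. The vendor file is never modified.
    base=$src
    if [ -f "$dst" ]; then
        base=$dst
        cp -p "$dst" "$dst.bak" || return 1
    fi

    module=$(printf '%s\n' "$line" | awk '{ print $3 }')
    tmp=$(mktemp "$dst.XXXXXX") || return 1

    if awk -v mod="$module" '$1 == "auth" && $3 == mod { found = 1 }
                             END { exit !found }' "$base"; then
        cat "$base" > "$tmp"          # module already configured: no duplicate
    else
        # Insert the new line directly before the first "auth" entry.
        awk -v new="$line" '!done && $1 == "auth" { print new; done = 1 }
                            { print }' "$base" > "$tmp"
    fi

    # A file without any auth entry gives nothing to insert before: refuse it
    # rather than install an override that lacks the module.
    if ! grep -Fq -- "$module" "$tmp"; then
        echo "no auth entry found in $base" >&2
        rm -f "$tmp"
        return 1
    fi

    # Write the result in one step so a half-written file is never live.
    chmod 644 "$tmp" && mv "$tmp" "$dst"
}

# Real use, as root, with a second root shell kept open until it is tested:
#   make_polkit_override /usr/lib/pam.d/polkit-1 /etc/pam.d/polkit-1
```
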

Sorry, I’m not very familiar with the fingerprint pam module, no fingerprint reader here!
For example I didn’t know you couldn’t enroll the same finger for two different users.
I do have Yubikey config for my normal user and root though.

If it doesn’t let you enroll the same finger for two different users, perhaps you could enroll an alternate finger for the normal user and “main finger” for root.

Yup, that’s what I ended up doing, although flipped, with my main index for root and major for user, just to unlock it.