Using Fingerprint auth for Polkt


I am trying to use the user password instead of the root password for all of the kde polkit authentication, i looked through the wiki and managed to apply this to sudo but not the gui popups that i get when opening yast or using systemctl without sudo. The installation is pretty much a brand new tumbleweed. While using Linux i never managed to understand PAM, if there is any comprehensive documentation on it it would be great too :slight_smile:
Thanks for any help!

Polkit and PAM are two different things.

If “it” means “polkit” - start with low hanging fruits and do man polkit. Which has example of rule that grants administrative privileges to a user group and which can be trivially changed to grant administrative privileges to a single user.

Hi and welcome to the forums :smile:

You’re definitely on the right track as polkit is used for nice looking authentication by KDE/Gnome et al.

To get your user auth (fingerprint) working, simply copy the pam config file for polkit and modify it, make sure to do changes to PAM as root so as not to get locked out :warning:

# run as root
cp /usr/lib/pam.d/polkit-1 /etc/pam.d/polkit-1
# edit /etc/pam.d/polkit-1
# test from a new shell by running systemctl daemon-reload for example
# do not close the root shell until you've ensured everything works!!!

For example, I use Yubikey for polkit auth so here’s my PAM config file:

# /etc/pam.d/polkit-1
auth       sufficient      authfile=/etc/Yubico/u2f_keys cue
auth       include      common-auth
account    include      common-account
password   include      common-password
session    include      common-session
session    optional revoke [force]

I only added the first line, the skeleton/template was from /usr/lib/pam.d/polkit-1

Thank you for the warm welcome!

I did what you said and added auth sufficient in front of my pam polkit-1 file, one issue though is that it asks for the root password and not my admin user where my fingerprint is enrolled. I tested this by enrolling a different finger in the root shell i kept open. It would not be an issue if i could have the same finger for both users but that’s not allowed at least by default.

Writing this I think I got the solution, I’ll re-enable the visudo file to ask for root password instead of the user which was the solution I got for using the fingerprint in the terminal.
One issue now is that I will not be able to unlock the laptop with the fingerprint reader. If you know what setting I would need to change in order to be asked the user admin user password instead of root then it would be great, if not that’s alright.

Thanks again!

Sorry, I’m not very familiar with the fingerprint pam module, no fingerprint reader here!
For example I didn’t know you couldn’t enroll the same finger for two different users.
I do have Yubikey config for my normal user and root though.

If it doesn’t let you enroll the same finger for two different users, perhaps you could enroll an alternate finger for the normal user and “main finger” for root.

yup, that’s what i ended up doing, although flipped with my main index for root and major for user, just to unlock it

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.