On Thu, Apr 17, 2025 at 1:17 PM Hilton Chain <hako@ultrarare.space> wrote:

> Hi Nicolas,
>
> On Thu, 17 Apr 2025 02:46:13 +0800,
> Nicolas Maupu wrote:
> >
> > Hello !
> >
> > I enabled fprintd with fprintd and added fprintd-service-type service to my
> > configuration.
> > This works: I can enroll and verify my fingerprints with success.
> >
> > However, fingerprints cannot be used to login from GDM, nor from sudo or
> > any other authentication tools.
> > As far as I understand, this needs some PAM configuration to be added to
> > existing config files.
> > For example, if I want to be able to use fingerprints to authenticate with
> > sudo, I would need to add to /etc/static/pam.d/sudo:
> >
> > auth sufficient pam_fprintd.so
> >
> > I came across the "pam-extension" function browsing the guix source code
> > but I am not sure on how I can implement that in my system.scm...
> >
> > Is there a tutorial or an example snippet I can use to achieve that?
> >
> > Thanks,
> > Nicolas
>
> The following service is equivalent to your need:
> --8<---------------cut here---------------start------------->8---
> (simple-service 'my-pam-service pam-root-service-type
>   (let ((my-pam-entry
>          (pam-entry
>            (control "sufficient")
>            (module (file-append fprintd "/lib/security/pam_fprintd.so")))))
>     (list (pam-extension
>             (transformer
>              (lambda (pam)
>                (if (string=? "sudo" (pam-service-name pam))
>                    (pam-service
>                      (inherit pam)
>                      (auth
>                       (append (pam-service-auth pam)
>                               (list my-pam-entry))))
>                    pam)))))))
> --8<---------------cut here---------------end--------------->8---
>
>  Thanks
>
>
Thanks very much, this snippet adds the required line to the sudo
configuration!
However, the line with sufficient is added after the line 'auth required
pam_unix.so' which requires the password first and asks for fingerprint
after but ignores the result.

So to have a complete working example, we need to append my-pam-entry
BEFORE pam-service-auth. Other than that, it works perfectly.
This is just a proof of concept as using bio for sudo might not be a good
idea though ;)

Nico
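The service with the ordering change Nico describes, written out as an added example (not code from either message). It assumes the usual Guix module imports, and the list of service names is an assumption added here so the transformer is not hard-wired to "sudo":

```scheme
;; Added example: the thread's service with the pam_fprintd.so entry placed
;; BEFORE the existing auth lines, so a successful fingerprint match is
;; accepted without first prompting for the password.
;; Assumed module imports (not shown in the original messages).
(use-modules (gnu services)              ; simple-service
             (gnu system pam)            ; pam-entry, pam-service, pam-extension ...
             (gnu packages freedesktop)  ; fprintd
             (guix gexp))                ; file-append

(define fprintd-pam-entry
  (pam-entry
   (control "sufficient")
   (module (file-append fprintd "/lib/security/pam_fprintd.so"))))

;; Services whose auth stack should accept a fingerprint.  The thread only
;; covers "sudo"; the list form is an assumption added here for reuse.
(define fprintd-pam-services '("sudo"))

(define (add-fprintd-auth pam)
  "Return PAM with the fprintd entry prepended to its auth stack when its
name is in FPRINTD-PAM-SERVICES; otherwise return PAM unchanged."
  (if (member (pam-service-name pam) fprintd-pam-services)
      (pam-service
       (inherit pam)
       ;; cons, not append: the entry must precede 'auth required
       ;; pam_unix.so', otherwise pam_unix prompts for the password first
       ;; and the later "sufficient" fingerprint result cannot rescue a
       ;; failed required module.
       (auth (cons fprintd-pam-entry (pam-service-auth pam))))
      pam))

(define fprintd-pam-service
  (simple-service 'fprintd-pam pam-root-service-type
                  (list (pam-extension
                         (transformer add-fprintd-auth)))))

;; Add FPRINTD-PAM-SERVICE next to fprintd-service-type in the services
;; field of the operating-system declaration in system.scm.
```

After reconfiguring, the generated /etc/pam.d/sudo should list the pam_fprintd.so line above pam_unix.so; a failed or absent fingerprint still falls through to the password prompt.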
