Problems logging in with password when fprint is enabled

Hi, I recently added authentication via fingerprint to my config, and now I find that every time I need to authenticate I am expected to do so by using my fingerprint. That’s mostly fine to me, but when I want to login/unlock via ly/swaylock respectively it gives me the password prompt, but if I enter my password it either takes about 30 seconds to evaluate it or I just skip it using the fingerprint reader.
For sudo prompts this is more or less the same, as it first asks me for my fingerprint and only if it did not succeed after about 30 seconds or so do I get a password prompt.
I did a bit of research and found this is probably due to a wrong order in the pam configs generated by NixOS.
Is there a way to change the order of authentication by declaring it in the configuration.nix file, or to change the timeout to something like 10 sec or 3 tries?
Best case would be if I could do it on a per-program basis, for example:
ly: only password (at first login)
swaylock: 1. password 2. fingerprint
sudo: 1. fingerprint (3 tries or 10 sec) 2. password

Thanks for your help

Hi, I don’t really know a lot about PAM configuration, but might be able to help. There are experimental, undocumented options for ordering the PAM statements. Be aware that the experimental status means that you might lock yourself out of your system, or the options just change without regard for existing users. For the ordering each of the rules is an attribute set that has an order attribute, which is a number. So for swaylock you can set

security.pam.services.swaylock.rules.auth.fprintd.order = config.security.pam.services.swaylock.rules.auth.unix.order + 50;

Pay attention that you are not hardcoding numbers, as the order attribute of e.g. the unix rule might change, and if you hardcoded the order attribute for fprintd the order might change on a nixpkgs update and break your config.

For sudo you’ll likely need to set

….rules.auth.fprintd.settings.timeout = 10;

but I have not tested this at all.

For ly, ….rules.auth.fprintd.enable = false; might be sufficient.

I hope this helps a little. Be very careful changing your PAM policies, especially when interacting with an unstable interface (as I am suggesting)!

1 Like
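The three per-service settings described in the reply above, combined into one configuration.nix fragment as an added example (this is not code from either poster). It assumes the PAM service names `swaylock`, `sudo` and `ly` exist under `security.pam.services` on this system, and that pam_fprintd accepts a `max-tries` argument alongside `timeout` (the thread only mentions `timeout`).

```nix
{ config, lib, ... }:

{
  services.fprintd.enable = true;

  security.pam.services = {
    # swaylock: password first, fingerprint only as a fallback.
    # The order is derived from the unix rule's own order rather than
    # hardcoded, so a nixpkgs update that renumbers the rules keeps
    # fprintd after unix.
    swaylock.rules.auth.fprintd.order =
      config.security.pam.services.swaylock.rules.auth.unix.order + 50;

    # sudo: fingerprint first (generated default), but give up quickly
    # so the password prompt appears after 10 seconds or 3 failed scans.
    # `settings` is rendered as module arguments, i.e. "timeout=10 max-tries=3".
    # max-tries is an assumption about pam_fprintd, not taken from the thread.
    sudo.rules.auth.fprintd.settings = {
      timeout = 10;
      max-tries = 3;
    };

    # ly (first login): password only, no fingerprint rule at all.
    # Assumes the display manager's PAM service is named "ly".
    ly.rules.auth.fprintd.enable = false;
  };
}
```

After a rebuild, check the generated policy with `cat /etc/pam.d/swaylock` and confirm that the pam_fprintd.so line comes after pam_unix.so before relying on it for a lock screen.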