How to disable fingerprint login?

Hello,

Recently I’ve found out that currently it’s not possible to unlock gnome-keyring automatically with fingerprint login.

I use greetd & tuigreet to login in Plasma 6.
So, I’d like to know how to disable fingerprint login (for greetd), but I’d like to keep the functionality for sudo, polkit, the screen locker, etc.

Thank you.

I’m not familiar with greetd, but if it uses PAM like most services do, it is probably as simple as removing (or commenting out) the line(s) containing pam_fprintd.so in the corresponding file under /etc/pam.d.

Hello,

The thing is that on my /etc/pam.d/greetd there’s no mention to pam_fprintd.so
Though I can still login with my fingerprint…

That’s why I mentioned authselect may have something to do.

EDIT: my bad, didn’t mention. For some reason all this seems to be handled by the tool authselect.

I see. In that case, I’m guessing the greetd file contains something like auth include system-auth and the system-auth file has the pam_fprintd.so line? If that is the case, then you could probably work around the problem by making a copy of system-auth (e.g. cp system-auth my-system-auth) and then changing the auth line in your greetd file to auth include my-system-auth.

Be sure to have a root session open somewhere while you are editing and testing because you could lock yourself out if you misconfigure these files. (Also, it is a good idea to make sure they don’t work when they are not supposed to.)

Edit: authselect probably just does an all-or-nothing configuration. Since you want something more complex (works with sudo, but not with greetd) you will probably have to edit the PAM conf files manually to achieve that.

So, you’re telling me to do a backup of system-auth and then edit the greetd file right? Just to be sure and not to mess it up.

EDIT: Oh yeah now I understood it.

Don’t edit system-auth manually. Make a copy of system-auth, edit the copy, and then edit greetd to reference the copy. (But making backup copies of the files you are going to edit is certainly a good idea.)

I don’t seem to have an auth include system-auth line in the greetd file.

Attaching:

auth	   substack    system-auth
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so
-auth       optional    pam_kwallet.so
auth	   include     postlogin

account    required    pam_sepermit.so
account    required    pam_nologin.so
account    include     system-auth

password   include     system-auth

session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    include     system-auth
-session    optional    pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet5.so auto_start
-session    optional    pam_kwallet.so auto_start
session    include     postlogin

The auth substack system-auth line is roughly equivalent. The difference is that “jump” lines in a substack cannot skip over lines in the calling stack (whereas that is possible with “included” stacks). There are some other differences about how the state of the stack can be manipulated, but none of that is important for what you are trying to do. Just change the auth substack system-auth line in your copy to auth substack my-system-auth (or whatever you choose to call it).

Edit: For consistency, I would also change the other lines that reference system-auth to my-system-auth, but you don’t have to.

Shouldn’t I change also the password include system-auth line and the session include system-auth line too to my-system-auth?

1 Like

Seems to be working. Many thanks!

1 Like

Beware that when you update your system, you may occasionally get a new file under /etc/pam.d named greetd.rpmnew. The package manager will know that you have customized the greetd file and it will create that greetd.rpmnew file instead of overwriting your changes. You will need to compare the updated file with your customized file to make sure there are no changes besides the one you’ve intentionally made (referencing my-system-auth). If there are other changes, you should merge those changes into your custom greetd file. Unfortunately, you’ll have to merge the changes manually. There are tools to help with managing those kind of merges (rpmconf and vimdiff), but they are somewhat complicated to learn to use.

1 Like