Is there a better way to unlock linux?

Kinda tired of always have to type the password, wondering if exists a well integrated way to make linux unlocked while Bluetooth connected to phone (already using kde connect) or some cheap reliable fingerprint device or any other thing else that you guys recommend

Maybe this is what you are looking for?:

1 Like

The issue is that fido2 keys mostly need no user credentials or fingerprint.

A fido2 key with fingerprint would be needed. Otherwise, traditional USB fingerprint readers may be a quite big attack vector. If it stores a key, that could be extracted. If it doesnt, a device could pretend to be it and unlock the device.

do you know a way with the phone ?
Most phone already have some type of biometric, idk why there isnt a solution with bluethoot (to confirm phone ir near) and biometrics to confirm thats you , and the standard password as backup

I don’t know of any existing system that would do that. However, I have seen people write their own scripts to do stuff like that. For example:

# cat /etc/udev/rules.d/90-yubikey.rules 
SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device",  ENV{PRODUCT}=="1050/407*", RUN+="/usr/local/bin/yubilock lock"
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", ENV{PRODUCT}=="1050/407*", RUN+="/usr/local/bin/yubilock unlock jsmith"
# cat /usr/local/bin/yubilock 
#!/usr/bin/bash

if [[ $1 == lock ]]; then
	/usr/bin/loginctl lock-sessions
else
	if pamtester yubikey $2 authenticate &> /dev/null; then
		/usr/bin/loginctl unlock-sessions
	fi
fi

exit 0
# cat /etc/pam.d/yubikey 
auth     sufficient pam_yubico.so mode=challenge-response
auth     required   pam_deny.so
account  required   pam_permit.so
password required   pam_deny.so
session  required   pam_deny.so

Some window managers will let you further tune exactly what will happen when systemd (loginctl) triggers lock and unlock events. For example, if you were using Sway, you might have something like the following:

$ cat ~/.config/swayidle/config
lock '/usr/bin/swaylock -f -t -i /var/lib/lxdm/clouds.png; /usr/bin/swaymsg "output * dpms off"'
unlock '/usr/bin/killall --signal SIGUSR1 --wait swaylock; /usr/bin/swaymsg "output * dpms on"'

If your phone can trigger a udev event like that, then you might be able to script something similar.

1 Like

thanks !