Fingerprint reader vs. encrypted home
Modern Linux distributions allow you to encrypt your home directory. When you log in, your password is used to decrypt the home directory. This works great unless you are using one of the many other options that PAM offers for authentication. PAM (Pluggable Authentication Modules) is an extensible authentication system, currently standard on most modern Unix systems including Linux.
On my ThinkPad notebooks I am used to the comfort of the fingerprint reader instead of having to type and remember passwords. As far as I know, support for decrypting the home directory using your fingerprint has not been developed yet. Thus my preferred solution is:
- For the initial login, use a password and decrypt home. This happens very seldom anyway.
- For everything else (sudo, screensaver, etc.), use the fingerprint reader.
- Whenever the fingerprint is not available (ssh, injured finger, etc.), fall back to the password.
Luckily, this is easy to achieve with PAM. The solution below has been tested on Ubuntu, but it should work with slight adaptations on most Linux distributions.
If you have configured an alternative authentication method like a fingerprint reader (or if your distribution or a setup script has done this for you), you will probably have edited /etc/pam.d/common-auth. Now copy this file, e.g. to /etc/pam.d/common-auth-pass-only, and in the new file remove the lines that you added during configuration. I am using fprint, so I had to remove the following line:
auth [success=3 default=ignore] pam_fprintd.so
Now configure your login manager to use the password-only configuration by replacing @include common-auth with @include common-auth-pass-only. Your login manager is probably configured in one of these files:
- /etc/pam.d/lightdm
- /etc/pam.d/gdm
- /etc/pam.d/kdm
You might want to do the same for /etc/pam.d/sshd or others as well.
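The steps above as a script, added here as an example and not part of the original post. It assumes fprintd and Ubuntu-style PAM files; the function names and the sample directory (apart from the pam_fprintd line) are constructed for illustration, and uses_fprintd checks which services can still reach the fingerprint module.

```sh
# Added example (not from the post). Constructed sample dir; only the pam_fprintd line is the post's.
build_sample() {
    d=$(mktemp -d)
    printf '%s\n' \
        'auth [success=3 default=ignore] pam_fprintd.so' \
        'auth [success=2 default=ignore] pam_unix.so nullok try_first_pass' \
        'auth [success=1 default=ignore] pam_sss.so use_first_pass' \
        'auth requisite pam_deny.so' \
        'auth required pam_permit.so' > "$d/common-auth"
    for s in lightdm sudo; do
        printf '%s\n' '@include common-auth' '@include common-account' > "$d/$s"
    done
    echo "$d"
}

# make_pass_only PAM_DIR SERVICE...
make_pass_only() {
    pam_dir=$1; shift
    [ -f "$pam_dir/common-auth" ] || { echo "no common-auth in $pam_dir" >&2; return 1; }
    # Password-only copy: common-auth minus the fingerprint module line.
    sed '/pam_fprintd\.so/d' "$pam_dir/common-auth" > "$pam_dir/common-auth-pass-only"
    for svc in "$@"; do
        f="$pam_dir/$svc"
        [ -f "$f" ] || continue                  # login manager not installed
        [ -e "$f.bak" ] || cp -p "$f" "$f.bak"   # one-time backup
        tmp=$(mktemp)
        # Rewrite only an exact "@include common-auth" line, so reruns are harmless.
        sed -E 's/^(@include[[:space:]]+common-auth)[[:space:]]*$/\1-pass-only/' "$f" > "$tmp"
        cat "$tmp" > "$f"                        # keeps owner and mode of the original
        rm -f "$tmp"
    done
}

# uses_fprintd PAM_DIR SERVICE: true if the service file, or a file it
# @includes directly (one level only), has an active pam_fprintd line.
uses_fprintd() {
    { cat "$1/$2"
      sed -n -E 's/^@include[[:space:]]+([^[:space:]]+).*/\1/p' "$1/$2" |
          while read -r inc; do [ ! -f "$1/$inc" ] || cat "$1/$inc"; done
    } | grep -v '^[[:space:]]*#' | grep -q 'pam_fprintd\.so'
}

# Demo on the constructed directory (pass /etc/pam.d as root to apply for real).
demo_dir=$(build_sample)
make_pass_only "$demo_dir" lightdm gdm kdm
for name in lightdm sudo; do
    if uses_fprintd "$demo_dir" "$name"; then echo "$name: fingerprint or password"; else echo "$name: password only"; fi
done
rm -rf "$demo_dir"
```

Keep a root shell open while changing files under /etc/pam.d, so a mistake in the stack can be reverted from the .bak copies.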
If you know about a way to support the fingerprint reader during initial login in combination with an encrypted home I’d be happy to hear about it in the comments.