#PAM fprintd 2FA


drowsy cloak

I want to set up password + fingerprint two factor authentication for all my users on secureblue. Essentially something like this:

auth required pam_unix.so
auth required pam_fprintd.so

How should I go about it? I suppose I would have to edit the /etc/pam.d/ files with authselect, since I'm not supposed to edit them manually?

drowsy cloak

If I understood this and the man page correctly, I need to run something like this:

# authselect select <current_profile> <current_features> with-fingerprint

(I think)

drowsy cloak

Alright so apparently authselect enable-feature with-fingerprint sets fprintd as sufficient only


It's not 2FA


I had to manually edit the system-auth file to enable it

# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_faillock.so preauth silent
auth        required                                   pam_unix.so nullok
auth        sufficient                                   pam_fprintd.so
auth        required                                     pam_faillock.so authfail
auth        required                                     pam_deny.so

account     required                                     pam_faillock.so
account     required                                     pam_unix.so

password    requisite                                    pam_pwquality.so
password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so

Any user changes will be overwritten.


Well shit


When?

drowsy cloak
#

Okay so I made a custom authselect profile
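
Added example, not part of the thread and not authselect's own code: a simplified Python model of how Linux-PAM walks an auth stack with the classic control flags, used to list which password/fingerprint combinations a stack accepts. `POSTED_STACK` is the auth section posted above; `EITHER_STACK` is constructed here to represent a "sufficient only" arrangement, and treating every other module as succeeding is an assumption of the model.

```python
# Simplified model of Linux-PAM's classic control flags for "auth" lines.
# Bracketed controls such as [success=1 default=ignore] are not modelled.

# The auth section of the system-auth file posted in the thread.
POSTED_STACK = """\
auth required   pam_env.so
auth required   pam_faildelay.so delay=2000000
auth required   pam_faillock.so preauth silent
auth required   pam_unix.so nullok
auth sufficient pam_fprintd.so
auth required   pam_faillock.so authfail
auth required   pam_deny.so
"""

# Constructed for comparison (not a real authselect file): either factor alone.
EITHER_STACK = """\
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so
auth required   pam_deny.so
"""

def parse_auth(text):
    """Return (control, module) pairs for every auth line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lstrip("-") == "auth":
            rules.append((parts[1], parts[2]))
    return rules

def authenticate(rules, password_ok, finger_ok):
    outcome = {"pam_unix.so": password_ok, "pam_fprintd.so": finger_ok,
               "pam_deny.so": False}
    required_failed = False
    any_success = False
    for control, module in rules:
        ok = outcome.get(module, True)  # assumption: other modules succeed
        if control == "requisite" and not ok:
            return False                # requisite failure ends the stack
        if control == "sufficient":
            if ok and not required_failed:
                return True             # success ends the stack early
            continue                    # a sufficient failure is ignored
        if control in ("required", "requisite"):
            required_failed = required_failed or not ok
            any_success = any_success or ok
    return any_success and not required_failed

def accepted_combinations(text):
    """Set of (password_ok, finger_ok) pairs for which the stack grants access."""
    rules = parse_auth(text)
    return {(p, f) for p in (True, False) for f in (True, False)
            if authenticate(rules, p, f)}
```

Under this model `accepted_combinations(POSTED_STACK)` contains only the pair where both factors succeed, because a failed fingerprint falls through to `pam_deny.so`, while `EITHER_STACK` accepts either factor alone.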