From f1bbf399bc4c393a79af4bbbfb61bb29ae7c66ef Mon Sep 17 00:00:00 2001 From: ducoterra Date: Thu, 3 Feb 2022 12:33:23 -0500 Subject: [PATCH] Add sudo auth section Add section explaining that ansible and fingerprint auth do not mix. Explain how to disable it for sudo. --- framework.md | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/framework.md b/framework.md index 90e73ca..4549b7d 100644 --- a/framework.md +++ b/framework.md @@ -2,6 +2,29 @@ ## Fingerprint Sensor +### Sudo Auth + +Running ansible playbooks becomes impossible with the default fingerprint +configuration. Unfortunately, it's best to disable fingerprint auth for sudo +tasks. The way to do this is by editing /etc/pam.d/sudo and commenting out +pam_fprintd.so + +```conf +auth required pam_env.so +#auth sufficient pam_fprintd.so +auth sufficient pam_unix.so try_first_pass likeauth nullok +auth required pam_deny.so +auth include system-auth +account include system-auth +session include system-auth +``` + +Note: setting timeout=10 and max-retries=1 per the [pam_fprintd man +page](https://www.mankier.com/8/pam_fprintd) does not seem to work. For some +reason, ansible never hits the password authentication method and times out. + +### Errors + "Device disconnected" on enrolling If you've enrolled fingerprints in another OS or in a previous installation you @@ -25,5 +48,3 @@ sudo python framework/libfprint_delete_device_prints.py -d ``` That's it! Should work again. - -## Secure Boot
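Review bot: In the new "Sudo Auth" section, the conf block reproduces a whole /etc/pam.d/sudo instead of only the line being changed, and the text does not say which distribution the file comes from or which lines are stock. A reader who pastes the block replaces their own auth stack, including `auth sufficient pam_unix.so try_first_pass likeauth nullok`, where `nullok` lets pam_unix accept an account with an empty password. Suggest naming the distribution and showing only the `#auth sufficient pam_fprintd.so` change, with an instruction to leave the other lines as found. Two smaller points in the same hunk: `auth include system-auth` is still evaluated after `pam_deny.so` when the password check fails, so if system-auth itself references pam_fprintd the fingerprint prompt can still appear on that path, which is worth a sentence; and the Note would be easier to reproduce if it showed the exact `pam_fprintd.so` line that was tried with `timeout=10` and `max-retries=1`.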
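Review bot: The final hunk deletes the trailing `## Secure Boot` heading, which the commit message ("Add sudo auth section") does not mention. If the heading is being dropped because the section is empty, say so in the commit message or move the removal to its own commit, so the deletion is not mistaken for an accidental edit when the history is read later.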