Add sudo auth section

Add section explaining that ansible and fingerprint auth do not mix.
Explain how to disable it for sudo.

framework.md

@@ -2,6 +2,29 @@
 
 ## Fingerprint Sensor
 
+### Sudo Auth
+
+Running ansible playbooks becomes impossible with the default fingerprint
+configuration. Unfortunately, it's best to disable fingerprint auth for sudo
+tasks. The way to do this is by editing /etc/pam.d/sudo and commenting out
+pam_fprintd.so
+
+```conf
+auth required pam_env.so
+#auth sufficient pam_fprintd.so
+auth sufficient pam_unix.so try_first_pass likeauth nullok
+auth required pam_deny.so
+auth		include		system-auth
+account		include		system-auth
+session		include		system-auth
+```
+
+Note: setting timeout=10 and max-retries=1 per the [pam_fprintd man
+page](https://www.mankier.com/8/pam_fprintd) does not seem to work. For some
+reason, ansible never hits the password authentication method and times out.
+
+### Errors
+
 "Device disconnected" on enrolling
 
 If you've enrolled fingerprints in another OS or in a previous installation you
@@ -25,5 +48,3 @@ sudo python framework/libfprint_delete_device_prints.py -d
 ```
 
 That's it! Should work again.
-
-## Secure Boot