Workstation/framework.md
ducoterra f1bbf399bc Add sudo auth section
Add section explaining that ansible and fingerprint auth do not mix.
Explain how to disable it for sudo.
2022-02-03 12:33:23 -05:00


Framework Laptop

Fingerprint Sensor

Sudo Auth

Running Ansible playbooks becomes impossible with the default fingerprint configuration. Unfortunately, it's best to disable fingerprint auth for sudo tasks. To do this, edit /etc/pam.d/sudo and comment out the pam_fprintd.so line:

auth required pam_env.so
#auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
auth		include		system-auth
account		include		system-auth
session		include		system-auth

Note: setting timeout=10 and max-retries=1 per the pam_fprintd man page does not seem to work. For some reason, ansible never hits the password authentication method and times out.
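
One way to script the edit described above, as an added example that is not part of the original notes. The function names are hypothetical; the script comments out any active pam_fprintd.so line, keeps a backup, and refuses to write a file whose auth stack would no longer reach a password prompt.

```shell
#!/usr/bin/env bash
# Added example: comment out pam_fprintd.so in a PAM service file.
# has_active_fprintd, has_password_auth and disable_fprintd are hypothetical names.

# True if FILE has an uncommented line that loads pam_fprintd.so.
has_active_fprintd() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_fprintd\.so' "$1"
}

# True if the auth stack can still reach a password prompt: either a direct
# pam_unix.so auth line or an include/substack of another service file.
has_password_auth() {
    grep -Eq '^[[:space:]]*-?auth[[:space:]]+(.*pam_unix\.so|(include|substack)[[:space:]])' "$1"
}

# disable_fprintd FILE: idempotent, keeps FILE.bak, and leaves FILE untouched
# if the edited stack would have no password path left.
disable_fprintd() {
    local file=$1 tmp rc
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    has_active_fprintd "$file" || return 0        # already disabled
    tmp=$(mktemp) || return 1
    # Prefix every active pam_fprintd.so line with '#', keeping indentation.
    sed -E 's/^([[:space:]]*)([^#[:space:]].*pam_fprintd\.so.*)$/\1#\2/' \
        "$file" > "$tmp"
    if ! has_password_auth "$tmp"; then
        echo "refusing: no password auth would remain in $file" >&2
        rm -f "$tmp"
        return 1
    fi
    # Write in place so owner, mode and security context are preserved.
    if cp -p "$file" "$file.bak" && cat "$tmp" > "$file"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage, as root, with a second root shell open in case sudo breaks:
#   disable_fprintd /etc/pam.d/sudo
```

After running it, `sudo -k; sudo true` in a new terminal should prompt for a password instead of a fingerprint.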

Errors

"Device disconnected" on enrolling

If you've enrolled fingerprints in another OS or in a previous installation you might encounter this error. It prevents you from enrolling new fingerprints and re-enrolling old fingerprints. Fortunately, there's an easy solution thanks to this incredible forum post.

The problem lies in old fingerprints remaining on the reader without the host OS knowing about them. When the host OS tries to enroll a new fingerprint that already exists, the fingerprint reader chokes. The solution is to delete the old fingerprints from the reader before enrolling new ones. This should be included as part of the device bootstrap process or as part of the device's wipe process.

Here's the process:

# Delete all fingerprints from device
sudo python framework/libfprint_delete_device_prints.py -d

That's it! Should work again.