fix reeselink addresses

infrastructure/graduated/arch/README.md

@@ -257,11 +257,17 @@ after we finish the install.
 Don't set a password for single-user systems. We're using full-disk encryption.
 This will let you login with just a fingerprint.
 
+1. Install `seahorse` if you haven't already
+2. Open the `Passwords and Keys` apps
+3. Create a new Password keyring called "Login"
+4. Do not enter a password
+5. Set it as default
+
 ### Base Tools
 
 ```bash
 # gvfs and gvfs-dnssd are for webdav support
-pacman -S rsync which git iperf3 pwgen dosfstools exfatprogs gvfs gvfs-dnssd wget man-db
+pacman -S rsync which git iperf3 pwgen dosfstools exfatprogs gvfs gvfs-dnssd wget man-db net-tools
 ```
 
 ### ZSH
@@ -661,11 +667,39 @@ You can create chroot environments to run firejails or just use for testing purp
 4. Install <https://aur.archlinux.org/pam-fprint-grosshack.git> to use fingerprint with gnome
 
 In order to use fingerprint auth with gnome for privileged system stuff with gdm,
-edit `/etc/pam.d/system-auth` and add the following to the top of the file:
+edit `/etc/pam.d/system-auth` to include `auth sufficient pam_fprintd_grosshack.so`.
 
 ```conf
-auth        sufficient      pam_fprintd_grosshack.so
-auth        sufficient      pam_unix.so try_first_pass nullok
+#%PAM-1.0
+
+auth       required                    pam_shells.so # User must have shell in /etc/shells
+auth       requisite                   pam_nologin.so # Prevents users from loging in if /etc/nologin exists
+auth       required                    pam_faillock.so      preauth # Timeout after certain number of fails
+# Optionally use requisite above if you do not want to prompt for the password
+# on locked accounts.
+auth       sufficient                  pam_fprintd_grosshack.so
+-auth      [success=2 default=ignore]  pam_systemd_home.so
+auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+
+-account   [success=1 default=ignore]  pam_systemd_home.so
+account    required                    pam_unix.so
+account    optional                    pam_permit.so
+account    required                    pam_time.so
+
+-password  [success=1 default=ignore]  pam_systemd_home.so
+password   required                    pam_unix.so          try_first_pass nullok shadow
+password   optional                    pam_permit.so
+
+-session   optional                    pam_systemd_home.so
+session    required                    pam_limits.so
+session    required                    pam_unix.so
+session    optional                    pam_permit.so
 ```
 
 ##### Turn Off Fingerprint When Laptop Lid Closed