Disabling laptop fingerprint reader when clamshell on Linux
This post will briefly outline my fix for Fprint trying to use the built-in fingerprint reader when the laptop lid is closed.
Fprint + laptop fingerprint reader + clamshell on Linux’s problem
I have multiple Linux laptops with built-in fingerprint readers that I use with Fprint to log in via my fingerprint on Linux. Clamshell mode (having the laptop closed but still usable with an external display, keyboard, and trackpad) with Fprint presents a very annoying default behavior: if you use Fprint for sudo (i.e. in a terminal), it will prompt you for a fingerprint when the laptop is closed and will not time out for about 20 seconds. This is very annoying! Additionally, I use 1Password’s system authentication option to be able to use my fingerprint to log in to 1Password and it suffers from the same issue.
Brief NixOS plug:
At the time of writing, I have a pull request opened in nixpkgs to fix this: nixos/pam: option to disable fprint if laptop lid is closed
This is what the implementation looks like for my X13: nixos/hosts/x13/configuration.nix
I won’t cover in this post how to consume my branch in NixOS.
Script to detect laptop lid state: lid.sh
One could use something like this script to detect the state of the laptop lid:
#!/usr/bin/env bash
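# ACPI lid state file; the device directory ("LID" here) can differ between machines
lid_state="/proc/acpi/button/lid/LID/state"
# Exit with failure if the lid is closed, else exit successfully
grep -q closed "${lid_state}" && exit 1; true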
PAM configuration
Assuming lid.sh was placed at /opt/scripts/lid.sh, your PAM configuration /etc/pam.d/sudo might look like:
auth [success=ignore default=1] /usr/lib/aarch64-linux-gnu/security/pam_exec.so quiet /opt/scripts/lid.sh # fprintd-lid (order 11400)
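Add this line to each PAM configuration where you want this behavior, directly above the pam_fprintd.so line: default=1 skips exactly one module (fprintd) when the script fails because the lid is closed, while success=ignore lets the stack continue to fprintd when the lid is open.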
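A more defensive variant of the lid check, as an added example that is not the author's script. It goes beyond the post by globbing the ACPI lid directory (its name varies between machines) and by adding a check that the file pam_exec runs during authentication is root-owned and not group- or other-writable; the function names and the `audit` argument are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not the post's lid.sh. Function names and the "audit"
# argument are assumptions of this example.

# lid_is_open [base_dir]: status 0 unless a lid state file reports "closed".
lid_is_open() {
    local base="${1:-/proc/acpi/button/lid}" state
    # The ACPI device directory is not always "LID" (e.g. LID0), so glob it.
    for state in "$base"/*/state; do
        [ -r "$state" ] || continue   # unmatched glob, or no lid device at all
        if grep -q closed "$state"; then
            return 1                  # lid closed: PAM should skip fprintd
        fi
    done
    return 0                          # open, or no lid: leave fprintd enabled
}

# pam_script_is_safe <path> [owner_uid]: the file must be a regular file owned
# by owner_uid (root, uid 0, by default) and not group- or other-writable.
pam_script_is_safe() {
    local path="$1" want_uid="${2:-0}" mode uid
    [ -f "$path" ] || return 1
    # ls -ldn prints: mode, link count, numeric uid, ... (split on whitespace)
    set -- $(ls -ldn -- "$path")
    mode="$1" uid="$3"
    [ "$uid" = "$want_uid" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# pam_exec exports PAM_TYPE to the command it runs; act as the hook only then.
if [ -n "${PAM_TYPE:-}" ]; then lid_is_open; exit $?; fi
if [ "${1:-}" = "audit" ]; then pam_script_is_safe "${2:-$0}"; exit $?; fi
```

After installing, `/opt/scripts/lid.sh audit /opt/scripts/lid.sh` checks the file's ownership and mode, and `PAM_TYPE=auth /opt/scripts/lid.sh; echo $?` exercises the hook path by hand.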
For context/reference, here’s the realized configuration of /etc/pam.d/sudo on my NixOS machine – ignore the Nix store paths if you’re unfamiliar with NixOS:
# Account management.
account required /nix/store/g928dngdfy30jyi1cs2m2a5wfimxgnkr-linux-pam-1.6.1/lib/security/pam_unix.so # unix (order 10900)
# Authentication management.
auth [success=ignore default=1] /nix/store/g928dngdfy30jyi1cs2m2a5wfimxgnkr-linux-pam-1.6.1/lib/security/pam_exec.so quiet /opt/scripts/lid.sh # fprintd-lid (order 11400)
auth sufficient /nix/store/7kjh2p1pzbibr9cj08kbczr4vzh3dyxv-fprintd-tod-1.90.9/lib/security/pam_fprintd.so # fprintd (order 11500)
auth sufficient /nix/store/g928dngdfy30jyi1cs2m2a5wfimxgnkr-linux-pam-1.6.1/lib/security/pam_unix.so likeauth try_first_pass # unix (order 11700)
auth required /nix/store/g928dngdfy30jyi1cs2m2a5wfimxgnkr-linux-pam-1.6.1/lib/security/pam_deny.so # deny (order 12500)
# Password management.
password sufficient /nix/store/g928dngdfy30jyi1cs2m2a5wfimxgnkr-linux-pam-1.6.1/lib/security/pam_unix.so nullok yescrypt # unix (order 10200)
# Session management.
session required /nix/store/g928dngdfy30jyi1cs2m2a5wfimxgnkr-linux-pam-1.6.1/lib/security/pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
session required /nix/store/g928dngdfy30jyi1cs2m2a5wfimxgnkr-linux-pam-1.6.1/lib/security/pam_unix.so # unix (order 10200)
session required /nix/store/g928dngdfy30jyi1cs2m2a5wfimxgnkr-linux-pam-1.6.1/lib/security/pam_limits.so conf=/nix/store/wn252azs7hgq9q1m6k4jlwclclswgwrh-limits.conf # limits (order 12200)
Conclusion
Using my lid.sh script in PAM to detect if your laptop lid is open should bypass your built-in fingerprint reader when your laptop lid is closed but will allow it when your lid is open.