Fix fido2 and fprint auth flow (#635)

* Restructure fido2 / fprint to add to sudo and polkit * Add migration * Fix migration
2026-02-17 15:25:37 +00:00 · 2025-08-24 13:41:11 +02:00
parent c4b32c047a
commit bb43d719e6
3 changed files with 235 additions and 52 deletions
--- a/bin/omarchy-setup-fingerprint
+++ b/bin/omarchy-setup-fingerprint
@@ -1,45 +1,113 @@
 #!/bin/bash

-if [[ "--remove" == "$1" ]]; then
-  echo -e "\e[32mLet's remove your fingerprint scanner from authentication.\n\e[0m"
-  yay -Rns --noconfirm fprintd
-  sudo rm -rf /etc/pam.d/polkit-1
-  sudo sed -i '/pam_fprintd\.so/d' /etc/pam.d/sudo
-  echo -e "\e[32mYou've successfully removed the fingerprint setup.\e[0m"
-else
-  echo -e "\e[32mLet's setup your fingerprint scanner for authentication.\n\e[0m"
-  yay -S --noconfirm --needed fprintd usbutils
+set -e

-  if ! lsusb | grep -Eiq 'fingerprint|synaptics|goodix|elan'; then
-    echo -e "\e[31m\nNo fingerprint sensor detected.\e[0m"
-  else
-    # Add fingerprint authentication as an option for sudo
-    if ! grep -q pam_fprintd.so /etc/pam.d/sudo; then
-      sudo sed -i '1i auth    sufficient pam_fprintd.so' /etc/pam.d/sudo
-    fi
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color

-    # Add fingerprint authentication as an option for hyprpolkitagent
-    if [ ! -f /etc/pam.d/polkit-1 ] || ! grep -q pam_fprintd.so /etc/pam.d/polkit-1; then
-      sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF'
+print_success() {
+  echo -e "${GREEN}$1${NC}"
+}
+
+print_error() {
+  echo -e "${RED}$1${NC}"
+}
+
+print_info() {
+  echo -e "${YELLOW}$1${NC}"
+}
+
+check_fingerprint_hardware() {
+  if ! lsusb | grep -Eiq 'fingerprint|synaptics|goodix|elan|validity'; then
+    print_error "\nNo fingerprint sensor detected."
+    return 1
+  fi
+  return 0
+}
+
+setup_pam_config() {
+  # Configure sudo
+  if ! grep -q pam_fprintd.so /etc/pam.d/sudo; then
+    print_info "Configuring sudo for fingerprint authentication..."
+    sudo sed -i '1i auth    sufficient pam_fprintd.so' /etc/pam.d/sudo
+  fi
+
+  # Configure polkit
+  if [ -f /etc/pam.d/polkit-1 ] && ! grep -q 'pam_fprintd.so' /etc/pam.d/polkit-1; then
+    print_info "Configuring polkit for fingerprint authentication..."
+    sudo sed -i '1i auth      sufficient pam_fprintd.so' /etc/pam.d/polkit-1
+  elif [ ! -f /etc/pam.d/polkit-1 ]; then
+    print_info "Creating polkit configuration with fingerprint authentication..."
+    sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF'
+auth      sufficient pam_fprintd.so
 auth      required pam_unix.so
-auth      optional pam_fprintd.so

 account   required pam_unix.so
 password  required pam_unix.so
 session   required pam_unix.so
 EOF
-    fi
+  fi
+}

-    # Enroll the first finger
-    echo -e "\e[32m\nLet's setup your right index finger as the first fingerprint.\nKeep moving the finger around on sensor until the process completes.\n\e[0m"
-    sudo fprintd-enroll $USER
+remove_pam_config() {
+  # Remove from sudo
+  if grep -q pam_fprintd.so /etc/pam.d/sudo; then
+    print_info "Removing fingerprint authentication from sudo..."
+    sudo sed -i '/pam_fprintd\.so/d' /etc/pam.d/sudo
+  fi

-    echo -e "\e[32m\nNow let's verify that it's working correctly.\e[0m\n"
+  # Remove from polkit
+  if [ -f /etc/pam.d/polkit-1 ] && grep -Fq 'pam_fprintd.so' /etc/pam.d/polkit-1; then
+    print_info "Removing fingerprint authentication from polkit..."
+    sudo sed -i '/pam_fprintd\.so/d' /etc/pam.d/polkit-1
+  fi
+}

+if [[ "--remove" == "$1" ]]; then
+  print_success "Removing fingerprint scanner from authentication.\n"
+
+  # Remove PAM configuration
+  remove_pam_config
+
+  # Uninstall packages
+  print_info "Removing fingerprint packages..."
+  yay -Rns --noconfirm fprintd
+
+  print_success "Fingerprint authentication has been completely removed."
+else
+  print_success "Setting up fingerprint scanner for authentication.\n"
+
+  # Install required packages
+  print_info "Installing required packages..."
+  yay -S --noconfirm --needed fprintd usbutils
+
+  if ! check_fingerprint_hardware; then
+    exit 1
+  fi
+
+  # Configure PAM
+  setup_pam_config
+
+  # Enroll first fingerprint
+  print_success "\nLet's setup your right index finger as the first fingerprint."
+  print_info "Keep moving the finger around on sensor until the process completes.\n"
+
+  if sudo fprintd-enroll "$USER"; then
+    print_success "\nFingerprint enrolled successfully!"
+
+    # Verify
+    print_info "\nNow let's verify that it's working correctly.\n"
    if fprintd-verify; then
-      echo -e "\e[32m\nPerfect! Now you can use your fingerprint on the lock screen (Super + Escape).\e[0m"
+      print_success "\nPerfect! Fingerprint authentication is now configured."
+      print_info "You can use your fingerprint for sudo, polkit, and lock screen (Super + Escape)."
    else
-      echo -e "\e[31m\nSomething went wrong. Maybe try again?\e[0m"
+      print_error "\nVerification failed. You may want to try enrolling again."
    fi
+  else
+    print_error "\nEnrollment failed. Please try again."
+    exit 1
  fi
 fi
+