Fix fido2 and fprint auth flow (#635)

* Restructure fido2 / fprint to add to sudo and polkit * Add migration * Fix migration
2026-02-17 15:25:37 +00:00 · 2025-08-24 13:41:11 +02:00
parent c4b32c047a
commit bb43d719e6
3 changed files with 235 additions and 52 deletions
--- a/migrations/1754860578.sh
+++ b/migrations/1754860578.sh
@@ -0,0 +1,26 @@
+echo "Update polkit policy to yield to fingerprint and fido2"
+# If fprint exists in polkit, it was wrong and needs reset
+if [ -f /etc/pam.d/polkit-1 ] && grep -Fq 'pam_fprintd.so' /etc/pam.d/polkit-1; then
+  sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF'
+auth      sufficient pam_fprintd.so
+auth      required pam_unix.so
+
+account   required pam_unix.so
+password  required pam_unix.so
+session   required pam_unix.so
+EOF
+fi
+
+# If fido2 is in sudo, it won't be in polkit either way
+if grep -q pam_u2f.so /etc/pam.d/sudo && [ -f /etc/pam.d/polkit-1 ] && ! grep -q 'pam_u2f.so' /etc/pam.d/polkit-1; then
+  sudo sed -i '1i auth      sufficient pam_u2f.so cue authfile=/etc/fido2/fido2' /etc/pam.d/polkit-1
+elif grep -q pam_u2f.so /etc/pam.d/sudo && [ ! -f /etc/pam.d/polkit-1 ]; then
+  sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF'
+auth      sufficient pam_u2f.so cue authfile=/etc/fido2/fido2
+auth      required pam_unix.so
+
+account   required pam_unix.so
+password  required pam_unix.so
+session   required pam_unix.so
+EOF
+fi