Fix fido2 and fprint auth flow (#635)

* Restructure fido2 / fprint to add to sudo and polkit * Add migration * Fix migration
2025-08-24 13:41:11 +02:00 · 2025-08-24 13:41:11 +02:00 · bb43d719e6
commit bb43d719e6
parent c4b32c047a
3 changed files with 235 additions and 52 deletions
--- a/bin/omarchy-setup-fido2
+++ b/bin/omarchy-setup-fido2
@ -1,39 +1,128 @@
 #!/bin/bash

+set -e
+
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+print_success() {
+  echo -e "${GREEN}$1${NC}"
+}
+
+print_error() {
+  echo -e "${RED}$1${NC}"
+}
+
+print_info() {
+  echo -e "${YELLOW}$1${NC}"
+}
+
+check_fido2_hardware() {
+  tokens=$(fido2-token -L 2>/dev/null)
+  if [ -z "$tokens" ]; then
+    print_error "\nNo FIDO2 device detected. Please plug it in (you may need to unlock it as well)."
+    return 1
+  fi
+  return 0
+}
+
+setup_pam_config() {
+  # Configure sudo
+  if ! grep -q pam_u2f.so /etc/pam.d/sudo; then
+    print_info "Configuring sudo for FIDO2 authentication..."
+    sudo sed -i '1i auth    sufficient pam_u2f.so cue authfile=/etc/fido2/fido2' /etc/pam.d/sudo
+  fi
+
+  # Configure polkit
+  if [ -f /etc/pam.d/polkit-1 ] && ! grep -q 'pam_u2f.so' /etc/pam.d/polkit-1; then
+    print_info "Configuring polkit for FIDO2 authentication..."
+    sudo sed -i '1i auth      sufficient pam_u2f.so cue authfile=/etc/fido2/fido2' /etc/pam.d/polkit-1
+  elif [ ! -f /etc/pam.d/polkit-1 ]; then
+    print_info "Creating polkit configuration with FIDO2 authentication..."
+    sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF'
+auth      sufficient pam_u2f.so cue authfile=/etc/fido2/fido2
+auth      required pam_unix.so
+
+account   required pam_unix.so
+password  required pam_unix.so
+session   required pam_unix.so
+EOF
+  fi
+}
+
+remove_pam_config() {
+  # Remove from sudo
+  if grep -q pam_u2f.so /etc/pam.d/sudo; then
+    print_info "Removing FIDO2 authentication from sudo..."
+    sudo sed -i '/pam_u2f\.so/d' /etc/pam.d/sudo
+  fi
+
+  # Remove from polkit
+  if [ -f /etc/pam.d/polkit-1 ] && grep -Fq 'pam_u2f.so' /etc/pam.d/polkit-1; then
+    print_info "Removing FIDO2 authentication from polkit..."
+    sudo sed -i '/pam_u2f\.so/d' /etc/pam.d/polkit-1
+  fi
+}
+
 if [[ "--remove" == "$1" ]]; then
-  echo -e "\e[32mLet's remove your Fido2 device from sudo authentication.\n\e[0m"
+  print_success "Removing FIDO2 device from authentication.\n"
+
+  # Remove PAM configuration
+  remove_pam_config
+
+  # Remove FIDO2 configuration
+  if [ -d /etc/fido2 ]; then
+    print_info "Removing FIDO2 configuration..."
+    sudo rm -rf /etc/fido2
+  fi
+
+  # Uninstall packages
+  print_info "Removing FIDO2 packages..."
  yay -Rns --noconfirm libfido2 pam-u2f
-  sudo rm -rf /etc/fido2
-  sudo sed -i '\|^auth[[:space:]]\+sufficient[[:space:]]\+pam_u2f\.so[[:space:]]\+cue[[:space:]]\+authfile=/etc/fido2/fido2$|d' /etc/pam.d/sudo
-  echo -e "\e[32m\nYou've successfully removed the fido2 device setup.\e[0m"
+
+  print_success "FIDO2 authentication has been completely removed."
 else
-  echo -e "\e[32mLet's setup your Fido2 device for sudo authentication.\n\e[0m"
+  print_success "Setting up FIDO2 device for authentication.\n"
+
+  # Install required packages
+  print_info "Installing required packages..."
  yay -S --noconfirm --needed libfido2 pam-u2f

-  tokens=$(fido2-token -L)
+  if ! check_fido2_hardware; then
+    exit 1
+  fi

-  if [ -z "$tokens" ]; then
-    echo -e "\e[31m\nNo fido2 device detected. Plug it in, you may have to unlock it as well\e[0m"
-  else
-    # Create the pamu2fcfg file
-    if [ ! -f /etc/fido2/fido2 ]; then
-      sudo mkdir -p /etc/fido2
-      echo -e "\e[32m\nLet's setup your device by confirming on the device now.\e[0m"
-      pamu2fcfg >/tmp/fido2 # This needs to run as the user
-      if [ $? -ne 0 ]; then
-        echo -e "\e[31m\nSomething went wrong. Maybe try again?\e[0m"
-        exit 1
-      fi
+  # Create the pamu2fcfg file
+  if [ ! -f /etc/fido2/fido2 ]; then
+    sudo mkdir -p /etc/fido2
+    print_success "\nLet's setup your device by confirming on the device now."
+    print_info "Touch your FIDO2 key when it lights up...\n"
+
+    if pamu2fcfg >/tmp/fido2; then
      sudo mv /tmp/fido2 /etc/fido2/fido2
+      print_success "FIDO2 device registered successfully!"
+    else
+      print_error "\nFIDO2 registration failed. Please try again."
+      exit 1
    fi
+  else
+    print_info "FIDO2 device already registered."
+  fi

-    # Add fido2 auth as an option for sudo
-    if ! grep -q pam_u2f.so /etc/pam.d/sudo; then
-      sudo sed -i '1i auth    sufficient pam_u2f.so cue authfile=/etc/fido2/fido2' /etc/pam.d/sudo
-    fi
+  # Configure PAM
+  setup_pam_config

-    if ! sudo echo -e "\e[32m\nPerfect! Now you can use your fido2 device for sudo.\e[0m"; then
-      echo -e "\e[31m\nSomething went wrong. Maybe try again?\e[0m"
-    fi
+  # Test with sudo
+  print_info "\nTesting FIDO2 authentication with sudo..."
+  print_info "Touch your FIDO2 key when prompted.\n"
+
+  if sudo echo "FIDO2 authentication test successful"; then
+    print_success "\nPerfect! FIDO2 authentication is now configured."
+    print_info "You can use your FIDO2 key for sudo and polkit authentication."
+  else
+    print_error "\nVerification failed. You may want to check your configuration."
  fi
 fi
+
--- a/bin/omarchy-setup-fingerprint
+++ b/bin/omarchy-setup-fingerprint
@ -1,45 +1,113 @@
 #!/bin/bash

-if [[ "--remove" == "$1" ]]; then
-  echo -e "\e[32mLet's remove your fingerprint scanner from authentication.\n\e[0m"
-  yay -Rns --noconfirm fprintd
-  sudo rm -rf /etc/pam.d/polkit-1
-  sudo sed -i '/pam_fprintd\.so/d' /etc/pam.d/sudo
-  echo -e "\e[32mYou've successfully removed the fingerprint setup.\e[0m"
-else
-  echo -e "\e[32mLet's setup your fingerprint scanner for authentication.\n\e[0m"
-  yay -S --noconfirm --needed fprintd usbutils
+set -e

-  if ! lsusb | grep -Eiq 'fingerprint|synaptics|goodix|elan'; then
-    echo -e "\e[31m\nNo fingerprint sensor detected.\e[0m"
-  else
-    # Add fingerprint authentication as an option for sudo
-    if ! grep -q pam_fprintd.so /etc/pam.d/sudo; then
-      sudo sed -i '1i auth    sufficient pam_fprintd.so' /etc/pam.d/sudo
-    fi
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color

-    # Add fingerprint authentication as an option for hyprpolkitagent
-    if [ ! -f /etc/pam.d/polkit-1 ] || ! grep -q pam_fprintd.so /etc/pam.d/polkit-1; then
-      sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF'
+print_success() {
+  echo -e "${GREEN}$1${NC}"
+}
+
+print_error() {
+  echo -e "${RED}$1${NC}"
+}
+
+print_info() {
+  echo -e "${YELLOW}$1${NC}"
+}
+
+check_fingerprint_hardware() {
+  if ! lsusb | grep -Eiq 'fingerprint|synaptics|goodix|elan|validity'; then
+    print_error "\nNo fingerprint sensor detected."
+    return 1
+  fi
+  return 0
+}
+
+setup_pam_config() {
+  # Configure sudo
+  if ! grep -q pam_fprintd.so /etc/pam.d/sudo; then
+    print_info "Configuring sudo for fingerprint authentication..."
+    sudo sed -i '1i auth    sufficient pam_fprintd.so' /etc/pam.d/sudo
+  fi
+
+  # Configure polkit
+  if [ -f /etc/pam.d/polkit-1 ] && ! grep -q 'pam_fprintd.so' /etc/pam.d/polkit-1; then
+    print_info "Configuring polkit for fingerprint authentication..."
+    sudo sed -i '1i auth      sufficient pam_fprintd.so' /etc/pam.d/polkit-1
+  elif [ ! -f /etc/pam.d/polkit-1 ]; then
+    print_info "Creating polkit configuration with fingerprint authentication..."
+    sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF'
+auth      sufficient pam_fprintd.so
 auth      required pam_unix.so
-auth      optional pam_fprintd.so

 account   required pam_unix.so
 password  required pam_unix.so
 session   required pam_unix.so
 EOF
-    fi
+  fi
+}

-    # Enroll the first finger
-    echo -e "\e[32m\nLet's setup your right index finger as the first fingerprint.\nKeep moving the finger around on sensor until the process completes.\n\e[0m"
-    sudo fprintd-enroll $USER
+remove_pam_config() {
+  # Remove from sudo
+  if grep -q pam_fprintd.so /etc/pam.d/sudo; then
+    print_info "Removing fingerprint authentication from sudo..."
+    sudo sed -i '/pam_fprintd\.so/d' /etc/pam.d/sudo
+  fi

-    echo -e "\e[32m\nNow let's verify that it's working correctly.\e[0m\n"
+  # Remove from polkit
+  if [ -f /etc/pam.d/polkit-1 ] && grep -Fq 'pam_fprintd.so' /etc/pam.d/polkit-1; then
+    print_info "Removing fingerprint authentication from polkit..."
+    sudo sed -i '/pam_fprintd\.so/d' /etc/pam.d/polkit-1
+  fi
+}

+if [[ "--remove" == "$1" ]]; then
+  print_success "Removing fingerprint scanner from authentication.\n"
+
+  # Remove PAM configuration
+  remove_pam_config
+
+  # Uninstall packages
+  print_info "Removing fingerprint packages..."
+  yay -Rns --noconfirm fprintd
+
+  print_success "Fingerprint authentication has been completely removed."
+else
+  print_success "Setting up fingerprint scanner for authentication.\n"
+
+  # Install required packages
+  print_info "Installing required packages..."
+  yay -S --noconfirm --needed fprintd usbutils
+
+  if ! check_fingerprint_hardware; then
+    exit 1
+  fi
+
+  # Configure PAM
+  setup_pam_config
+
+  # Enroll first fingerprint
+  print_success "\nLet's setup your right index finger as the first fingerprint."
+  print_info "Keep moving the finger around on sensor until the process completes.\n"
+
+  if sudo fprintd-enroll "$USER"; then
+    print_success "\nFingerprint enrolled successfully!"
+
+    # Verify
+    print_info "\nNow let's verify that it's working correctly.\n"
    if fprintd-verify; then
-      echo -e "\e[32m\nPerfect! Now you can use your fingerprint on the lock screen (Super + Escape).\e[0m"
+      print_success "\nPerfect! Fingerprint authentication is now configured."
+      print_info "You can use your fingerprint for sudo, polkit, and lock screen (Super + Escape)."
    else
-      echo -e "\e[31m\nSomething went wrong. Maybe try again?\e[0m"
+      print_error "\nVerification failed. You may want to try enrolling again."
    fi
+  else
+    print_error "\nEnrollment failed. Please try again."
+    exit 1
  fi
 fi
+
--- a/migrations/1754860578.sh
+++ b/migrations/1754860578.sh
@ -0,0 +1,26 @@
+echo "Update polkit policy to yield to fingerprint and fido2"
+# If fprint exists in polkit, it was wrong and needs reset
+if [ -f /etc/pam.d/polkit-1 ] && grep -Fq 'pam_fprintd.so' /etc/pam.d/polkit-1; then
+  sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF'
+auth      sufficient pam_fprintd.so
+auth      required pam_unix.so
+
+account   required pam_unix.so
+password  required pam_unix.so
+session   required pam_unix.so
+EOF
+fi
+
+# If fido2 is in sudo, it won't be in polkit either way
+if grep -q pam_u2f.so /etc/pam.d/sudo && [ -f /etc/pam.d/polkit-1 ] && ! grep -q 'pam_u2f.so' /etc/pam.d/polkit-1; then
+  sudo sed -i '1i auth      sufficient pam_u2f.so cue authfile=/etc/fido2/fido2' /etc/pam.d/polkit-1
+elif grep -q pam_u2f.so /etc/pam.d/sudo && [ ! -f /etc/pam.d/polkit-1 ]; then
+  sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF'
+auth      sufficient pam_u2f.so cue authfile=/etc/fido2/fido2
+auth      required pam_unix.so
+
+account   required pam_unix.so
+password  required pam_unix.so
+session   required pam_unix.so
+EOF
+fi