From bb43d719e67e9c6cb9b94f3a3dbd5dad3a8bdb57 Mon Sep 17 00:00:00 2001 From: Ryan Hughes Date: Sun, 24 Aug 2025 13:41:11 +0200 Subject: [PATCH] Fix fido2 and fprint auth flow (#635) * Restructure fido2 / fprint to add to sudo and polkit * Add migration * Fix migration
---
bin/omarchy-setup-fido2 | 139 ++++++++++++++++++++++++++++------ bin/omarchy-setup-fingerprint | 122 ++++++++++++++++++++++------- migrations/1754860578.sh | 26 +++++++ 3 files changed, 235 insertions(+), 52 deletions(-) create mode 100644 migrations/1754860578.sh
diff --git a/bin/omarchy-setup-fido2 b/bin/omarchy-setup-fido2
index abe6c5da..6abc7659 100755
--- a/bin/omarchy-setup-fido2
+++ b/bin/omarchy-setup-fido2
@@ -1,39 +1,128 @@ #!/bin/bash +set -e + +GREEN='\033[0;32m' +RED='\033[0;31m' +YELLOW='\033[1;33m' +NC='\033[0m' # No Color + +print_success() { + echo -e "${GREEN}$1${NC}" +} + +print_error() { + echo -e "${RED}$1${NC}" +} + +print_info() { + echo -e "${YELLOW}$1${NC}" +} + +check_fido2_hardware() { + tokens=$(fido2-token -L 2>/dev/null) + if [ -z "$tokens" ]; then + print_error "\nNo FIDO2 device detected. Please plug it in (you may need to unlock it as well)." + return 1 + fi + return 0 +} + +setup_pam_config() { + # Configure sudo + if ! grep -q pam_u2f.so /etc/pam.d/sudo; then + print_info "Configuring sudo for FIDO2 authentication..." + sudo sed -i '1i auth sufficient pam_u2f.so cue authfile=/etc/fido2/fido2' /etc/pam.d/sudo + fi + + # Configure polkit + if [ -f /etc/pam.d/polkit-1 ] && ! grep -q 'pam_u2f.so' /etc/pam.d/polkit-1; then + print_info "Configuring polkit for FIDO2 authentication..." + sudo sed -i '1i auth sufficient pam_u2f.so cue authfile=/etc/fido2/fido2' /etc/pam.d/polkit-1 + elif [ ! -f /etc/pam.d/polkit-1 ]; then + print_info "Creating polkit configuration with FIDO2 authentication..." + sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF' +auth sufficient pam_u2f.so cue authfile=/etc/fido2/fido2 +auth required pam_unix.so + +account required pam_unix.so +password required pam_unix.so +session required pam_unix.so +EOF + fi +} + +remove_pam_config() { + # Remove from sudo + if grep -q pam_u2f.so /etc/pam.d/sudo; then + print_info "Removing FIDO2 authentication from sudo..." + sudo sed -i '/pam_u2f\.so/d' /etc/pam.d/sudo + fi + + # Remove from polkit + if [ -f /etc/pam.d/polkit-1 ] && grep -Fq 'pam_u2f.so' /etc/pam.d/polkit-1; then + print_info "Removing FIDO2 authentication from polkit..." 
+ sudo sed -i '/pam_u2f\.so/d' /etc/pam.d/polkit-1 + fi +} + if [[ "--remove" == "$1" ]]; then - echo -e "\e[32mLet's remove your Fido2 device from sudo authentication.\n\e[0m" + print_success "Removing FIDO2 device from authentication.\n" + + # Remove PAM configuration + remove_pam_config + + # Remove FIDO2 configuration + if [ -d /etc/fido2 ]; then + print_info "Removing FIDO2 configuration..." + sudo rm -rf /etc/fido2 + fi + + # Uninstall packages + print_info "Removing FIDO2 packages..." yay -Rns --noconfirm libfido2 pam-u2f - sudo rm -rf /etc/fido2 - sudo sed -i '\|^auth[[:space:]]\+sufficient[[:space:]]\+pam_u2f\.so[[:space:]]\+cue[[:space:]]\+authfile=/etc/fido2/fido2$|d' /etc/pam.d/sudo - echo -e "\e[32m\nYou've successfully removed the fido2 device setup.\e[0m" + + print_success "FIDO2 authentication has been completely removed." else - echo -e "\e[32mLet's setup your Fido2 device for sudo authentication.\n\e[0m" + print_success "Setting up FIDO2 device for authentication.\n" + + # Install required packages + print_info "Installing required packages..." yay -S --noconfirm --needed libfido2 pam-u2f - tokens=$(fido2-token -L) + if ! check_fido2_hardware; then + exit 1 + fi - if [ -z "$tokens" ]; then - echo -e "\e[31m\nNo fido2 device detected. Plug it in, you may have to unlock it as well\e[0m" - else - # Create the pamu2fcfg file - if [ ! -f /etc/fido2/fido2 ]; then - sudo mkdir -p /etc/fido2 - echo -e "\e[32m\nLet's setup your device by confirming on the device now.\e[0m" - pamu2fcfg >/tmp/fido2 # This needs to run as the user - if [ $? -ne 0 ]; then - echo -e "\e[31m\nSomething went wrong. Maybe try again?\e[0m" - exit 1 - fi + # Create the pamu2fcfg file + if [ ! -f /etc/fido2/fido2 ]; then + sudo mkdir -p /etc/fido2 + print_success "\nLet's setup your device by confirming on the device now." 
+ print_info "Touch your FIDO2 key when it lights up...\n" + + if pamu2fcfg >/tmp/fido2; then sudo mv /tmp/fido2 /etc/fido2/fido2 + print_success "FIDO2 device registered successfully!" + else + print_error "\nFIDO2 registration failed. Please try again." + exit 1 fi + else + print_info "FIDO2 device already registered." + fi - # Add fido2 auth as an option for sudo - if ! grep -q pam_u2f.so /etc/pam.d/sudo; then - sudo sed -i '1i auth sufficient pam_u2f.so cue authfile=/etc/fido2/fido2' /etc/pam.d/sudo - fi + # Configure PAM + setup_pam_config - if ! sudo echo -e "\e[32m\nPerfect! Now you can use your fido2 device for sudo.\e[0m"; then - echo -e "\e[31m\nSomething went wrong. Maybe try again?\e[0m" - fi + # Test with sudo + print_info "\nTesting FIDO2 authentication with sudo..." + print_info "Touch your FIDO2 key when prompted.\n" + + if sudo echo "FIDO2 authentication test successful"; then + print_success "\nPerfect! FIDO2 authentication is now configured." + print_info "You can use your FIDO2 key for sudo and polkit authentication." + else + print_error "\nVerification failed. You may want to check your configuration." fi fi + diff --git a/bin/omarchy-setup-fingerprint b/bin/omarchy-setup-fingerprint index 8170cd3c..3d3d9ffc 100755 --- a/bin/omarchy-setup-fingerprint +++ b/bin/omarchy-setup-fingerprint 
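Review bot: The `sudo echo "FIDO2 authentication test successful"` test at the end of the hunk will, in a fresh setup, typically succeed without the key ever being touched, because the earlier `sudo mkdir -p /etc/fido2`, `sudo mv /tmp/fido2 /etc/fido2/fido2` and the `sudo sed -i '1i ...' /etc/pam.d/sudo` inside `setup_pam_config` have already established a cached sudo timestamp in the same run; drop it with `sudo -k` on the line before the `if` so the test really goes through the new pam_u2f line. Separately, the registration still writes to the fixed path `/tmp/fido2` in a shared directory and `sudo mv` then most likely keeps that file's owner (the invoking user) once it sits at `/etc/fido2/fido2`, i.e. the mapping that gates sudo is not root-owned; writing to `tmp=$(mktemp)` and installing it with `sudo install -m 0644 -o root -g root "$tmp" /etc/fido2/fido2` avoids picking up a pre-existing file or link at a predictable name and leaves the authfile editable only by root. Minor: `tokens` in `check_fido2_hardware` should be declared `local`.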
@@ -1,45 +1,113 @@ #!/bin/bash -if [[ "--remove" == "$1" ]]; then - echo -e "\e[32mLet's remove your fingerprint scanner from authentication.\n\e[0m" - yay -Rns --noconfirm fprintd - sudo rm -rf /etc/pam.d/polkit-1 - sudo sed -i '/pam_fprintd\.so/d' /etc/pam.d/sudo - echo -e "\e[32mYou've successfully removed the fingerprint setup.\e[0m" -else - echo -e "\e[32mLet's setup your fingerprint scanner for authentication.\n\e[0m" - yay -S --noconfirm --needed fprintd usbutils +set -e - if ! lsusb | grep -Eiq 'fingerprint|synaptics|goodix|elan'; then - echo -e "\e[31m\nNo fingerprint sensor detected.\e[0m" - else - # Add fingerprint authentication as an option for sudo - if ! grep -q pam_fprintd.so /etc/pam.d/sudo; then - sudo sed -i '1i auth sufficient pam_fprintd.so' /etc/pam.d/sudo - fi +GREEN='\033[0;32m' +RED='\033[0;31m' +YELLOW='\033[1;33m' +NC='\033[0m' # No Color - # Add fingerprint authentication as an option for hyprpolkitagent - if [ ! -f /etc/pam.d/polkit-1 ] || ! grep -q pam_fprintd.so /etc/pam.d/polkit-1; then - sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF' +print_success() { + echo -e "${GREEN}$1${NC}" +} + +print_error() { + echo -e "${RED}$1${NC}" +} + +print_info() { + echo -e "${YELLOW}$1${NC}" +} + +check_fingerprint_hardware() { + if ! lsusb | grep -Eiq 'fingerprint|synaptics|goodix|elan|validity'; then + print_error "\nNo fingerprint sensor detected." + return 1 + fi + return 0 +} + +setup_pam_config() { + # Configure sudo + if ! grep -q pam_fprintd.so /etc/pam.d/sudo; then + print_info "Configuring sudo for fingerprint authentication..." + sudo sed -i '1i auth sufficient pam_fprintd.so' /etc/pam.d/sudo + fi + + # Configure polkit + if [ -f /etc/pam.d/polkit-1 ] && ! grep -q 'pam_fprintd.so' /etc/pam.d/polkit-1; then + print_info "Configuring polkit for fingerprint authentication..." + sudo sed -i '1i auth sufficient pam_fprintd.so' /etc/pam.d/polkit-1 + elif [ ! 
-f /etc/pam.d/polkit-1 ]; then + print_info "Creating polkit configuration with fingerprint authentication..." + sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF' +auth sufficient pam_fprintd.so auth required pam_unix.so -auth optional pam_fprintd.so account required pam_unix.so password required pam_unix.so session required pam_unix.so EOF - fi + fi +} - # Enroll the first finger - echo -e "\e[32m\nLet's setup your right index finger as the first fingerprint.\nKeep moving the finger around on sensor until the process completes.\n\e[0m" - sudo fprintd-enroll $USER +remove_pam_config() { + # Remove from sudo + if grep -q pam_fprintd.so /etc/pam.d/sudo; then + print_info "Removing fingerprint authentication from sudo..." + sudo sed -i '/pam_fprintd\.so/d' /etc/pam.d/sudo + fi - echo -e "\e[32m\nNow let's verify that it's working correctly.\e[0m\n" + # Remove from polkit + if [ -f /etc/pam.d/polkit-1 ] && grep -Fq 'pam_fprintd.so' /etc/pam.d/polkit-1; then + print_info "Removing fingerprint authentication from polkit..." + sudo sed -i '/pam_fprintd\.so/d' /etc/pam.d/polkit-1 + fi +} +if [[ "--remove" == "$1" ]]; then + print_success "Removing fingerprint scanner from authentication.\n" + + # Remove PAM configuration + remove_pam_config + + # Uninstall packages + print_info "Removing fingerprint packages..." + yay -Rns --noconfirm fprintd + + print_success "Fingerprint authentication has been completely removed." +else + print_success "Setting up fingerprint scanner for authentication.\n" + + # Install required packages + print_info "Installing required packages..." + yay -S --noconfirm --needed fprintd usbutils + + if ! check_fingerprint_hardware; then + exit 1 + fi + + # Configure PAM + setup_pam_config + + # Enroll first fingerprint + print_success "\nLet's setup your right index finger as the first fingerprint." 
+ print_info "Keep moving the finger around on sensor until the process completes.\n" + + if sudo fprintd-enroll "$USER"; then + print_success "\nFingerprint enrolled successfully!" + + # Verify + print_info "\nNow let's verify that it's working correctly.\n" if fprintd-verify; then - echo -e "\e[32m\nPerfect! Now you can use your fingerprint on the lock screen (Super + Escape).\e[0m" + print_success "\nPerfect! Fingerprint authentication is now configured." + print_info "You can use your fingerprint for sudo, polkit, and lock screen (Super + Escape)." else - echo -e "\e[31m\nSomething went wrong. Maybe try again?\e[0m" + print_error "\nVerification failed. You may want to try enrolling again." fi + else + print_error "\nEnrollment failed. Please try again." + exit 1 fi fi +
diff --git a/migrations/1754860578.sh b/migrations/1754860578.sh
new file mode 100644
index 00000000..afd4beb8
--- /dev/null
+++ b/migrations/1754860578.sh
@@ -0,0 +1,26 @@
+echo "Update polkit policy to yield to fingerprint and fido2"
+# If fprint exists in polkit, it was wrong and needs reset
+if [ -f /etc/pam.d/polkit-1 ] && grep -Fq 'pam_fprintd.so' /etc/pam.d/polkit-1; then
+ sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF'
+auth sufficient pam_fprintd.so
+auth required pam_unix.so
+
+account required pam_unix.so
+password required pam_unix.so
+session required pam_unix.so
+EOF
+fi
+
+# If fido2 is in sudo, it won't be in polkit either way
+if grep -q pam_u2f.so /etc/pam.d/sudo && [ -f /etc/pam.d/polkit-1 ] && ! grep -q 'pam_u2f.so' /etc/pam.d/polkit-1; then
+ sudo sed -i '1i auth sufficient pam_u2f.so cue authfile=/etc/fido2/fido2' /etc/pam.d/polkit-1
+elif grep -q pam_u2f.so /etc/pam.d/sudo && [ ! -f /etc/pam.d/polkit-1 ]; then
+ sudo tee /etc/pam.d/polkit-1 >/dev/null <<'EOF'
+auth sufficient pam_u2f.so cue authfile=/etc/fido2/fido2
+auth required pam_unix.so
+
+account required pam_unix.so
+password required pam_unix.so
+session required pam_unix.so
+EOF
+fi
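Review bot: `setup_pam_config` is called before `sudo fprintd-enroll "$USER"`, so when enrollment fails the script reaches `print_error "\nEnrollment failed. Please try again."` and `exit 1` with `auth sufficient pam_fprintd.so` already inserted at the top of /etc/pam.d/sudo and polkit-1 and nothing reverting it; the fido2 script in this same patch only configures PAM after a successful registration. Either move the `setup_pam_config` call into the success branch right after `print_success "\nFingerprint enrolled successfully!"`, or call `remove_pam_config` before the `exit 1` in the failure branch so a failed run leaves the PAM stacks as it found them. The presence checks are also inconsistent within the file: `setup_pam_config` uses `grep -q pam_fprintd.so` while `remove_pam_config` uses `grep -Fq 'pam_fprintd.so'`; pick the fixed-string form for both, since the module name is a literal and `.` is otherwise a regex wildcard.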
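Review bot: The comment `# If fido2 is in sudo, it won't be in polkit either way` states the observation but not the reason; from the removed lines of the fido2 hunk, the previous setup only ever inserted pam_u2f into /etc/pam.d/sudo, so a comment such as `# The previous fido2 setup only touched /etc/pam.d/sudo; mirror its pam_u2f line into polkit-1 (creating the file if absent)` would explain why the two conditions below are keyed on sudo. Both `grep -q pam_u2f.so /etc/pam.d/sudo` tests also match a commented-out line and print an error if /etc/pam.d/sudo is missing; `grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_u2f\.so' /etc/pam.d/sudo 2>/dev/null` pins the check to an active auth line. The polkit-1 template written by `sudo tee` here is the third copy of the one in the two setup scripts, so a later change to the stack has to be repeated in all three places.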