No authentication after screen lock or sleep

Taffer · April 18, 2025, 10:31am

Any pam experts here? I’ve pooched my settings, and I’m not sure how to get them back to a sane state (although I haven’t experimented much because I’m a little paranoid about getting locked out).

I’m using a Framework 16 laptop with KDE Plasma. The goal:

Fingerprint sensor or password for authenticating when the “enter your password” dialog pops up (unlocking 1Password for example, or elevating KDE like with the “Boot Splash Screen” settings panel)
Fingerprint or password for unlocking the screen
Password for unlocking after system sleep
Password for logging in to the console and SDDM
Password for sudo

Current situation (I’ve disabled the fingerprint sensor until I get this resolved):

password only for logging in (console and SDDM), authenticating/elevating/sudo
lock screen asks for no authentication
no authentication after system sleep

Where should I look for clues? Does pam have a way to dump the active config so I can see what’s actually set at runtime?

Alternatively, is there I way I can get (or view online) the original /etc/pam.d files back? I believe everything is stock except for: kde-fingerprint, system-login The kde-fingerprint config should be ignored right now because fprintd is disabled.

For your amusement, my current system-login:

#%PAM-1.0

auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
session    optional   pam_umask.so
-session   optional   pam_systemd.so
session    required   pam_env.so

cactux · April 18, 2025, 10:36am

Look for pam-1.7.0-2.1-x86_64_v3.pkg.tar.zst in /var/cache/pacman/pkg

Or download from mirror: https://archlinux.org/packages/core/x86_64/pam/download/

Extract the file and look inside.

Taffer · April 18, 2025, 11:30am

The base pam package doesn’t seem to provide any of those config files. I’m digging into pambase now…

cactux · April 18, 2025, 11:34am

Yes, that must be it:

etc/
etc/pam.d/
etc/pam.d/other
etc/pam.d/system-auth
etc/pam.d/system-local-login
etc/pam.d/system-login
etc/pam.d/system-remote-login
etc/pam.d/system-services

Taffer · April 18, 2025, 11:50am

No luck, I haven’t been able to find a source for /etc/pam.d/{kde, kde-fingerprint, systemd-user}; the ones in pambase are all the same as the ones on my system.

cactux · April 18, 2025, 12:00pm

Look at: extra/kscreenlocker


etc/
etc/pam.d/
etc/pam.d/kde
etc/pam.d/kde-fingerprint
etc/pam.d/kde-smartcard

Taffer · April 18, 2025, 7:38pm

Perfect, that was it! Adding -auth required pam_fprintd.so back in has made things work properly again.

Now I’ve got a sane base for tweaking behaviours.

Taffer · April 19, 2025, 11:43am

I believe I’ve gotten things set up the way I want (I can authenticate with fingerprint after logging in with password). The change was to add one line to /etc/pam.d/system-auth:

auth       required                    pam_faillock.so      preauth
-auth      [success=2 default=ignore]  pam_systemd_home.so
auth       sufficient                  pam_fprintd.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc

Specifically the auth sufficient pam_fprintd.so line.