3

How to configure PAM to require both password and fingerprint to log in?

I can do a password or fingerprint login, but not both, by changing /etc/pam.d/common-auth:

  1. For password only

    auth    [success=2 default=ignore]  pam_unix.so nullok_secure
    
  2. For fingerprint only

    auth [success=2 default=ignore] pam_fprintd.so 
    

How to combine both?

1 Answer

2

If you use the success=2 control flag, PAM skips the next 2 items in the stack on success. And default=ignore means you ignore bad results, so depending on your configuration you should probably use success=ok on the first entry and default=bad on both, as they are executed in order.

    auth    [success=ok default=bad]  pam_unix.so nullok_secure
    auth    [success=2 default=bad]   pam_fprintd.so

This would require both password (pam_unix) and fingerprint (pam_fprintd) and only succeeds if both are successful. If you want to cancel the checks after the first failure, you can also use default=die, which is equivalent to bad but terminates the PAM stack immediately.

stefan0xC
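To check how the answer's control flags combine before touching a live `common-auth`, here is a small stack simulator, added as an illustration and not part of the original answer or of Linux-PAM. It models only the `ok`, `bad`, `die`, `ignore` and jump actions, treats a jump's result as `ignore`, and assumes a `pam_deny.so`/`pam_permit.so` tail after the two lines from the answer; the names `parse`, `authenticate`, `BOTH` and `BOTH_DIE` are hypothetical.

```python
import re

# Keyword controls as bracketed equivalents, abridged to success/default.
KEYWORDS = {"required": "success=ok default=bad", "requisite": "success=ok default=die",
            "optional": "success=ok default=ignore"}
FIXED = {"pam_deny.so": False, "pam_permit.so": True}  # modules with a constant result
LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\w+)\s+(\S+)")

def parse(text):
    """Return [(module, {result: action})] for each auth line."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            control = KEYWORDS.get(m.group(1), m.group(1).strip("[]"))
            entries.append((m.group(2), dict(p.split("=", 1) for p in control.split())))
    return entries

def authenticate(text, outcomes):
    """outcomes: module -> True (PAM_SUCCESS) or False (failure). Returns (granted, modules_run)."""
    entries, failed, positive, ran, i = parse(text), False, False, [], 0
    while i < len(entries):
        module, actions = entries[i]
        ok = FIXED.get(module, outcomes.get(module, False))
        action = actions.get("success" if ok else "default", "bad")  # unlisted: bad (sketch choice)
        ran.append(module)
        i += 1
        if action.isdigit():            # jump: result ignored, next N entries skipped
            i += int(action)
            failed = failed or i > len(entries)  # overshooting the stack counts as failure here
        elif action == "ok":
            positive, failed = positive or ok, failed or not ok
        elif action in ("bad", "die"):
            failed = True
        if action == "die":             # die ends the stack immediately
            break
    return (positive and not failed), ran

# Constructed input: the answer's two lines plus an assumed pam_deny/pam_permit tail.
BOTH = """\
auth    [success=ok default=bad]  pam_unix.so nullok_secure
auth    [success=2 default=bad]   pam_fprintd.so
auth    requisite                 pam_deny.so
auth    required                  pam_permit.so
"""
BOTH_DIE = BOTH.replace("default=bad", "default=die")  # the answer's default=die variant

if __name__ == "__main__":
    for pw in (True, False):
        for fp in (True, False):
            res = {"pam_unix.so": pw, "pam_fprintd.so": fp}
            print(pw, fp, authenticate(BOTH, res), authenticate(BOTH_DIE, res))
```

With `default=bad` a wrong password still leads to the fingerprint prompt before the login is refused; with `default=die` the run list stops at `pam_unix.so`.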