I basically want to unlock any sudo authentication when any of these criteria is met (whichever completes successfully first):
- a USB as a security key is matched (custom script).
- fingerprint matched.
- password entered and matched.
It's easy to add to the PAM stack to allow sequential 2FA/3FA, but I'm struggling quite a lot to make the methods run in parallel and pick the first one that succeeds.
The auth sufficient control allows waiting for the next method in the queue if it fails, but I haven't found a way to have something like that in parallel (looking for something like auth sufficient_parallel).
References recorded before asking the question:
- PAM - required and sufficient control flag
- linux-pam#301 - Parallel or "any" PAM modules
- i3lock#201 - Fingerprint unlock after suspend/sleep with fprintd and PAM does not work
- Use multiple PAM login methods at once?
- How do I allow both fingerprint and password entry on lock/login screen regardless of prompt type?
Most of these are either too outdated or the hacks are unmaintained.
I feel like the 10s fingerprint timeout when running sequentially is a waste, as the fingerprint reader becomes of no use after the timeout unless the auth process is killed and restarted, and I have no way to type the password until that 10s fingerprint timeout has finished.
It's 2022 and I feel like this type of parallelism is a general requirement of users, as processors and OSes picked up multiple cores and threads long ago.
Are there any working hacks or a proper patch that can be applied to make it work right now?