Enable windows like PIN unlock or login

We always need to enter user’s password to login or unlock desktop session. The password can be long and complex. This is annoying, while security is important. So a shorter password as a complement to simply the process would be helpful. Windows 10 ‘s PIN (4 digits) is a kind of implementation.

This document show you how to set another simple password to access desktop session.

libpam_pwdfile is a PAM module allowing authentication via an file like /etc/passwd. We use it to meet our solution.

sudo apt install libpam-pwdfile

Unlock KDE desktop with PIN

kscreenlocker is the application that handle the lock and unlock process. By default, it use uses the PAM service “kde”. So we need to hack the file /etc/pam.d/kde

First, we generate a file to store the PIN.

echo <username>:`openssl passwd -1 <PIN>` |sudo tee -a /etc/kde_unlock_pin

Note: the file (/etc/kde_unlock_pin) used to save your PIN is not plain text. It is encrypted password just like /etc/shadow. And you can put the file anywhere with proper permission as you like , /etc would be the best.

Second, modify the PAM service /etc/pam.d/kde

/etc/pam.d/kde
--------------------------------------------------------------------------------------------------
# put this line before any other normal auth
-auth   sufficient      pam_pwdfile.so pwdfile=/etc/kde_unlock_pin
...

That’s all you need. Done!

Login KDE desktop with PIN

Login with simple password is not recommend. But if you want, you can do that. Here we are. The method is almost the same as above.

If you are using SDDM the default KDE window manager, we need to modify /etc/pam.d/sddm

...
# We need to skip the common-auth if success
-auth   [success=1 default=ignore]      pam_pwdfile.so pwdfile= /etc/kde_unlock_pin
# we replace @include with substack, so we can jump over it
auth    substack        common-auth
auth    required        pam_permit.so
...

success=1 means jump over one module if success.

auth required pam_permit.so This line is necessary to avoid jump too far.

pam1

KWallet auto unlock when login

The line -auth optional pam_kwallet5.so in above picture is to unlock KWallet with entered password. So you just need to make sure KWallet’s password is the same.

kwallet

Refer:

Updated: