One of the best Windows 10 features is that you can use a PIN to log in faster than typing your password. Of course with Windows Hello you can log in even faster, but fingerprint scanning is often unreliable, and not many laptops have the IR camera required for the facial unlock feature. Wouldn’t it be great if you could use a PIN to log in to your Linux desktop too?
It turns out that you can. The following instructions are for Ubuntu, but they should also work on derivatives like Zorin OS 16, which I tested the feature on.
First, let’s open the terminal and update the apt sources just to be sure:
sudo apt update
Now, let’s install some stuff that we need. First, let’s add a PAM (Pluggable Authentication Modules) module that will enable us to authenticate via an /etc/passwd-like file:
sudo apt install -y libpam-pwdfile
Let’s also install whois, as it is not 100% certain that you have the mkpasswd command available. If you do, this command will not break anything anyway:
sudo apt install whois
Now the fun begins. For these steps, we assume that you are using GDM as your graphical login manager. If you are using something else, go on and Google a bit on what file you will need to edit instead of gdm-password.
Let’s switch to the root user, make a backup copy of the gdm-password file and generate the encrypted PIN file. For the third command be sure to change “myusername” to your username 🙂
sudo -i
cp /etc/pam.d/gdm-password /etc/pam.d/gdm-password_ORIGINAL
echo "myusername:$(mkpasswd -5)" > /etc/custompinfile
After running the third line, you will be prompted for a password. Enter the PIN code you desire there.
Okay, now all that is left is to tell gdm-password to use the PIN file we created. Open up gdm-password with root privileges with your favorite editor. To keep things simple, just use gedit like this:
sudo gedit /etc/pam.d/gdm-password
Note: If you are still using the same terminal, you will not even need to add sudo at the front as you will still have root privileges.
In the editor, add the following line after “%PAM-1.0”:
auth sufficient pam_pwdfile.so pwdfile=/etc/custompinfile
The beginning of the file now should look like this:
Save the file, close the editor and prepare to test if it works. First, you need to log out and log back in using your normal password. Restarting your computer works fine too. Now after you lock your screen with the [Super] + [L] key combination, you can type either your password or your PIN in the password input field to log back in.
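The `echo ... >` redirect used to create /etc/custompinfile leaves the file with root's default umask, which typically makes it world-readable, so any local account could copy the hash and guess a short PIN offline. The audit below is an added example, not part of the original article; its function names and finding labels are made up for illustration, and it assumes GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: audit the PIN file that a PAM service file hands to pam_pwdfile.
# Function names and finding labels are illustrative. Requires GNU stat (Ubuntu).

# Print the pwdfile= path from the first active pam_pwdfile.so auth line.
pinfile_from_pam() {
    sed -n 's/^[[:space:]]*auth[[:space:]].*pam_pwdfile\.so.*pwdfile=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print one finding per line; return 0 when the file passes, 1 otherwise.
audit_pinfile() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 1
    fi
    mode=$(stat -c %a "$f")
    if [ "$(stat -c %u "$f")" != "0" ]; then
        echo "OWNER: $f is not owned by root"
        rc=1
    fi
    if [ $(( 0$mode & 007 )) -ne 0 ]; then
        echo "WORLD: mode $mode lets any local user read or change the hash"
        rc=1
    fi
    if [ $(( 0$mode & 020 )) -ne 0 ]; then
        echo "GROUP-WRITE: mode $mode lets the group replace the hash"
        rc=1
    fi
    # md5crypt ($1$) is what `mkpasswd -5` emits; it is fast to compute.
    if grep -q '^[^:]*:\$1\$' "$f"; then
        echo "HASH: md5crypt entry present; a short PIN falls quickly offline"
        rc=1
    fi
    return $rc
}

# Audit whatever file a given PAM service points at (default: the article's).
audit_pam_service() {
    pam=${1:-/etc/pam.d/gdm-password}
    pin=$(pinfile_from_pam "$pam")
    if [ -z "$pin" ]; then
        echo "NO-PINFILE: $pam has no pam_pwdfile.so auth line"
        return 0
    fi
    audit_pinfile "$pin"
}
```

Run it as root with `audit_pam_service /etc/pam.d/gdm-password`; `chown root:root` and `chmod 600` on the PIN file clear the ownership and mode findings.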
If something goes wrong
You can boot in recovery mode and enter the terminal to fix things. The following command will restore the original gdm-password file and we didn’t change anything else that could break the system:
cp /etc/pam.d/gdm-password_ORIGINAL /etc/pam.d/gdm-password
Pros and cons
Pro
- More secure than Windows, as you cannot use the PIN code the first time you log in after starting up your computer, and you can’t gain root privileges with it. For that you still need your password.
Contra
- You need to press the [Enter] key after entering the PIN code. This is better on Windows, where you don’t need to…
- After rebooting you have to log in with your normal password first. PIN unlock will only work after that.
Worked right the first time.
Thanks
Worked perfectly for me. Thanks.
Worked great, and great instructions. Thanks.
Please notice that whoever has read access to ‘/etc/custompinfile’ can EASILY brute force the PIN.
Therefore make sure that the file is owned by root and nobody else has access to it (440 mod I think).
Also, if the drive where ‘/etc/custompinfile’ is stored isn’t encrypted – in case somebody gains physical access to the drive he will be able to access the file (and brute force the PIN) regardless of the permissions you’ve set to the file.
for Mint cinnamon:
Alter the /etc/pam.d/cinnamon-screensaver to include the
‘auth sufficient pam_pwdfile.so pwdfile=/etc/custompinfile’ above the @include common-auth.
also for Mint Cinnamon
instead of gdm-password you want to edit lightdm
This worked pretty well for me on Ubuntu 22.04.1 LTS, however when I reach the desktop I now get a prompt after reboot stating “The login key did not get unlocked when you logged into your computer”. After entering my full password everything works as expected.
Any ideas?
Regards,
Al
PIN unlock only works after you logged in once with your password. Your observation is correct and I added this to the article.
Ah yes, apologies I noticed the mention of using the password on reboot login after my comment.
Thank you very much for this excellent guide, I’ve bookmarked it for future use and will be sharing it.
I have done it in Debian testing, with gdm. But the behavior is not as expected: when I turn on the computer for the first time, the PIN also works to log in, when, as detailed, only the password should, with the PIN working only to unlock a session that has already started. Does somebody know why that could be? I would prefer that only the password works to log in, and that the PIN works only to unlock a session that has already started.
Although the pin is valid for logging in, not for the terminal, for example “sudo apt update” + pin does not work