# Linux Hello PAM Configuration Template
#
# WARNING: Incorrect PAM configuration may lock you out of your system!
# Always keep a root terminal open when testing PAM changes.
#
# This file is a TEMPLATE - it is NOT automatically installed.
# You must manually configure PAM after careful consideration.
#
# BACKUP YOUR PAM CONFIGURATION BEFORE MAKING CHANGES:
#   sudo cp -r /etc/pam.d /etc/pam.d.backup
#
# To enable Linux Hello for sudo, add this line to /etc/pam.d/sudo:
#   auth    sufficient    pam_linux_hello.so
#
# Example /etc/pam.d/sudo with Linux Hello:
# -------------------------------------------
# #%PAM-1.0
#
# # Try face authentication first
# auth    sufficient    pam_linux_hello.so
#
# # Fall back to normal authentication
# @include common-auth
# @include common-account
# @include common-session-noninteractive
# -------------------------------------------
#
# For login/gdm/lightdm, similar configuration applies.
# Be extremely careful with display manager PAM files!
#
# Module options:
#   debug           - Enable debug logging to syslog
#   timeout=N       - Authentication timeout in seconds (default: 5)
#   try_first_pass  - Use password from previous module if available
#
# Example with options:
#   auth sufficient pam_linux_hello.so debug timeout=10
#
# Testing:
# 1. Keep a root shell open: sudo -i
# 2. In another terminal, test: sudo -k && sudo echo "success"
# 3. If face auth fails, password prompt should appear
# 4. If completely locked out, use root shell to restore backup
#
# For more information, see:
# https://github.com/linux-hello/linux-hello