Have a long password for your Linux user account? You can set up a 4 or 6 digit PIN number to login your Linux with ease.
Most Linux uses Pluggable Authentication Modules (PAM) for many authentication methods support. By configuring it, allows to login and unlock your Linux PC with a PIN.
NOTE 1: After following this tutorial, your can login with either user password or PIN number. While all other works that need root permission only work with your user password.
NOTE 2: This tutorial is tested and works in following Linux Distributions:
- Ubuntu 22.04, Ubuntu 23.04, Ubuntu 23.10.
- KUbuntu 22.04, Ubuntu MATE 22.04, Ubuntu Cinnamon 22.04. XUbuntu 22.04
- Debian 12 with XFCE, GNOME, KDE, MATE, and Cinnamon.
- Linux Mint 21, Elementary OS 7, Pop OS 22.04, Zorin OS 6, Linux Lite 6.6.
- Manjaro Linux with GNOME.
It should work in most other Linux, though you HAVE to manually install the libpam-pwdfile library.
Step 1: Install the Required Library
Before getting started, you need to install the libpam-pwdfile PAM module for authenticate with /etc/passwd-like file. Also install whois package for encrypt your PIN number.
In all Debian and Ubuntu based systems mentioned above, first launch a terminal (or koncole) window from start/application menu or ‘Activities’ overview depends on your desktop environment.
When terminal opens, run command to install the 2 library packages:
sudo apt install libpam-pwdfile whois
For Manjaro Linux, launch “Add/Remove Software”, then search and install ‘whois‘ and ‘libpam_pwdfile‘ one by one.
NOTE: You need to open 'Preferences' and turn on 'Enable AUR Support' under Third Party tab first.
Step 2: Create a file to store your PIN Number
Also in terminal (or konsole) window, run command:
sudo sh -c 'echo "merilyn:$(mkpasswd -5)" > /etc/mypinfile'
This command will create a /etc/mypinfile file, and write merilyn:$(mkpasswd -5) into that file. While:
- merilyn is my username, replace it to yours. Run
whoamito tell your current name. - $(mkpasswd -5) will ask to input your desired PIN number (e.g., 6054) as password, then return unreadable encrypted code with MD5.
After that, you can verify the file content by running cat /etc/mypinfile command. It should output something “your_user_name:encrypted_pin_number“.
Finally, run command to change its permission, so only root can read, while all others have no permission to that file:
sudo chmod 400 /etc/mypinfile
Step 3: Set the PIN Number for Login
Finally, edit the config file under /etc/pam.d to apply the PIN you just set.
The file varies depends on your display manager. You may run systemctl status display-manager command in terminal to tell.
For GDM, GNOME Display Manager
Ubuntu, Debian and Manjaro with GNOME, or Pop! OS, Zorin OS users can edit the /etc/pam.d/gdm-password to do the job.
- First, run command to make a backup of original config file:
sudo cp /etc/pam.d/gdm-password /etc/pam.d/gdm-password.backup
- Then, edit the config file via command:
sudo gedit /etc/pam.d/gdm-password
Replace gedit in command with gnome-text-editor for Debian 12, Ubuntu 23.04+, Manjaro GNOME.
- When file opens, add the line below near the top and save it.
auth sufficient pam_pwdfile.so pwdfile=/etc/mypinfile
For lightdm, Light Display Manager
XUbuntu, Elementary OS 7, Linux Mint, Linux Lite and other Linux with XFCE, MATE, or Cinnamon desktop environment can edit the /etc/pam.d/lightdm file instead.
Also, open terminal and run the commands below one by one.
- First, run command to make a backup of original config file:
sudo cp /etc/pam.d/lightdm /etc/pam.d/lightdm.backup
- Then, edit the config file via command:
sudo mousepad /etc/pam.d/lightdm
Replace mousepad (for XFCE) in command with pluma for MATE, or xedit for Cinnamon. If you don’t know which editor to use, just use nano that works in most Linux
- When file opens, add the line below near the top (usually second) and save it.
auth sufficient pam_pwdfile.so pwdfile=/etc/mypinfile
For nano text editor, press Ctrl+X, then type y and hit Enter to save file.
For sddm, Simple Desktop Display Manager
KUbuntu, Ubuntu Studio, etc with SDDM display manager can edit the /etc/pam.d/sddm file instead.
Also, open terminal (or maybe konsole) and run the commands below one by one.
- First, run command to make a backup of original config file:
sudo cp /etc/pam.d/sddm /etc/pam.d/sddm.backup
- Then, edit the config file via command:
kate /etc/pam.d/sddm
Replace kate for KDE Plasma, for your system text editor, or use universal sudo nano works in most Linux.
- When file opens, add the line below near the top (usually second) and save it.
auth sufficient pam_pwdfile.so pwdfile=/etc/mypinfile
When done, restart your computer and type logging with the PIN number and enjoy!
Undo or Refresh PIN number
To refresh your PIN number, just re-run the command in Step 2:
sudo sh -c 'echo "merilyn:$(mkpasswd -5)" > /etc/mypinfile'
Replace ‘merilyn’ to your username and re-type a PIN number when it prompt to input ‘Password’
If you did above steps incorrectly, your system may refuse to login anymore! In the case, simple restore the original config file you edit in Step 3. To do so,
- First, press Ctrl+Alt+F3 (~F6) to switch to TTY console. Then type your username and then password to login.
- Finally, run command to restore the config file:
sudo mv /etc/pam.d/gdm-password.backup /etc/pam.d/gdm-password
Depends on your display manager, replace gdm-password in last command with sddm for KDE Plasma, or lightdm for XFCE, MATE, Cinnamon.
Summary
In short, to enable PIN login, you just need libpam-pwdfile and whois packages installed. Then write your username plus PIN number (encrypted) in a file, finally edit the config file under /etc/pam.d depends your display manager and add the rule for PIN login.
