- Install packages if they aren't already installed.

      sudo apt install libpam-pwdfile whois

- Back up the Original PAM Configuration File

      sudo cp /etc/pam.d/gdm-password /etc/pam.d/gdm-password_ORIGINAL

- Create the Custom PIN File

      echo "$(whoami):$(mkpasswd -5)" | sudo tee /etc/custompinfile
      sudo chmod 400 /etc/custompinfile

- Edit the PAM Configuration File to Enable the PIN file

  Use your editor of choice with superuser privileges to edit the /etc/pam.d/gdm-password file and add auth sufficient pam_pwdfile.so pwdfile=/etc/custompinfile to the top of the file, similar to the following:

      sudo vim /etc/pam.d/gdm-password

  The top of your configuration file should look like the following:

      #%PAM-1.0
      auth sufficient pam_pwdfile.so pwdfile=/etc/custompinfile
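A check for the finished setup, as an added example that is not part of the original page: it confirms that the pam_pwdfile line is the first auth rule and that the PIN file is present, mode 400, and holds only user:hash entries. The function names are hypothetical, and `stat -c` assumes GNU coreutils, as on Ubuntu.

```bash
#!/usr/bin/env bash
# Added example: audit the PIN setup from the steps above. Paths are parameters
# so the check can run against copies; the defaults are the files on this page.

# Print the first active (non-comment) auth line of a PAM service file.
first_auth_line() {
    awk '$1 == "auth" { print; exit }' "$1"
}

# Return 0 if the setup matches the steps above, non-zero otherwise.
# Reasons go to stderr. Run with sudo: the real PIN file is readable by root only.
check_pin_setup() {
    local pam_file="${1:-/etc/pam.d/gdm-password}"
    local pin_file="${2:-/etc/custompinfile}"
    local rc=0 line mode

    # "sufficient" only takes effect as intended if it is evaluated first.
    line="$(first_auth_line "$pam_file")"
    case "$line" in
        *sufficient*pam_pwdfile.so*"pwdfile=$pin_file"*) ;;
        *) echo "FAIL: first auth line is not the pam_pwdfile entry: $line" >&2; rc=1 ;;
    esac

    if [ ! -s "$pin_file" ]; then
        echo "FAIL: $pin_file is missing or empty" >&2
        return 1
    fi
    [ -r "$pin_file" ] || { echo "cannot read $pin_file, run as root" >&2; return 2; }

    # The file holds a password hash: no group/other access, as chmod 400 sets.
    mode="$(stat -c '%a' "$pin_file")"
    case "$mode" in
        400|600) ;;
        *) echo "FAIL: $pin_file has mode $mode, expected 400" >&2; rc=1 ;;
    esac

    # Every entry must be user:hash with a crypt-style hash ($id$salt$digest).
    if grep -Evq '^[^:]+:\$[0-9a-z]+\$[^:]+$' "$pin_file"; then
        echo "FAIL: $pin_file has an entry that is not user:\$id\$salt\$digest" >&2
        rc=1
    fi
    return "$rc"
}
```

Call `check_pin_setup` with no arguments under sudo to audit the live files, or pass two paths to check copies.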
Unfortunately after several weeks of using this, I had to revert it. It doesn't work well with fscrypt encrypted folders or drives. I found myself jumping through all kinds of hoops to get it to work, and for safety decided that I should just go back to the main password rather than end up locking myself out.
I think it's safe to say that at this point, Ubuntu isn't designed to work with pin access for the initial login, and you should only use this on an intentionally insecure system without any encrypted files, stored credit card details, etc.
However, it might be possible to set things up so you enter the main password on the first login (after a reboot). This will unlock encrypted drives and keyring. Then use the pin screen lock only. I'll investigate this when I have more time.