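#!/bin/sh
#
# Enable the ThinkFinger PAM module in the shared auth stack.
#
# Inserts "auth sufficient pam_thinkfinger.so" ahead of every pam_unix auth
# line in $PAMFILE and makes sure that pam_unix line carries try_first_pass.
# Needs write access to $PAMFILE and GNU sed (the script already relied on
# -i, -r and \t escapes).
#
# Security note: with "sufficient", a successful fingerprint match satisfies
# the auth stack on its own for every service that includes this file.
# Review which services include it before running this.
#
# Exit status: 0 when the file was updated, 1 on any refusal or failure.

# Set options here rather than in the shebang so that "sh script" keeps them.
set -eu

PAMFILE=/etc/pam.d/common-auth

# Print a diagnostic on stderr and stop.
die() {
   echo "$*" >&2
   exit 1
}

if [ ! -w "$PAMFILE" ]; then
   die "$PAMFILE not writable (need to be root?)"
fi

if grep -q thinkfinger "$PAMFILE"; then
   die "fingerprint reader already enabled"
fi

if grep -q fprint "$PAMFILE"; then
   die "other fingerprint reader already enabled"
fi

if ! grep -q pam_unix "$PAMFILE"; then
   die "unusual PAM file, modify by hand"
fi

# The previous version used "q" when try_first_pass was already present.
# Under "sed -i" that stops sed before the remaining lines are copied, so
# everything after the pam_unix line was dropped from the auth stack and the
# module was never inserted. Skip only the substitution in that case.
# The sed script is single-quoted so the shell passes it through verbatim.
sed -i -r -e '/^auth[ \t].*[ \t]pam_unix\.so([ \t].*)?/{
	/try_first_pass/!s/^(auth[ \t].*[ \t]pam_unix\.so)/\1 try_first_pass/
	i auth\tsufficient\tpam_thinkfinger.so
}' "$PAMFILE"

# The grep pre-check above is looser than the sed address (it also accepts
# commented-out or non-auth pam_unix lines), so confirm the edit took effect
# instead of reporting success on an unchanged file.
if ! grep -q 'pam_thinkfinger\.so' "$PAMFILE"; then
   die "unusual PAM file, modify by hand"
fi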
