fprint
The idea is to use the built-in fingerprint reader in some notebooks for login using PAM. This article also explains how to keep the regular password as a backup login method (relying solely on the fingerprint scanner is not recommended, for numerous reasons).
From the fprint homepage:
- The fprint project aims to plug a gap in the Linux desktop: support for consumer fingerprint reader devices.
Prerequisites
Make sure you have one of the supported fingerprint scanners. You can check whether your device is supported by checking the list of supported devices. To check which one you have, type:
$ lsusb
Installation
Install the fprintd package. imagemagick might also be needed.
Some devices require a different fork of libfprint specifically made for touch-based sensors and not (yet?) merged with the main libfprint: libfprint-tod. This is available as libfprint-tod-git (AUR). If you have a 04f3:0c4c or a 04f3:0c00 device, use the experimental package libfprint-elanmoc2-newdrvs-git (AUR) from libfprint-elanmoc2-newdrvs, which is waiting to be merged into libfprint-elanmoc2, which is in turn waiting to be merged into the main libfprint.
Configuration
Login configuration
Add pam_fprintd.so as sufficient to the top of the auth section of :
This tries to use fingerprint login first, and if it fails or if it finds no fingerprint signatures in the given user's home directory, it proceeds to password login.
You can also modify other files in /etc/pam.d/{login,su,sudo,gdm,lightdm} in the same way, for example /etc/pam.d/polkit-1 for GNOME polkit authentication or to unlock KDE's lockscreen.
Adding pam_fprintd.so as sufficient to any configuration file in /etc/pam.d/ when a fingerprint signature is present will only prompt for fingerprint authentication. This prevents the use of a password if you cannot fingerprint authentication (due to the lack of a shell). In order to use either a password or a fingerprint in a graphical interface, add the following lines to the top of any files required:
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so
...
This will prompt for a password; pressing Enter on a blank field will proceed to fingerprint authentication.
If you want to prompt for fingerprint and password input at the same time, you can use . This may be needed for some graphical programs which do not allow blank password input, such as Gnome's built-in polkit agent. To use this package, add the following lines to the top of any files required:
auth sufficient pam_fprintd_grosshack.so
auth sufficient pam_unix.so try_first_pass nullok
...
Create fingerprint signature
You will need to have an authentication agent running before being able to enroll.
To add a signature for a finger, run:
$ fprintd-enroll
or create a new signature for all fingers:
$ fprintd-delete "$USER"
$ for finger in {left,right}-{thumb,{index,middle,ring,little}-finger}; do fprintd-enroll -f "$finger" "$USER"; done
You will be asked to scan the given finger. Swipe your right index finger five times. After that, the signature is created in .
You can also enroll without an authentication agent:
# fprintd-enroll user
For more information, see .
Restrict enrolling
By default every user is allowed to enroll new fingerprints without prompting for the password or the fingerprint. You can change this behavior using polkit rules.
There are two locations that contain the polkit configuration files:
/etc/polkit-1/rules.d/
/usr/share/polkit-1/rules.d/
Do not edit the files in /usr/share/polkit-1/rules.d/ because they will be overwritten on update. Copy them to /etc/polkit-1/rules.d/ first.
In the following example only root can enroll fingerprints:
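A rule implementing that policy, as an added example rather than the wiki's or the fprintd project's own file: it denies the fprintd enroll action to every user except root and logs each refusal. The file path in the first comment and the function name are hypothetical, the action id is assumed to be the one fprintd registers for enrollment, and the Result fallback exists only so the function can be exercised outside polkitd.

```javascript
// Hypothetical path: /etc/polkit-1/rules.d/50-fprint-enroll-root-only.rules
// polkitd supplies the global `polkit` object. The fallbacks below exist only
// so the decision function can be exercised outside polkitd (e.g. in Node.js).
var havePolkit = (typeof polkit !== "undefined");
var Result = havePolkit ? polkit.Result
                        : { YES: "yes", NO: "no", NOT_HANDLED: null };

// Assumption: fprintd registers enrollment under this polkit action id.
var ENROLL_ACTION = "net.reactivated.fprint.device.enroll";

function fprintEnrollRule(action, subject) {
    // Only decide on enrollment; verification and every other action fall
    // through to the next rule or to the action's packaged default.
    if (action.id !== ENROLL_ACTION) {
        return Result.NOT_HANDLED;
    }
    if (subject.user === "root") {
        return Result.YES;
    }
    // Record the refusal so attempts to add prints show up in the journal.
    if (havePolkit) {
        polkit.log("fprint enroll denied for user " + subject.user);
    }
    return Result.NO;
}

if (havePolkit) {
    polkit.addRule(fprintEnrollRule);
}
```

With this rule in place, an unprivileged `$ fprintd-enroll` is refused, while `# fprintd-enroll user` run as root still works.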
Troubleshooting
No devices available
If your supported device cannot be found or is claimed to be already open (in use), check the logs in the journal.
You may find log entries like:
fprintd[2936592]: Corrupted message received
fprintd[2936592]: Ignoring device due to initialization error: unsupported firmware version
Ensure your device's firmware is up to date with Fwupd.