= Fingerprint Authentication with swaylock =

This guide shows how to configure fingerprint authentication for swaylock on Alpine Linux, allowing you to unlock using either:
* <code><enter password></code> → <code><hit enter></code>
* <code><hit enter></code> → <code><touch fingerprint sensor></code>

== Installation ==

Install the fprintd package:

<pre>
doas apk add fprintd
</pre>

== Configure PolicyKit Permissions ==

Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the <code>input</code> group to manage fingerprints:

<pre>
doas tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF'
// Prefix match: applies to every fprintd action (net.reactivated.fprint.*)
polkit.addRule(function (action, subject) {
    if (action.id.indexOf("net.reactivated.fprint.") == 0) {
        // Members of the input group are allowed without further prompting
        if (subject.isInGroup("input")) {
            return polkit.Result.YES;
        }
    }
});
EOF
</pre>

Add your user to the <code>input</code> group:

<pre>
doas adduser "$USER" input
</pre>

'''Note:''' You must log out and back in (or reboot) for the group membership to take effect.

== Enroll Fingerprints ==

If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments:

<pre>
# Delete fingerprints for current user
fprintd-delete "$(whoami)"

# If you accidentally enrolled as root, delete those too
doas fprintd-delete root
</pre>

Enroll your fingerprint(s):

<pre>
fprintd-enroll
</pre>

Verify the enrollment works:

<pre>
fprintd-verify
</pre>

== Configure PAM for swaylock ==

Create the PAM configuration for swaylock:

<pre>
doas tee /etc/pam.d/swaylock << 'EOF'
# Try password authentication first
auth sufficient pam_unix.so nullok
# If no password provided, try fingerprint
auth sufficient pam_fprintd.so ignore-empty-password
auth required pam_deny.so

# KWallet integration (optional)
-auth optional pam_kwallet.so
-auth optional pam_kwallet5.so
-session optional pam_kwallet.so auto_start
-session optional pam_kwallet5.so auto_start
EOF
</pre>

== Usage ==

Once configured, swaylock will accept both authentication methods:

* '''Password authentication:''' Type your password and press Enter
* '''Fingerprint authentication:''' Press Enter without typing anything, then touch the fingerprint sensor

== Troubleshooting ==

* '''Permission denied during enrollment:''' Ensure you are in the <code>input</code> group and have logged out and back in after being added to it
* '''Fingerprint recognized but doesn't unlock:''' Check that fingerprints are enrolled for the correct user (not root)
* '''No fallback to password:''' Verify that the PAM configuration lists <code>pam_unix.so</code> before <code>pam_fprintd.so</code>

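The ordering rule from the troubleshooting list and the <code>auth</code> chain from the PAM section, as a check you can run against <code>/etc/pam.d/swaylock</code>. This is an added example, not part of the original guide: <code>check_pam_order</code> and the <code>sample_*</code> helpers are illustrative names, and the sample inputs are constructed from the configuration on this page.

```shell
#!/bin/sh
# Added example; check_pam_order and the sample_* helpers are illustrative names.
# Reads a PAM service file (argument or stdin), prints one finding per line and
# returns 0 if the auth chain follows the pattern used on this page, 1 otherwise.
check_pam_order() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }           # comments and blank lines
        { type = $1; sub(/^-/, "", type) }     # leading "-" only silences the log for a missing module
        type != "auth" { next }
        {
            n++
            if ($3 == "pam_unix.so" && !unix) {
                unix = n
                for (i = 4; i <= NF; i++) if ($i == "nullok") nullok = 1
            }
            if ($3 == "pam_fprintd.so" && !fp) fp = n
            if ($3 == "pam_deny.so" && $2 == "required") deny = n
        }
        END {
            if (!fp) { print "FAIL: pam_fprintd.so not in auth chain"; bad = 1 }
            if (!unix) { print "FAIL: pam_unix.so missing, no password fallback"; bad = 1 }
            else if (fp && unix > fp) { print "FAIL: pam_unix.so comes after pam_fprintd.so"; bad = 1 }
            if (!deny || deny < unix || deny < fp) { print "FAIL: no required pam_deny.so after both modules"; bad = 1 }
            if (nullok) print "WARN: nullok accepts an empty password for accounts that have none set"
            exit bad + 0
        }
    ' "$@"
}

# Constructed sample: the auth chain as given on this page
sample_page_config() {
    cat << 'EOF'
# Try password authentication first
auth sufficient pam_unix.so nullok
auth sufficient pam_fprintd.so ignore-empty-password
auth required pam_deny.so
-auth optional pam_kwallet.so
EOF
}

# Constructed sample: the same chain with the two modules swapped
sample_swapped() {
    cat << 'EOF'
auth sufficient pam_fprintd.so ignore-empty-password
auth sufficient pam_unix.so
auth required pam_deny.so
EOF
}
```

Run it as <code>check_pam_order /etc/pam.d/swaylock</code> after editing the file and before locking the session, so a broken chain is caught while you can still fix it.
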
== Extending to Other Services ==

You can apply similar fingerprint authentication to other services by adding the same PAM configuration pattern to files in <code>/etc/pam.d/</code> such as:
* <code>sudo</code> or <code>doas</code>
* <code>polkit-1</code>
* <code>login</code>
* <code>su</code>