(3 intermediate revisions by one other user not shown) |
Line 1: |
Line 1: |
| # Fingerprint Authentication with swaylock | | #REDIRECT [[Fingerprint Authentication with swaylock]] |
| | |
| This guide shows how to configure fingerprint authentication for swaylock on Alpine Linux, allowing you to unlock using either:
| |
| - `<enter password>` → `<hit enter>`
| |
| - `<hit enter>` → `<touch fingerprint sensor>`
| |
| | |
| ## Installation
| |
| | |
| Install the fprintd package:
| |
| | |
| ```bash
| |
| doas apk add fprintd
| |
| ```
| |
| | |
| ## Configure PolicyKit Permissions
| |
| | |
| Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the `input` group to manage fingerprints:
| |
| | |
| ```bash
| |
| doas tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF'
| |
| polkit.addRule(function (action, subject) {
| |
| if (action.id.indexOf("net.reactivated.fprint.") == 0) {
| |
| if (subject.isInGroup("input")) {
| |
| return polkit.Result.YES;
| |
| }
| |
| }
| |
| });
| |
| EOF
| |
| ```
| |
| | |
| Add your user to the `input` group:
| |
| | |
| ```bash
| |
| doas adduser $USER input
| |
| ```
| |
| | |
| **Note:** You must log out and back in (or reboot) for the group membership to take effect.
| |
| | |
| ## Enroll Fingerprints
| |
| | |
| If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments:
| |
| | |
| ```bash
| |
| # Delete fingerprints for current user
| |
| fprintd-delete $(whoami)
| |
| | |
| # If you accidentally enrolled as root, delete those too
| |
| doas fprintd-delete root
| |
| ```
| |
| | |
| Enroll your fingerprint(s):
| |
| | |
| ```bash
| |
| fprintd-enroll
| |
| ```
| |
| | |
| Verify the enrollment works:
| |
| | |
| ```bash
| |
| fprintd-verify
| |
| ```
| |
| | |
| ## Configure PAM for swaylock
| |
| | |
| Create the PAM configuration for swaylock:
| |
| | |
| ```bash
| |
| doas tee /etc/pam.d/swaylock << 'EOF'
| |
| # Try password authentication first
| |
| auth sufficient pam_unix.so nullok
| |
| # If no password provided, try fingerprint
| |
| auth sufficient pam_fprintd.so ignore-empty-password
| |
| auth required pam_deny.so
| |
| | |
| # KWallet integration (optional)
| |
| -auth optional pam_kwallet.so
| |
| -auth optional pam_kwallet5.so
| |
| -session optional pam_kwallet.so auto_start
| |
| -session optional pam_kwallet5.so auto_start
| |
| EOF
| |
| ```
| |
| | |
| ## Usage
| |
| | |
| Once configured, swaylock will accept both authentication methods:
| |
| | |
| - **Password authentication:** Type your password and press Enter
| |
| - **Fingerprint authentication:** Press Enter without typing anything, then touch the fingerprint sensor
| |
| | |
| ## Troubleshooting
| |
| | |
| - **Permission denied during enrollment:** Ensure you're in the `input` group and have logged out/in after adding the group
| |
| - **Fingerprint recognized but doesn't unlock:** Check that fingerprints are enrolled for the correct user (not root)
| |
| - **No fallback to password:** Verify the PAM configuration has `pam_unix.so` before `pam_fprintd.so`
| |
| | |
| ## Extending to Other Services
| |
| | |
| You can apply similar fingerprint authentication to other services by adding the same PAM configuration pattern to files in `/etc/pam.d/` such as:
| |
| - `sudo` or `doas`
| |
| - `polkit-1`
| |
| - `login`
| |
| - `su`
| |
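Review bot: In the `/etc/pam.d/swaylock` block of the text this revision replaces with the redirect, `auth sufficient pam_unix.so nullok` accepts an empty password for any account whose password field is blank. Since the documented fingerprint flow is to press Enter with nothing typed, such an account unlocks at the `pam_unix.so` line before `pam_fprintd.so` is ever consulted. If this text is kept at the redirect target, drop `nullok` from that line. The PolicyKit rule in the same text also returns `polkit.Result.YES` for every action id starting with `net.reactivated.fprint.` for any member of `input`, with no authentication prompt. Matching only the action ids needed for enrolling and verifying, or returning `polkit.Result.AUTH_SELF` instead of `YES`, would keep the grant closer to what the guide needs. The closing "Extending to Other Services" list suggests copying the same pattern to `sudo`, `doas`, `login` and `su`, where both issues carry more weight than on a screen locker, so that section should say so or stop short of recommending it.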