Setting up fprintd for swaylock: Difference between revisions
No edit summary |
No edit summary |
||
Line 9: | Line 9: | ||
Install the fprintd package: | Install the fprintd package: | ||
doas apk add fprintd | |||
doas apk add fprintd | |||
== Configure PolicyKit Permissions == | == Configure PolicyKit Permissions == | ||
Line 17: | Line 15: | ||
Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the <code>input</code> group to manage fingerprints: | Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the <code>input</code> group to manage fingerprints: | ||
doas tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF' | |||
doas tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF' | polkit.addRule(function (action, subject) { | ||
polkit.addRule(function (action, subject) { | if (action.id.indexOf("net.reactivated.fprint.") == 0) { | ||
if (subject.isInGroup("input")) { | |||
return polkit.Result.YES; | |||
} | |||
} | |||
}); | |||
}); | EOF | ||
EOF | |||
Add your user to the <code>input</code> group: | Add your user to the <code>input</code> group: | ||
doas adduser $USER input | |||
doas adduser $USER input | |||
'''Note:''' You must log out and back in (or reboot) for the group membership to take effect. | |||
== Enroll Fingerprints == | == Enroll Fingerprints == | ||
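Review bot: the polkit rule in this hunk matches on the prefix net.reactivated.fprint. and returns polkit.Result.YES, so every fprintd action is granted without authentication to any member of input, not only enrollment of the caller's own prints. Consider matching only the action ids the guide needs (for example net.reactivated.fprint.device.enroll and net.reactivated.fprint.device.verify) or returning polkit.Result.AUTH_SELF. The text should also say that input is typically the group that owns the /dev/input event devices, so "doas adduser $USER input" widens the account's access beyond fingerprint management.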
Line 41: | Line 35: | ||
If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments: | If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments: | ||
# Delete fingerprints for current user | |||
# Delete fingerprints for current user | fprintd-delete $(whoami) | ||
fprintd-delete $(whoami) | |||
# If you accidentally enrolled as root, delete those too | |||
# If you accidentally enrolled as root, delete those too | doas fprintd-delete root | ||
doas fprintd-delete root | |||
Enroll your fingerprint(s): | Enroll your fingerprint(s): | ||
fprintd-enroll | |||
fprintd-enroll | |||
Verify the enrollment works: | Verify the enrollment works: | ||
fprintd-verify | |||
fprintd-verify | |||
== Configure PAM for swaylock == | == Configure PAM for swaylock == | ||
Line 65: | Line 53: | ||
Create the PAM configuration for swaylock: | Create the PAM configuration for swaylock: | ||
doas tee /etc/pam.d/swaylock << 'EOF' | |||
doas tee /etc/pam.d/swaylock << 'EOF' | # Try password authentication first | ||
# Try password authentication first | auth sufficient pam_unix.so nullok | ||
auth sufficient pam_unix.so nullok | # If no password provided, try fingerprint | ||
# If no password provided, try fingerprint | auth sufficient pam_fprintd.so ignore-empty-password | ||
auth sufficient pam_fprintd.so ignore-empty-password | auth required pam_deny.so | ||
auth required pam_deny.so | |||
# KWallet integration (optional) | |||
# KWallet integration (optional) | -auth optional pam_kwallet.so | ||
-auth optional pam_kwallet.so | -auth optional pam_kwallet5.so | ||
-auth optional pam_kwallet5.so | -session optional pam_kwallet.so auto_start | ||
-session optional pam_kwallet.so auto_start | -session optional pam_kwallet5.so auto_start | ||
-session optional pam_kwallet5.so auto_start | EOF | ||
EOF | |||
== Usage == | == Usage == |
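Review bot: "auth sufficient pam_unix.so nullok" at the top of the swaylock stack lets an account whose password field is blank unlock the screen with an empty password, and the Enter-then-fingerprint flow does not appear to depend on it; suggest dropping nullok unless passwordless accounts are intended. The "-auth optional pam_kwallet.so" and pam_kwallet5.so lines also sit below two sufficient modules and pam_deny.so, so they are not reached on a successful unlock; if KWallet unlocking is wanted, the stack order needs a comment or a rework.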
Revision as of 13:41, 1 September 2025
Fingerprint Authentication with swaylock
This guide shows how to configure fingerprint authentication for swaylock on Alpine Linux, allowing you to unlock using either:
- <enter password> → <hit enter>
- <hit enter> → <touch fingerprint sensor>
Installation
Install the fprintd package:
doas apk add fprintd
Configure PolicyKit Permissions
Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the input group to manage fingerprints:
doas tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF'
polkit.addRule(function (action, subject) {
    if (action.id.indexOf("net.reactivated.fprint.") == 0) {
        if (subject.isInGroup("input")) {
            return polkit.Result.YES;
        }
    }
});
EOF
Add your user to the input group:
doas adduser $USER input
Note: You must log out and back in (or reboot) for the group membership to take effect.
Enroll Fingerprints
If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments:
# Delete fingerprints for current user
fprintd-delete $(whoami)
# If you accidentally enrolled as root, delete those too
doas fprintd-delete root
Enroll your fingerprint(s):
fprintd-enroll
Verify the enrollment works:
fprintd-verify
Configure PAM for swaylock
Create the PAM configuration for swaylock:
doas tee /etc/pam.d/swaylock << 'EOF'
# Try password authentication first
auth sufficient pam_unix.so nullok
# If no password provided, try fingerprint
auth sufficient pam_fprintd.so ignore-empty-password
auth required pam_deny.so
# KWallet integration (optional)
-auth optional pam_kwallet.so
-auth optional pam_kwallet5.so
-session optional pam_kwallet.so auto_start
-session optional pam_kwallet5.so auto_start
EOF
Usage
Once configured, swaylock will accept both authentication methods:
- Password authentication: Type your password and press Enter
- Fingerprint authentication: Press Enter without typing anything, then touch the fingerprint sensor
Troubleshooting
- Permission denied during enrollment: Ensure you're in the input group and have logged out/in after adding the group
- Fingerprint recognized but doesn't unlock: Check that fingerprints are enrolled for the correct user (not root)
- No fallback to password: Verify the PAM configuration has pam_unix.so before pam_fprintd.so
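The ordering check from the last troubleshooting item can be scripted. This is an added example, not part of the original wiki page: the function names auth_modules and check_pam_stack are hypothetical, and the two sample files are constructed from the guide's auth lines.

```shell
#!/bin/sh
# Added example: audit the auth stack of a PAM service file for the ordering
# this guide relies on. Function names and messages are illustrative.

# Print the module of each active "auth" line, in stack order.
auth_modules() {
    awk '{ sub(/^-/, "", $1) }
         $1 == "auth" { for (i = 3; i <= NF; i++)
                            if ($i ~ /\.so$/) { print $i; break } }' "$1"
}

# Return 0 if pam_unix.so is stacked before pam_fprintd.so, 1 otherwise.
check_pam_stack() {
    mods=$(auth_modules "$1")
    unix_pos=$(printf '%s\n' "$mods" | grep -nx 'pam_unix\.so' | head -n 1 | cut -d: -f1)
    fp_pos=$(printf '%s\n' "$mods" | grep -nx 'pam_fprintd\.so' | head -n 1 | cut -d: -f1)
    rc=0
    [ -n "$unix_pos" ] || { echo "FAIL: no pam_unix.so auth line"; rc=1; }
    [ -n "$fp_pos" ] || { echo "FAIL: no pam_fprintd.so auth line"; rc=1; }
    if [ "$rc" -eq 0 ] && [ "$unix_pos" -gt "$fp_pos" ]; then
        echo "FAIL: pam_fprintd.so is stacked before pam_unix.so"; rc=1
    fi
    # nullok lets an account with a blank password field pass pam_unix.
    if grep -Eq '^-?auth[[:space:]].*pam_unix\.so.*[[:space:]]nullok' "$1"; then
        echo "WARN: pam_unix.so is called with nullok"
    fi
    return "$rc"
}

# Constructed samples: the guide's auth lines, and the same lines reordered.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/guide" << 'EOF'
# Try password authentication first
auth sufficient pam_unix.so nullok
auth sufficient pam_fprintd.so ignore-empty-password
auth required pam_deny.so
EOF
cat > "$SAMPLE_DIR/reordered" << 'EOF'
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so
auth required pam_deny.so
EOF

for f in guide reordered; do
    echo "== $f"
    if check_pam_stack "$SAMPLE_DIR/$f"; then echo "OK: password is tried first"; fi
done
```

On a configured system, run check_pam_stack /etc/pam.d/swaylock, or point it at any other service file the same pattern was copied into.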
Extending to Other Services
You can apply similar fingerprint authentication to other services by adding the same PAM configuration pattern to files in /etc/pam.d/ such as:
- sudo or doas
- polkit-1
- login
- su