Fingerprint Authentication with swaylock: Difference between revisions

From Alpine Linux

Revision as of 14:08, 1 September 2025

Fingerprint Authentication with swaylock

This guide shows how to configure fingerprint authentication for swaylock on Alpine Linux, allowing you to unlock using either:

  • <enter password><hit enter>
  • <hit enter><touch fingerprint sensor>

Installation

Install the fprintd package:

doas apk add fprintd

Configure PolicyKit Permissions

Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the input group to manage fingerprints:

doas tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF'
polkit.addRule(function (action, subject) {
    if (action.id.indexOf("net.reactivated.fprint.") == 0) {
        if (subject.isInGroup("input")) {
            return polkit.Result.YES;
        }
    }
});
EOF

Add your user to the input group:

doas adduser "$USER" input

Note: You must log out and back in (or reboot) for the group membership to take effect.

Enroll Fingerprints

If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments:

# Delete fingerprints for current user
fprintd-delete "$(whoami)"

# If you accidentally enrolled as root, delete those too
doas fprintd-delete root

Enroll your fingerprint(s):

fprintd-enroll

Verify the enrollment works:

fprintd-verify

Configure PAM for swaylock

Create the PAM configuration for swaylock:

doas tee /etc/pam.d/swaylock << 'EOF'
# Try password authentication first
auth sufficient pam_unix.so nullok
# If no password provided, try fingerprint
auth sufficient pam_fprintd.so ignore-empty-password
auth required pam_deny.so

# KWallet integration (optional)
-auth    optional        pam_kwallet.so
-auth    optional        pam_kwallet5.so
-session optional        pam_kwallet.so auto_start
-session optional        pam_kwallet5.so auto_start
EOF

Usage

Once configured, swaylock will accept both authentication methods:

  • Password authentication: Type your password and press Enter
  • Fingerprint authentication: Press Enter without typing anything, then touch the fingerprint sensor

Troubleshooting

  • Permission denied during enrollment: Ensure you're in the input group and have logged out and back in after being added to it
  • Fingerprint recognized but doesn't unlock: Check that fingerprints are enrolled for the correct user (not root)
  • No fallback to password: Verify the PAM configuration has pam_unix.so before pam_fprintd.so

Extending to Other Services

You can apply similar fingerprint authentication to other services by adding the same PAM configuration pattern to files in /etc/pam.d/ such as:

  • sudo
  • polkit-1
  • login
  • su
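
The ordering check from Troubleshooting, usable on any /etc/pam.d/ file before reusing the pattern there, as an added example that is not part of the wiki page. The function name check_fprint_pam and the sample stack are constructed here, and the parser assumes plain control keywords (no bracketed [value=action] controls).

```shell
#!/bin/sh
# Added example (not from the wiki page): lint the auth stack of a PAM
# service file against the pattern used in this guide.
# Usage: check_fprint_pam /etc/pam.d/swaylock
# Prints one finding per line; returns 0 only when nothing is found.
check_fprint_pam() {
    awk '
        /^[ \t]*#/ { next }                  # skip comments
        NF == 0    { next }                  # skip blank lines
        {
            type = $1; sub(/^-/, "", type)   # "-auth" is still an auth line
            if (type != "auth") next
            n++                              # position within the auth stack
            if ($3 == "pam_unix.so"    && !unix)   { unix = n;   unix_ctl = $2 }
            if ($3 == "pam_fprintd.so" && !fprint) { fprint = n; fprint_ctl = $2 }
            if ($3 == "pam_deny.so" && $2 == "required") deny = n
        }
        END {
            if (!unix)   msg[++m] = "pam_unix.so missing: no password fallback"
            if (!fprint) msg[++m] = "pam_fprintd.so missing"
            if (unix && fprint && unix > fprint)
                msg[++m] = "pam_fprintd.so is listed before pam_unix.so"
            if (unix && unix_ctl != "sufficient")
                msg[++m] = "pam_unix.so control is " unix_ctl ", expected sufficient"
            if (fprint && fprint_ctl != "sufficient")
                msg[++m] = "pam_fprintd.so control is " fprint_ctl ", expected sufficient"
            if (deny <= unix || deny <= fprint)
                msg[++m] = "no \"auth required pam_deny.so\" after both modules"
            for (i = 1; i <= m; i++) print msg[i]
            exit (m > 0)
        }
    ' "$1"
}

# Constructed sample: the two modules swapped relative to the guide.
sample=$(mktemp)
printf '%s\n' \
    'auth sufficient pam_fprintd.so ignore-empty-password' \
    'auth sufficient pam_unix.so nullok' \
    'auth required pam_deny.so' > "$sample"
check_fprint_pam "$sample" || echo "-> fix the stack order before relying on it"
rm -f "$sample"
```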