Setting up fprintd for swaylock: Difference between revisions

From Alpine Linux
No edit summary
No edit summary
Line 1: Line 1:
To enable swaylock to unlock like so:
# Fingerprint Authentication with swaylock


<enter password> <hit enter>
This guide shows how to configure fingerprint authentication for swaylock on Alpine Linux, allowing you to unlock using either:
- `<enter password>` → `<hit enter>`
- `<hit enter>` → `<touch fingerprint sensor>`


or
## Installation


<hit enter> <touch fingerprint sensor>
Install the fprintd package:


To install fprintd:
```bash
$ doas apk add fprintd
doas apk add fprintd
```


Upon installation a standard user was not authorized to add prints.
## Configure PolicyKit Permissions
The below was used to allow members of the 'input' group to add prints:


$ sudo tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF'
Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the `input` group to manage fingerprints:
 
```bash
doas tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF'
polkit.addRule(function (action, subject) {
polkit.addRule(function (action, subject) {
if (action.id.indexOf("net.reactivated.fprint.") == 0) {
    if (action.id.indexOf("net.reactivated.fprint.") == 0) {
if (subject.isInGroup("input")) {
        if (subject.isInGroup("input")) {
return polkit.Result.YES;
            return polkit.Result.YES;
}
        }
}
    }
});
});
EOF
EOF
```
Add your user to the `input` group:
```bash
doas adduser $USER input
```
**Note:** You must log out and back in (or reboot) for the group membership to take effect.
## Enroll Fingerprints
If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments:
```bash
# Delete fingerprints for current user
fprintd-delete $(whoami)


$ doas adduser $USER input
# If you accidentally enrolled as root, delete those too
doas fprintd-delete root
```


(reboot)
Enroll your fingerprint(s):


I previously enrolled a print for root accidentally, needed to delete it (as well as for my user for good measure):
```bash
fprintd-enroll
```


$ fprintd-delete $(whoami)
Verify the enrollment works:
$ fprintd-delete root


Then enroll fresh print(s):
```bash
fprintd-verify
```


$ fprintd-enroll
## Configure PAM for swaylock
$ fprintd-verify


Then, to set the swaylock config:
Create the PAM configuration for swaylock:


$ sudo tee /etc/pam.d/swaylock << 'EOF'
```bash
doas tee /etc/pam.d/swaylock << 'EOF'
# Try password authentication first
# Try password authentication first
auth sufficient pam_unix.so nullok
auth sufficient pam_unix.so nullok
# If no password provided, try fingerprint
# If no password provided, try fingerprint
auth sufficient pam_fprintd.so ignore-empty-password
auth sufficient pam_fprintd.so ignore-empty-password
auth required pam_deny.so # Keep the wallet stuff
auth required pam_deny.so
-auth optional pam_kwallet.so
 
-auth optional pam_kwallet5.so
# KWallet integration (optional)
-session optional pam_kwallet.so auto_start
-auth   optional       pam_kwallet.so
-session optional pam_kwallet5.so auto_start
-auth   optional       pam_kwallet5.so
-session optional       pam_kwallet.so auto_start
-session optional       pam_kwallet5.so auto_start
EOF
EOF
```
## Usage
Once configured, swaylock will accept both authentication methods:
- **Password authentication:** Type your password and press Enter
- **Fingerprint authentication:** Press Enter without typing anything, then touch the fingerprint sensor
## Troubleshooting
- **Permission denied during enrollment:** Ensure you're in the `input` group and have logged out/in after adding the group
- **Fingerprint recognized but doesn't unlock:** Check that fingerprints are enrolled for the correct user (not root)
- **No fallback to password:** Verify the PAM configuration has `pam_unix.so` before `pam_fprintd.so`
## Extending to Other Services
You can apply similar fingerprint authentication to other services by adding the same PAM configuration pattern to files in `/etc/pam.d/` such as:
- `sudo` or `doas`
- `polkit-1`
- `login`
- `su`

Revision as of 13:34, 1 September 2025

  1. Fingerprint Authentication with swaylock

This guide shows how to configure fingerprint authentication for swaylock on Alpine Linux, allowing you to unlock using either: - `<enter password>` → `<hit enter>` - `<hit enter>` → `<touch fingerprint sensor>`

    1. Installation

Install the fprintd package:

```bash doas apk add fprintd ```

    1. Configure PolicyKit Permissions

Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the `input` group to manage fingerprints:

```bash doas tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF' polkit.addRule(function (action, subject) { 

   if (action.id.indexOf("net.reactivated.fprint.") == 0) {
       if (subject.isInGroup("input")) {
           return polkit.Result.YES;
       }
   }

}); EOF ```

Add your user to the `input` group:

```bash doas adduser $USER input ```

    • Note:** You must log out and back in (or reboot) for the group membership to take effect.
    1. Enroll Fingerprints

If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments:

```bash

  1. Delete fingerprints for current user

fprintd-delete $(whoami)

  1. If you accidentally enrolled as root, delete those too

doas fprintd-delete root ```

Enroll your fingerprint(s):

```bash fprintd-enroll ```

Verify the enrollment works:

```bash fprintd-verify ```

    1. Configure PAM for swaylock

Create the PAM configuration for swaylock:

```bash doas tee /etc/pam.d/swaylock << 'EOF'

  1. Try password authentication first

auth sufficient pam_unix.so nullok

  1. If no password provided, try fingerprint

auth sufficient pam_fprintd.so ignore-empty-password auth required pam_deny.so

  1. KWallet integration (optional)

-auth optional pam_kwallet.so -auth optional pam_kwallet5.so -session optional pam_kwallet.so auto_start -session optional pam_kwallet5.so auto_start EOF ```

    1. Usage

Once configured, swaylock will accept both authentication methods:

- **Password authentication:** Type your password and press Enter - **Fingerprint authentication:** Press Enter without typing anything, then touch the fingerprint sensor

    1. Troubleshooting

- **Permission denied during enrollment:** Ensure you're in the `input` group and have logged out/in after adding the group - **Fingerprint recognized but doesn't unlock:** Check that fingerprints are enrolled for the correct user (not root) - **No fallback to password:** Verify the PAM configuration has `pam_unix.so` before `pam_fprintd.so`

    1. Extending to Other Services

You can apply similar fingerprint authentication to other services by adding the same PAM configuration pattern to files in `/etc/pam.d/` such as: - `sudo` or `doas` - `polkit-1` - `login` - `su`

Retrieved from "https://wiki.alpinelinux.org/w/index.php?title=Setting_up_fprintd_for_swaylock&oldid=30827"