Setting up fprintd for swaylock: Difference between revisions
No edit summary |
No edit summary |
||
Line 1: | Line 1: | ||
= Fingerprint Authentication with swaylock = | |||
This guide shows how to configure fingerprint authentication for swaylock on Alpine Linux, allowing you to unlock using either: | This guide shows how to configure fingerprint authentication for swaylock on Alpine Linux, allowing you to unlock using either: | ||
* <code><enter password></code> → <code><hit enter></code> | |||
* <code><hit enter></code> → <code><touch fingerprint sensor></code> | |||
== Installation == | |||
Install the fprintd package: | Install the fprintd package: | ||
<syntaxhighlight lang="bash"> | |||
doas apk add fprintd | doas apk add fprintd | ||
</syntaxhighlight> | |||
== Configure PolicyKit Permissions == | |||
Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the | Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the <code>input</code> group to manage fingerprints: | ||
<syntaxhighlight lang="bash"> | |||
doas tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF' | doas tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF' | ||
polkit.addRule(function (action, subject) { | polkit.addRule(function (action, subject) { | ||
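Review bot: The sentence "allow members of the <code>input</code> group to manage fingerprints" reuses the input group as the authorization group for the fprintd rule. That group usually also owns the /dev/input event devices, so every account added for fingerprint enrollment gains raw input-device access as well. Suggest a dedicated group for this rule (a hypothetical "fingerprint" group, for example) and using the same name in the rule text and in the later adduser step.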
Line 27: | Line 27: | ||
}); | }); | ||
EOF | EOF | ||
</syntaxhighlight> | |||
Add your user to the | Add your user to the <code>input</code> group: | ||
<syntaxhighlight lang="bash"> | |||
doas adduser $USER input | doas adduser $USER input | ||
</syntaxhighlight> | |||
{{Note|You must log out and back in (or reboot) for the group membership to take effect.}} | |||
== Enroll Fingerprints == | |||
If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments: | If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments: | ||
<syntaxhighlight lang="bash"> | |||
# Delete fingerprints for current user | # Delete fingerprints for current user | ||
fprintd-delete $(whoami) | fprintd-delete $(whoami) | ||
Line 47: | Line 47: | ||
# If you accidentally enrolled as root, delete those too | # If you accidentally enrolled as root, delete those too | ||
doas fprintd-delete root | doas fprintd-delete root | ||
</syntaxhighlight> | |||
Enroll your fingerprint(s): | Enroll your fingerprint(s): | ||
<syntaxhighlight lang="bash"> | |||
fprintd-enroll | fprintd-enroll | ||
</syntaxhighlight> | |||
Verify the enrollment works: | Verify the enrollment works: | ||
<syntaxhighlight lang="bash"> | |||
fprintd-verify | fprintd-verify | ||
</syntaxhighlight> | |||
== Configure PAM for swaylock == | |||
Create the PAM configuration for swaylock: | Create the PAM configuration for swaylock: | ||
<syntaxhighlight lang="bash"> | |||
doas tee /etc/pam.d/swaylock << 'EOF' | doas tee /etc/pam.d/swaylock << 'EOF' | ||
# Try password authentication first | # Try password authentication first | ||
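Review bot: The "#" comment lines placed inside <syntaxhighlight lang="bash"> ("# If you accidentally enrolled as root, delete those too", "# Try password authentication first") appear in the rendered revision as list items, and the syntaxhighlight tags appear as literal text, which suggests the tag is not processed on this wiki. Suggest confirming the SyntaxHighlight extension is enabled, or falling back to <pre> blocks so the comments and heredocs stay copy-pasteable. The /etc/pam.d/swaylock heredoc is also PAM syntax rather than bash, so lang="bash" only fits the tee line.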
Line 79: | Line 79: | ||
-session optional pam_kwallet5.so auto_start | -session optional pam_kwallet5.so auto_start | ||
EOF | EOF | ||
</syntaxhighlight> | |||
== Usage == | |||
Once configured, swaylock will accept both authentication methods: | Once configured, swaylock will accept both authentication methods: | ||
* '''Password authentication:''' Type your password and press Enter | |||
* '''Fingerprint authentication:''' Press Enter without typing anything, then touch the fingerprint sensor | |||
== Troubleshooting == | |||
* '''Permission denied during enrollment:''' Ensure you're in the <code>input</code> group and have logged out/in after adding the group | |||
* '''Fingerprint recognized but doesn't unlock:''' Check that fingerprints are enrolled for the correct user (not root) | |||
* '''No fallback to password:''' Verify the PAM configuration has <code>pam_unix.so</code> before <code>pam_fprintd.so</code> | |||
== Extending to Other Services == | |||
You can apply similar fingerprint authentication to other services by adding the same PAM configuration pattern to files in | You can apply similar fingerprint authentication to other services by adding the same PAM configuration pattern to files in <code>/etc/pam.d/</code> such as: | ||
* <code>sudo</code> or <code>doas</code> | |||
* <code>polkit-1</code> | |||
* <code>login</code> | |||
* <code>su</code> |
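Review bot: The "Extending to Other Services" list names sudo or doas, polkit-1, login and su without saying that those services normally ship their own PAM stacks, while the swaylock file in this guide is written whole with "doas tee". Suggest a sentence telling readers to add the pam_fprintd.so line to the existing auth stack of each service instead of overwriting the file, and to note that a "sufficient" fingerprint line there lets a fingerprint alone authorize login or privilege escalation.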
Revision as of 13:36, 1 September 2025
Fingerprint Authentication with swaylock
This guide shows how to configure fingerprint authentication for swaylock on Alpine Linux, allowing you to unlock using either:
- <enter password> → <hit enter>
- <hit enter> → <touch fingerprint sensor>
Installation
Install the fprintd package:
<syntaxhighlight lang="bash">
doas apk add fprintd
</syntaxhighlight>
Configure PolicyKit Permissions
Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the input group to manage fingerprints:
<syntaxhighlight lang="bash">
doas tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF'
polkit.addRule(function (action, subject) {
    if (action.id.indexOf("net.reactivated.fprint.") == 0) {
        if (subject.isInGroup("input")) {
            return polkit.Result.YES;
        }
    }
});
EOF
</syntaxhighlight>
Add your user to the input group:
<syntaxhighlight lang="bash">
doas adduser $USER input
</syntaxhighlight>
Enroll Fingerprints
If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments:
<syntaxhighlight lang="bash">
# Delete fingerprints for current user
fprintd-delete $(whoami)
# If you accidentally enrolled as root, delete those too
doas fprintd-delete root
</syntaxhighlight>
Enroll your fingerprint(s):
<syntaxhighlight lang="bash">
fprintd-enroll
</syntaxhighlight>
Verify the enrollment works:
<syntaxhighlight lang="bash">
fprintd-verify
</syntaxhighlight>
Configure PAM for swaylock
Create the PAM configuration for swaylock:
<syntaxhighlight lang="bash">
doas tee /etc/pam.d/swaylock << 'EOF'
# Try password authentication first
auth sufficient pam_unix.so nullok
# If no password provided, try fingerprint
auth sufficient pam_fprintd.so ignore-empty-password
auth required pam_deny.so
# KWallet integration (optional)
-auth optional pam_kwallet.so
-auth optional pam_kwallet5.so
-session optional pam_kwallet.so auto_start
-session optional pam_kwallet5.so auto_start
EOF
</syntaxhighlight>
Usage
Once configured, swaylock will accept both authentication methods:
- Password authentication: Type your password and press Enter
- Fingerprint authentication: Press Enter without typing anything, then touch the fingerprint sensor
Troubleshooting
- Permission denied during enrollment: Ensure you're in the input group and have logged out/in after adding the group
- Fingerprint recognized but doesn't unlock: Check that fingerprints are enrolled for the correct user (not root)
- No fallback to password: Verify the PAM configuration has pam_unix.so before pam_fprintd.so
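A check for the last troubleshooting item, as an added example that is not part of the wiki page: a shell function that reads a PAM service file and reports whether pam_unix.so precedes pam_fprintd.so, whether nullok is set (with it, an account that has an empty password unlocks on a bare Enter), and whether the auth stack ends in a deny. The function names, finding codes and sample input are constructed for this illustration, and module names are assumed to be written without a directory path.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the auth stack of a PAM service file.
# Usage: audit_pam_auth /etc/pam.d/swaylock   (reads stdin when no file is given)
audit_pam_auth() {
    awk '
        /^[[:space:]]*(#|$)/ { next }      # skip comments and blank lines
        { sub(/^-/, "", $1) }              # a leading "-" only silences missing-module logs
        $1 != "auth" { next }
        {
            n++
            # The module is the first *.so token; this also copes with [bracketed] controls.
            for (m = 3; m <= NF && $m !~ /\.so$/; m++) ;
            if ($m == "pam_unix.so") {
                unix = n
                for (i = m + 1; i <= NF; i++) if ($i == "nullok") nullok = 1
            }
            if ($m == "pam_fprintd.so") fp = n
            if ($m == "pam_deny.so" && ($2 == "required" || $2 == "requisite")) deny = n
        }
        END {
            if (!unix)                   { print "NO_PASSWORD_MODULE"; bad = 1 }
            if (!fp)                     { print "NO_FINGERPRINT_MODULE"; bad = 1 }
            if (unix && fp && fp < unix) { print "FPRINTD_BEFORE_UNIX"; bad = 1 }
            if (nullok)                  { print "NULLOK_ALLOWS_EMPTY_PASSWORD_ACCOUNTS"; bad = 1 }
            if (!deny || deny < unix || deny < fp) { print "NO_FINAL_DENY"; bad = 1 }
            if (!bad) print "OK"
        }
    ' "$@"
}

# Constructed sample: auth and session lines matching the swaylock file on this page.
page_config() {
    cat << 'EOF'
# Try password authentication first
auth sufficient pam_unix.so nullok
# If no password provided, try fingerprint
auth sufficient pam_fprintd.so ignore-empty-password
auth required pam_deny.so
-auth optional pam_kwallet.so
-session optional pam_kwallet.so auto_start
EOF
}

page_config | audit_pam_auth
```

On a live system, pass the file path instead of piping the sample: `audit_pam_auth /etc/pam.d/swaylock`.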
Extending to Other Services
You can apply similar fingerprint authentication to other services by adding the same PAM configuration pattern to files in /etc/pam.d/ such as:
- sudo or doas
- polkit-1
- login
- su