Fingerprint Authentication with swaylock: Difference between revisions

From Alpine Linux
No edit summary
mNo edit summary
Line 29: Line 29:
  doas adduser $USER input
  doas adduser $USER input


'''Note:''' You must log out and back in (or reboot) for the group membership to take effect.
'''Note:''' You must log out and back in (or reboot) for the group membership & PolicyKit rule to take effect.


== Enroll Fingerprints ==
== Enroll Fingerprints ==

Revision as of 14:11, 1 September 2025

Fingerprint Authentication with swaylock

This guide shows how to configure fingerprint authentication for swaylock on Alpine Linux, allowing you to unlock using either:

  • <enter password><hit enter>
  • <hit enter><touch fingerprint sensor>

Installation

Install the fprintd package: 

doas apk add fprintd

Configure PolicyKit Permissions

Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the input group to manage fingerprints: 

doas tee /etc/polkit-1/rules.d/50-fingerprint.rules << 'EOF'
polkit.addRule(function (action, subject) {
    if (action.id.indexOf("net.reactivated.fprint.") == 0) {
        if (subject.isInGroup("input")) {
            return polkit.Result.YES;
        }
    }
});
EOF

Add your user to the input group: 

doas adduser $USER input

Note: You must log out and back in (or reboot) for the group membership & PolicyKit rule to take effect.

Enroll Fingerprints

If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments: 

# Delete fingerprints for current user
fprintd-delete $(whoami)

# If you accidentally enrolled as root, delete those too
doas fprintd-delete root

Enroll your fingerprint(s): 

fprintd-enroll

Verify the enrollment works: 

fprintd-verify

Configure PAM for swaylock

Create the PAM configuration for swaylock: 

doas tee /etc/pam.d/swaylock << 'EOF'
# Try password authentication first
auth sufficient pam_unix.so nullok
# If no password provided, try fingerprint
auth sufficient pam_fprintd.so ignore-empty-password
auth required pam_deny.so

# KWallet integration (optional)
-auth    optional        pam_kwallet.so
-auth    optional        pam_kwallet5.so
-session optional        pam_kwallet.so auto_start
-session optional        pam_kwallet5.so auto_start
EOF

Usage

Once configured, swaylock will accept both authentication methods:

  • Password authentication: Type your password and press Enter
  • Fingerprint authentication: Press Enter without typing anything, then touch the fingerprint sensor

Troubleshooting

  • Permission denied during enrollment: Ensure you're in the input group and have logged out/in after adding the group
  • Fingerprint recognized but doesn't unlock: Check that fingerprints are enrolled for the correct user (not root)
  • No fallback to password: Verify the PAM configuration has pam_unix.so before pam_fprintd.so

Extending to Other Services

You can apply similar fingerprint authentication to other services by adding the same PAM configuration pattern to files in /etc/pam.d/ such as:

  • sudo
  • polkit-1
  • login
  • su
Retrieved from "https://wiki.alpinelinux.org/w/index.php?title=Fingerprint_Authentication_with_swaylock&oldid=30834"