Fingerprint Authentication with swaylock: Difference between revisions
No edit summary |
Prabuanand (talk | contribs) (added wikitags, category, see also section and reworded introduction and few other sentence) |
||
| Line 1: | Line 1: | ||
This guide shows how to configure fingerprint authentication for swaylock on Alpine Linux, allowing you to unlock using fingerprint sensor with password as fallback. | |||
== Prerequisites == | |||
* Enable [[Polkit|Polkit]] | |||
== Installation == | |||
Install the {{pkg|fprintd}} package:{{Cmd|$ doas apk add fprintd}} | |||
== | == Configuration == | ||
To get the USB ID for your fingerprint reader, issue the command: {{Cmd|$ lsusb | grep finger}} | |||
Once onfigured this allows you to unlock using either: | |||
* <code><enter password></code> → <code><hit enter></code> | |||
* <code><hit enter></code> → <code><touch fingerprint sensor></code> | |||
== Configure | === Configure policyKit permissions === | ||
Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule to allow members of the <code>input</code> group to manage fingerprints: | Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule {{Path|etc/polkit-1/rules.d/50-fingerprint.rules}} to allow members of the <code>input</code> group to manage fingerprints with contents as shown:{{Cat|etc/polkit-1/rules.d/50-fingerprint.rules|<nowiki>polkit.addRule(function (action, subject) { | ||
if (action.id.indexOf("net.reactivated.fprint.") == 0) { | |||
if (subject.isInGroup("input")) { | |||
return polkit.Result.YES; | |||
} | |||
} | |||
});</nowiki>}} | |||
Ensure that correct permissions are set:{{Cmd|<nowiki># chown root:root /etc/polkit-1/rules.d/50-fingerprint.rules | |||
# chmod 644 /etc/polkit-1/rules.d/50-fingerprint.rules</nowiki>}} | |||
Add your user to the <code>input</code> group: | Add your user to the <code>input</code> group:{{Cmd|$ doas adduser $USER input}} | ||
{{Note| You must log out and back in (or reboot) for the group membership & PolicyKit rule to take effect.}} | |||
=== Enroll fingerprints === | |||
== Enroll | |||
If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments: | If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments: | ||
To delete fingerprints for current user: {{Cmd|$ fprintd-delete $(whoami)}} | |||
If you accidentally enrolled as root, delete those too {{Cmd|$ doas fprintd-delete root}} | |||
Enroll your fingerprint(s): | Enroll your fingerprint(s):{{Cmd|$ fprintd-enroll}} | ||
Verify the enrollment works:{{Cmd|$ fprintd-verify}} | |||
=== Configure PAM for swaylock === | |||
Create the PAM configuration file {{Path|/etc/pam.d/swaylock}} for swaylock with contents as shown: {{Cat|/etc/pam.d/swaylock|<nowiki># Try password authentication first | |||
auth sufficient pam_unix.so nullok | |||
# If no password provided, try fingerprint | |||
auth sufficient pam_fprintd.so ignore-empty-password | |||
auth required pam_deny.so | |||
# KWallet integration (optional) | |||
-auth optional pam_kwallet.so | |||
-auth optional pam_kwallet5.so | |||
-session optional pam_kwallet.so auto_start | |||
-session optional pam_kwallet5.so auto_start | |||
</nowiki>}} | |||
Ensure that correct permissions are set:{{Cmd|<nowiki># chown root:root /etc/pam.d/swaylock | |||
# chmod 644 /etc/pam.d/swaylock</nowiki>}} | |||
== Extending to other services == | |||
You can apply similar fingerprint authentication to other services by adding the same PAM configuration pattern to files in <code>/etc/pam.d/</code> such as: | |||
* <code>sudo</code> | |||
* <code>polkit-1</code> | |||
* <code>login</code> | |||
* <code>su</code> | |||
== Usage == | == Usage == | ||
| Line 82: | Line 81: | ||
== Troubleshooting == | == Troubleshooting == | ||
=== Permission denied during enrollment=== | |||
If you receive ''' Permission denied''' message during enrollment ensure you're in the <code>input</code> group and have logged out/in after adding the group. | |||
=== Fingerprint recognized but doesn't unlock=== | |||
If Fingerprint is recognized but doesn't unlock, check that fingerprints are enrolled for the correct user (not root) | |||
=== No fallback to password === | |||
If there is no fallback to password when using fingerprint authentication verify the PAM configuration has <code>pam_unix.so</code> before <code>pam_fprintd.so</code> | |||
== See also == | |||
* [https://fprint.freedesktop.org/supported-devices.html list of supported fingerprint readers] | |||
[[Category:Authentication]] | |||
Revision as of 04:34, 2 September 2025
This guide shows how to configure fingerprint authentication for swaylock on Alpine Linux, allowing you to unlock using fingerprint sensor with password as fallback.
Prerequisites
- Enable Polkit
Installation
Install the fprintd package:
$ doas apk add fprintd
Configuration
To get the USB ID for your fingerprint reader, issue the command:
$ lsusb
Once onfigured this allows you to unlock using either:
<enter password>→<hit enter><hit enter>→<touch fingerprint sensor>
Configure policyKit permissions
Upon installation, standard users are not authorized to enroll fingerprints. Create a PolicyKit rule etc/polkit-1/rules.d/50-fingerprint.rules to allow members of the input group to manage fingerprints with contents as shown:
Contents of etc/polkit-1/rules.d/50-fingerprint.rules
Ensure that correct permissions are set:
# chown root:root /etc/polkit-1/rules.d/50-fingerprint.rules # chmod 644 /etc/polkit-1/rules.d/50-fingerprint.rules
Add your user to the input group:
$ doas adduser $USER input
Enroll fingerprints
If you previously enrolled fingerprints as root (or want to start fresh), delete existing enrollments:
To delete fingerprints for current user:
$ fprintd-delete $(whoami)
If you accidentally enrolled as root, delete those too
$ doas fprintd-delete root
Enroll your fingerprint(s):
$ fprintd-enroll
Verify the enrollment works:
$ fprintd-verify
Configure PAM for swaylock
Create the PAM configuration file /etc/pam.d/swaylock for swaylock with contents as shown:
Contents of /etc/pam.d/swaylock
Ensure that correct permissions are set:
# chown root:root /etc/pam.d/swaylock # chmod 644 /etc/pam.d/swaylock
Extending to other services
You can apply similar fingerprint authentication to other services by adding the same PAM configuration pattern to files in /etc/pam.d/ such as:
sudopolkit-1loginsu
Usage
Once configured, swaylock will accept both authentication methods:
- Password authentication: Type your password and press Enter
- Fingerprint authentication: Press Enter without typing anything, then touch the fingerprint sensor
Troubleshooting
Permission denied during enrollment
If you receive Permission denied message during enrollment ensure you're in the input group and have logged out/in after adding the group.
Fingerprint recognized but doesn't unlock
If Fingerprint is recognized but doesn't unlock, check that fingerprints are enrolled for the correct user (not root)
No fallback to password
If there is no fallback to password when using fingerprint authentication verify the PAM configuration has pam_unix.so before pam_fprintd.so