[GUIDE/SOLVED] Sudo and Login with Fingerprint Reader under KDE/Arch Linux

Hi, I managed to get login and sudo to work with the fingerprint reader under KDE on Arch Linux.

What I tried under Arch Linux:

I can enroll my fingerprint using the KDE system settings, it seems to work fine.
I checked that fprintd is installed (if not, install it with pacman -S fprintd):

pacman -Qi fprintd

I enrolled my fingerprint again using fprintd-enroll.
I edited /etc/pam.d/login, sudo and kde so that they now look like this (e.g. use sudo vim):

#%PAM-1.0

auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
account    include      system-local-login
session    include      system-local-login
password   include      system-local-login
➜  ~ cat /etc/pam.d/sudo
#%PAM-1.0
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_fprintd.so
auth		include		system-auth
account		include		system-auth
session		include		system-auth
➜  ~ cat /etc/pam.d/kde
#%PAM-1.0
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_fprintd.so
auth            include         system-login
account         include         system-login
password        include         system-login
session         include         system-login

Restart your system and consider doing a full upgrade. Fingerprint works for unlocking the screen (not for login when starting the system) and for sudo. To use it, press Enter when prompted for the sudo password and you will then be asked for the fingerprint, like this:

➜  ~ sudo echo test
[sudo] password for ******:
Place your finger on the fingerprint reader
test

For unlock: press Enter and then you get asked for the fingerprint.

Let me know if this worked on your system :smiley:

4 Likes

I had it all set up at one point, but have since reverted to password based login. I could not achieve a “fingerprint or password, whichever comes first” setup. Depending on whether I was docked to my desk fp might be more convenient, or password might be significantly more convenient. In fact, I ran into situations where PAM would only proceed using a FP, even after correctly applying a password at a prompt.

So, yes, it is possible under Arch, but I’ve since trashed my recipe for it so cannot give you the exact steps.

1 Like

While I don’t officially support Arch, we test against GNOME on Fedora 38 and Ubuntu 22.04.3.
I don’t have anything to add outside of what D.H shared, so I’m just following this thread.

pam-fprint-grosshack (AUR) might be what you are looking for.

It is mentioned on the fprint page of the Arch Wiki.

3 Likes

I’m looking for a way to allow login via either password or fingerprint on Kubuntu 22+. It seems it isn’t yet possible.

There is a technique for Kubuntu 20 that has worked for some non-Framework devices (askubuntu) but it hasn’t worked on Framework 13 13th gen for me.

I tried the above after successfully enrolling a fingerprint on Kubuntu 22. Note that if you use dark mode, you should use light mode temporarily, because some distributions like Ubuntu 22 do not show guidance about lifting and resting one’s finger on the sensor 10+ times to reach a final “complete” stage of enrollment. The command-line tool fprintd-enroll doesn’t provide such guidance either. I was able to log in with my fingerprint on Ubuntu 22, but it uses a different authentication module than Kubuntu/KDE’s SDDM module.

Also, if you keep your SSD encrypted, no distro seems able to use the fingerprint sensor to decrypt the drive (unlike Win10, which can).

IMO, even without being able to use the fingerprint sensor, KDE’s personalization options are much wider than Ubuntu 22 or Fedora 39’s, so I hope Framework adopts Kubuntu as a supported distro.

Sorry, I haven’t used sddm recently, but maybe I can provide some helpful information.

Ubuntu common modules are listed in /etc/pam.d/common-auth. On my original Ubuntu 23.10 installation it looked something like this:

auth	[success=3 default=ignore]	pam_fprintd.so ........
auth	[success=2 default=ignore]	pam_unix.so nullok try_first_pass
auth	[success=1 default=ignore]	pam_sss.so use_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so
....

In this file success=N means that on success the next N lines are skipped (documented in man pam.conf). So pam_fprintd.so is used first, and if it succeeds the following lines are skipped until pam_permit.so. If pam_fprintd.so is not successful, then pam_unix.so (password prompt) is used, etc.

You can do it with some work and scripts. Personally I chose to keep my encrypted home directory filesystem decryptable only with my password. But using the TPM2, a script run by a PAM module should be able to store/get an encryption secret.

In my case, to enable home dir fs decryption I chose this path: when I log in, if the home dir key is not loaded, the fingerprint module is skipped, so I have to enter my password.

I modified the pam file into this one:

auth [success=1 default=ignore] pam_exec.so quiet quiet_log /opt/home-unlock/check-if-unlocked.sh
auth	[success=3 default=ignore]	pam_fprintd.so max-tries=2 timeout=5
auth optional pam_exec.so quiet quiet_log expose_authtok /opt/home-unlock/home-unlocker.sh
auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so
...

To implement automatic home unlock with a script that uses a secret saved in the TPM, you may try something like the following. The idea is that the TPM2 script is run only if the fingerprint module is successful.

auth	[success=ignore default=1] pam_fprintd.so max-tries=NTIMES timeout=MSECONDS
auth [success=2 default=ignore] pam_exec.so quiet quiet_log PATH/to/script/to/unlock/from/TPM2/secret
auth optional pam_exec.so quiet quiet_log expose_authtok PATH/to/script/to/unlock/with/user/password
auth	[success=1 default=ignore] pam_unix.so nullok try_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so
...
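The skip-N behaviour explained above, and the two `sufficient` lines in the sudo stack from the first post, are easiest to follow by stepping through the stack. What follows is an added example, not code from this thread and not Linux-PAM's own code: a small Python model of the control-flag rules in pam.conf(5) (ok, done, bad, die, ignore, reset and the N-jump, plus the required/requisite/sufficient/optional shorthands) that reports which modules actually run and whether access is granted for a given set of module outcomes. The stack texts are constructed from the posts above (with the trailing dots removed), and the one-line `system-auth` used for the include is a stand-in, not Arch's real file.

```python
"""Added example: a simplified model of how Linux-PAM walks an auth stack.
Not Linux-PAM code; it follows the control-flag rules in pam.conf(5) closely
enough to show module order for the stacks discussed in this thread."""
import re

SUCCESS = "success"          # PAM_SUCCESS
FAIL = "auth_err"            # stands in for any failing PAM return code
UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"

# Shorthand control flags expanded exactly as pam.conf(5) documents them.
SHORTHANDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# Modules whose return value never depends on the user.
FIXED_OUTCOMES = {"pam_permit.so": SUCCESS, "pam_deny.so": FAIL}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_control(token):
    """'sufficient' or '[success=3 default=ignore]' -> {retval: action}."""
    if token in SHORTHANDS:
        return dict(SHORTHANDS[token])
    return dict(part.split("=", 1) for part in token.strip("[]").split())


def parse_stack(text, files=None, facility="auth"):
    """Return [(control, module, args)] for one facility. 'include' lines are
    inlined from `files`, a dict mapping a config name to its text."""
    files = files or {}
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments such as #%PAM-1.0
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pam line: {raw!r}")
        fac, control, module, args = m.groups()
        if fac != facility:
            continue
        if control == "include":
            entries.extend(parse_stack(files[module], files, facility))
        else:
            entries.append((parse_control(control), module, args or ""))
    return entries


def run_stack(entries, outcomes):
    """Walk the stack. `outcomes` maps module name -> return code for this
    attempt. Returns (granted, list of modules that were actually called)."""
    impression, status, skip, ran = UNDEF, FAIL, 0, []
    for control, module, _args in entries:
        if skip:                                 # inside an N-jump: not called at all
            skip -= 1
            continue
        retval = outcomes.get(module, FIXED_OUTCOMES.get(module, FAIL))
        ran.append(module)
        action = control.get(retval, control.get("default", "bad"))
        if action == "ignore":
            continue
        if action == "reset":
            impression, status = UNDEF, FAIL
        elif action in ("bad", "die"):
            if impression != NEGATIVE:           # the first failure is what sticks
                impression, status = NEGATIVE, retval
            if action == "die":
                break
        else:                                    # ok, done, or N (ok plus skip N)
            if impression == UNDEF or (impression == POSITIVE and status == SUCCESS):
                impression = POSITIVE if retval == SUCCESS else NEGATIVE
                status = retval
            if action == "done" and impression == POSITIVE:
                break                            # sufficient module succeeded
            if action.isdigit():
                skip = int(action)
    return impression == POSITIVE and status == SUCCESS, ran


# Constructed samples from the posts above (dots removed); system-auth is a stand-in.
COMMON_AUTH = """
auth [success=3 default=ignore] pam_fprintd.so max-tries=2 timeout=5
auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
SUDO_ARCH = """
#%PAM-1.0
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so
auth include system-auth
account include system-auth
"""
FILES = {"system-auth": "auth required pam_unix.so try_first_pass nullok\n"}


def trace(stack_text, outcomes, files=None):
    return run_stack(parse_stack(stack_text, files), outcomes)


if __name__ == "__main__":
    print(trace(COMMON_AUTH, {"pam_fprintd.so": SUCCESS}))
    print(trace(COMMON_AUTH, {"pam_fprintd.so": FAIL, "pam_unix.so": SUCCESS}))
    print(trace(COMMON_AUTH, {"pam_fprintd.so": FAIL, "pam_unix.so": FAIL, "pam_sss.so": FAIL}))
    # "press Enter at the password prompt, then use the reader" from the first post
    print(trace(SUDO_ARCH, {"pam_unix.so": FAIL, "pam_fprintd.so": SUCCESS}, FILES))
```

Running it shows why the Ubuntu-style stack gives "fingerprint or password": a successful pam_fprintd.so jumps straight to pam_permit.so, a failed one is ignored and pam_unix.so prompts next, and only when every method fails does pam_deny.so end the stack. For the sudo stack from the first post, the empty password makes pam_unix.so fail silently (sufficient ignores failures), so pam_fprintd.so is reached and its success ends the stack before the included system-auth asks for a password again. A jump is modelled as "ok plus skip N", which is how pam.conf(5) describes it, so a jump taken on a failing return code leaves the stack in a failed state.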

Thanks very much. This didn’t solve the problem for me, but it helps me understand more.

What I tried on Kubuntu 22 was:

  1. Reviewed pam_fprintd(8) (Arch manual pages) to see what I should do about the dots after pam_fprintd.so; I realized I should delete them.
  2. sudo vi /etc/pam.d/common-auth (which I hadn’t edited before) and replaced
auth    [success=1 default=ignore]      pam_unix.so nullok

with

# https://man.archlinux.org/man/pam_fprintd.8.en
auth    [success=3 default=ignore]      pam_fprintd.so
auth    [success=2 default=ignore]      pam_unix.so nullok try_first_pass
auth    [success=1 default=ignore]      pam_sss.so use_first_pass

so that those lines appear before the following, as yours do:

# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so

To test this, and be sure that the change is noticed, I rebooted. But like before this change, SDDM’s lock screen does not indicate that biometrics can be used. And the method that has worked on other distros using SDDM, hitting the Enter key so the lock screen dims and then using the fingerprint sensor, still has no effect.

Thanks also for your tip about using a fingerprint to decrypt the drive. I’m now considering a method that would not involve any potentially fragile scripting: the Vaults feature of KDE Plasma (How to lock away sensitive information on Linux with KDE Vaults | ZDNET).