Hi, I managed get login and sudo to work with the fingerprint reader under KDE, Arch Linux.
What I was trying now under Arch Linux
I can enroll my fingerprint using the KDE system settings, it seems to work fine.
I checked that fprintd is installed (if not, install it pacman -S fprintd)
pacman -Qi fprintd
I enrolled my fingerprint again using fprintd-enroll.
I edited /etc/pam.d/login,sudo and kde so that they now look like this (eg. use sudo vim)
#%PAM-1.0
auth required pam_securetty.so
auth requisite pam_nologin.so
auth include system-local-login
account include system-local-login
session include system-local-login
password include system-local-login
âžś ~ cat /etc/pam.d/sudo
#%PAM-1.0
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so
auth include system-auth
account include system-auth
session include system-auth
âžś ~ cat /etc/pam.d/kde
#%PAM-1.0
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so
auth include system-login
account include system-login
password include system-login
session include system-login
restart your system and consider making a full upgrade. Fingerprint works for unlocking the screen (not for login, when starting the system) and sudo, to do it when prompted for the sudo password press enter and then you will get asked for the fingerprint like this
âžś ~ sudo echo test
[sudo] password for ******:
Place your finger on the fingerprint reader
test
for unlock: press enter and then you get asked for fingerprint.
I had it all set up at one point, but have since reverted to password based login. I could not achieve a “fingerprint or password, whichever comes first” setup. Depending on whether I was docked to my desk fp might be more convenient, or password might be significantly more convenient. In fact, I ran into situations where PAM would only proceed using a FP, even after correctly applying a password at a prompt.
So, yes, it is possible under Arch, but I’ve since trashed my recipe for it so cannot give you the exact steps.
While I don’t officially support Arch, we test against GNOME on Fedora 38 and Ubuntu 22.04.3.
I don’t have anything to add outside of what D.H shared, so I’m just following this thread.
I’m looking for a way to allow login via either password or fingerprint on Kubuntu 22+. It seems it isn’t yet possible.
There is a technique for Kubuntu 20 that has worked for some non-Framework devices (askubuntu) but it hasn’t worked on Framework 13 13th gen for me.
I tried the above after successfully enrolling a fingerprint on Kubuntu 22. Note that if you use dark mode, you should use light mode temporarily because some distributions like Ubuntu 22 do not show guidance about lifting and resting one’s finger on the sensor 10+ times to reach a final “complete” stage of enrollment. Commandline tool fprintd-enroll doesn’t provide such guidance either. I was able to login with my fingerprint on Ubuntu 22 but it uses a different authentication module than Kubuntu/KDE’s SDDM module.
Also, if you keep your SSD encrypted, no distro seems able to use the fingerprint sensor to decrypt the drive (unlike Win10, which can).
IMO, even without being able to use the fingerprint sensor, KDE’s personalization options are much wider than Ubuntu 22 or Fedora 39’s, so I hope Framework adopts Kubuntu as a supported distro.
In this file success=N means that on success the next N lines are skipped (doc in man pam.conf). So pam_fprintd.so is used first, and if successful following lines are skipped until pam_permit.so. If pam_fprintd.so is not successful then pam_unix.so(password prompt) is used, etc…
You can do it with some work and scripts. Personally I choose to keep my encrypted home directory filesystem decryptable only with my password. But using the TPM2 a script run by a pam module should be able to store/get an encryption secret.
In my case, to enable home dir fs decryption I choose this path: when I login, if the home dir key in not loaded, the finger print module is skipped, so I have to prompt my password.
To implement automatic home unlock with a script that uses a secret saved in the TPM you may try something like the following. The idea is that the tpm2 script is run only if the fingerprint module is successful.
so that those lines appear before the following, as yours do:
# here's the fallback if no module succeeds
auth requisite pam_deny.so
To test this, and be sure that the change is noticed, I rebooted. But like before this change, SDDM’s lock screen does not indicate that biometrics can be used. And the method that has worked on other distros using SDDM, hitting the Enter key so the lock screen dims and then using the fingerprint sensor, still has no effect.