Hello everyone…new Framework 16 owner here!
I am wondering if anyone has got fingerprint support working on KUbubtu 25.04. I installed fprintd and pam-fprint and it partially works.
I can use fprintd-enroll to add fingerprints in Konsole, and they verify with fprintd-verify. However, the connection to the KDE User setup for fingerprint setup is not active - it does nothing when prompting the user to repeatedly touch the sensor after selecting a finger. I’m wary of editing the pam configuration files, as that can make the computer inaccessible.
I’d appreciate any guidelines or suggestions before I start entering bugs for the fprintd project team.
Thanks!
Paul
There’s a separate KDE package for fingerprint authentication; Arch’s wiki has great docs for this (and almost everything): https://wiki.archlinux.org/title/Fprint
In /etc/pam.d/ I’ve got a kde-fingerprint file that has:
#%PAM-1.0
auth required pam_shells.so
auth requisite pam_nologin.so
auth requisite pam_faillock.so preauth
-auth required pam_fprintd.so
auth optional pam_permit.so
auth required pam_env.so
account include system-local-login
password required pam_deny.so
session include system-local-login
If you’re got the right bits installed, this should already be there.
I also had to tweak the system-auth file in there, you can see the pam_fprintd.so line I added to it:
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=2 default=ignore] pam_systemd_home.so
# chrish added this one:
auth sufficient pam_fprintd.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
Be careful messing with the system-auth file as you can mess things up enough to disable authentication (to prevent authentication or just allow anything).
My setup intentionally doesn’t allow fingerprint authentication at the login screen, only at the desktop for wake from sleep, sudo, applications (like 1Password), etc. Not sure if KUbuntu uses SDDM, but I see some sddm-* files in the pam.d directory that look promising if that’s something you want.
I’m using EndeavourOS, so I didn’t try to suggest packages to install, but the config stuff should all be the same.