Hi, I managed get login and sudo to work with the fingerprint reader under KDE, Arch Linux.

What I was trying now under Arch Linux

I can enroll my fingerprint using the KDE system settings, it seems to work fine.
I checked that fprintd is installed (if not, install it pacman -S fprintd)

pacman -Qi fprintd

I enrolled my fingerprint again using fprintd-enroll.
I edited /etc/pam.d/login,sudo and kde so that they now look like this (eg. use sudo vim)

#%PAM-1.0

auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
account    include      system-local-login
session    include      system-local-login
password   include      system-local-login

➜  ~ cat /etc/pam.d/sudo
#%PAM-1.0
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_fprintd.so
auth		include		system-auth
account		include		system-auth
session		include		system-auth

➜  ~ cat /etc/pam.d/kde
#%PAM-1.0
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_fprintd.so
auth            include         system-login

account         include         system-login

password        include         system-login

session         include         system-login

restart your system and consider making a full upgrade. Fingerprint works for unlocking the screen (not for login, when starting the system) and sudo, to do it when prompted for the sudo password press enter and then you will get asked for the fingerprint like this

➜  ~ sudo echo test
[sudo] password for ******:
Place your finger on the fingerprint reader
test

for unlock: press enter and then you get asked for fingerprint.

Let me know if this worked on your system

I had it all set up at one point, but have since reverted to password based login. I could not achieve a “fingerprint or password, whichever comes first” setup. Depending on whether I was docked to my desk fp might be more convenient, or password might be significantly more convenient. In fact, I ran into situations where PAM would only proceed using a FP, even after correctly applying a password at a prompt.

So, yes, it is possible under Arch, but I’ve since trashed my recipe for it so cannot give you the exact steps.

While I don’t officially support Arch, we test against GNOME on Fedora 38 and Ubuntu 22.04.3.
I don’t have anything to add outside of what D.H shared, so I’m just following this thread.

pam-fprint-grosshackAUR might be what you are looking for.

It is mentioned in the fprint page in the Arch Wiki

I’m looking for a way to allow login via either password or fingerprint on Kubuntu 22+. It seems it isn’t yet possible.

There is a technique for Kubuntu 20 that has worked for some non-Framework devices (askubuntu) but it hasn’t worked on Framework 13 13th gen for me.

I tried the above after successfully enrolling a fingerprint on Kubuntu 22. Note that if you use dark mode, you should use light mode temporarily because some distributions like Ubuntu 22 do not show guidance about lifting and resting one’s finger on the sensor 10+ times to reach a final “complete” stage of enrollment. Commandline tool fprintd-enroll doesn’t provide such guidance either. I was able to login with my fingerprint on Ubuntu 22 but it uses a different authentication module than Kubuntu/KDE’s SDDM module.

Also, if you keep your SSD encrypted, no distro seems able to use the fingerprint sensor to decrypt the drive (unlike Win10, which can).

IMO, even without being able to use the fingerprint sensor, KDE’s personalization options are much wider than Ubuntu 22 or Fedora 39’s, so I hope Framework adopts Kubuntu as a supported distro.

Sorry, I haven’t used sddm recently, but maybe I can provide some helpful information.

Ubuntu common modules are listed in /etc/pam.d/common-auth. On my original Ubuntu 23.10 installation it looked something like this:

auth	[success=3 default=ignore]	pam_fprintd.so ........
auth	[success=2 default=ignore]	pam_unix.so nullok try_first_pass
auth	[success=1 default=ignore]	pam_sss.so use_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so
....

In this file success=N means that on success the next N lines are skipped (doc in man pam.conf). So pam_fprintd.so is used first, and if successful following lines are skipped until pam_permit.so. If pam_fprintd.so is not successful then pam_unix.so(password prompt) is used, etc…

You can do it with some work and scripts. Personally I choose to keep my encrypted home directory filesystem decryptable only with my password. But using the TPM2 a script run by a pam module should be able to store/get an encryption secret.

In my case, to enable home dir fs decryption I choose this path: when I login, if the home dir key in not loaded, the finger print module is skipped, so I have to prompt my password.

I modified the pam file into this one:

auth [success=1 default=ignore] pam_exec.so quiet quiet_log /opt/home-unlock/check-if-unlocked.sh
auth	[success=3 default=ignore]	pam_fprintd.so max-tries=2 timeout=5
auth optional pam_exec.so quiet quiet_log expose_authtok /opt/home-unlock/home-unlocker.sh
auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so
...

To implement automatic home unlock with a script that uses a secret saved in the TPM you may try something like the following. The idea is that the tpm2 script is run only if the fingerprint module is successful.

auth	[success=ignore default=1] pam_fprintd.so max-tries=NTIMES timeout=MSECONDS
auth [success=2 default=ignore] pam_exec.so quiet quiet_log PATH/to/script/to/unlock/from/TPM2/secret
auth optional pam_exec.so quiet quiet_log expose_authtok PATH/to/script/to/unlock/with/user/password
auth	[success=1 default=ignore] pam_unix.so nullok try_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so
...

Thanks very much. This didn’t solve the problem for me, but it helps me understand more.

What I tried on Kubuntu 22 was:

1. Reviewed pam_fprintd(8) — Arch manual pages to see what I should do about the dots after pam_fprintd.so; I realized I should delete them.
2. sudo vi /etc/pam.d/common-auth (which I hadn’t edited before) and replaced

auth    [success=1 default=ignore]      pam_unix.so nullok

with

# https://man.archlinux.org/man/pam_fprintd.8.en
auth    [success=3 default=ignore]      pam_fprintd.so
auth    [success=2 default=ignore]      pam_unix.so nullok try_first_pass
auth    [success=1 default=ignore]      pam_sss.so use_first_pass

so that those lines appear before the following, as yours do:

# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so

To test this, and be sure that the change is noticed, I rebooted. But like before this change, SDDM’s lock screen does not indicate that biometrics can be used. And the method that has worked on other distros using SDDM, hitting the Enter key so the lock screen dims and then using the fingerprint sensor, still has no effect.

Thanks also for your tip about using a fingerprint to decrypt the drive. I’m now considering a method that would not involve any potentially fragile scripting: the Vaults feature of KDE Plasma How to lock away sensitive information on Linux with KDE Vaults | ZDNET

I found another way to do this that is more “proper” and also respects pam_faillock, which locks authentification for 10 minutes after 3 bad tries. The specific way I implemented it though gives you 10s to try fingerprint, and only after that elapses or it fails, gives you the option to use the password. You can use the password first, then fingerprint way, too, of course.
I also have some notes on unlocking with fingerprint in Plasma 5 vs Plasma 6, where they seem to have added native support for both, although it is quite scuffed IMO and needs fixing.

The main reason I investigated this is because I wasn’t happy with the often recommended way of adding the following:

auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_fprintd.so

I used it before and it works, but it seems to a) skip the pam_faillock check so an attacker can try again and again without a 10min check, and b) I do not fully understand likeauth to determine if it is safe to use here.
So here’s my “proper” alternative:

Basic authentification for sudo

To start off, I copied `system-auth` to `system-auth-fprintf` as that is the file specifying the password-based authentification used by all other modules. I added the `pam_fprintd.so` line to run before `pam_unix.so` and edited the success parameters to account for the extra line. Now it looks like this (though I recommend starting with your distributions default):

-- cat system-auth-fprintf
#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=3 default=ignore]  pam_systemd_home.so
auth       [success=2 default=ignore]  pam_fprintd.so       max-tries=3 timeout=10
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc

# Just to allow using this instead of system-auth for all types
account		include		system-auth
session		include		system-auth

Now with this, I can edit any other file to use this authentification on a granular level. E.g. sudo:

-- cat sudo
#%PAM-1.0

auth		include		system-auth-fprintd
account		include		system-auth
session		include		system-auth

And what it does is first ask for fingerprint, three tries (default), with a timeout of 10 seconds (minimum, sadly), and asks for password afterwards. Works wonderfully.
If you want to use the password-first way, this would be it:

-- cat system-auth-fprintf
#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=3 default=ignore]  pam_systemd_home.so
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
auth       [success=1 default=bad]     pam_fprintd.so       max-tries=3 timeout=10
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc

# Just to allow using this instead of system-auth for all types
account		include		system-auth
session		include		system-auth

Unlock in Plasma 5 / Other

Now we could apply the same to the unlock session (`kde`) and it would work similarly.

Make a copy of system-login called system-login-fprintf, because its auth types are used by both kde (unlocking, via system-local-login) and various others like sddm, login, etc (which should be password only for kwallet decryption).

-- cat system-login-fprintf
#%PAM-1.0

auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth-fprintd

account    include    system-login
password   include    system-login
session    include    system-login

Then edit kde as follows:

-- cat kde
#%PAM-1.0

auth       include                     system-login-fprintd
account    include                     system-local-login
password   include                     system-local-login
session    include                     system-local-login

Now I can use the fingerprint immediately without skipping the password explicitly first, and I can login with the password as well - unfortunately, it gives you exactly 10s to use the fingerprint, and only then allows you to unlock with a password. You can enter it before and hit enter, and it will unlock at exactly 10s (this is because of try_first_pass, it tries the password entered before pam_unix.so itself even had control). Not optimal. If you used the password-first way, you need to press enter first, but this annoyance is not there if you do need to use the password. Your choice.

Plasma 6

As mentioned before, Plasma 6 seems to have an interesting new way to handle fingerprint unlocking, it seems to use both `kde` and `kde_fingerprint` (probably run in parallel). However, as noted above, it has a serious issue where a successful fingerprint unlock still counts as a authfail to `pam_faillock.so`, so after three *successful* unlocks with the fingerprint, it denies you access for 10 mins anyway. I after several tries I successfully modified `kde_fingerprint` to fix this behaviour:

-- cat kde_fingerprint
#%PAM-1.0

auth       required                    pam_shells.so
auth       requisite                   pam_nologin.so
auth       requisite                   pam_faillock.so      preauth

# Default behaviour
#-auth      required                    pam_fprintd.so
#auth       optional                    pam_permit.so

# Default behaviour (rewritten)
#auth      [success=ok module_unknown=ignore ignore=ignore default=bad] pam_fprintd.so
#auth       optional                    pam_permit.so

# Solution 1 (no faillock support)
#auth       [success=ok ignore=ignore default=die] pam_fprintd.so max-tries=3 timeout=65535
#auth       optional                    pam_permit.so
#auth       required                    pam_faillock.so      authsucc

# Solution 2 (faillock support)
auth       [success=1 ignore=ignore module_unknown=die default=bad] pam_fprintd.so max-tries=3 timeout=65535
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_faillock.so      authsucc

auth       required                    pam_env.so
account    include                     system-local-login
password   required                    pam_deny.so
session    include                     system-local-login

This finally works as intended, and I can immediately unlock with both, without faillock incorrectly locking it after 3 tries.
I’ll likely submit this as a bug report to kde.

Explanation:

Timeout is disabled, necessary because it starts ticking down as soon as you trigger it, which is suboptimal. You can also set it lower and then catch it using authinfo_unavail - I considered adding authinfo_unavail=die to handle some failures to not trigger pam_faillock, but decided against it since I don’t know if you can exploit that.
Solution 1 skips pam_faillock entirely, e.g. if you fail 3 times, you rely on KDE to never show you the fingerprint again until you unlock - do check yourself if that can be exploited by e.g. going to sleep to give you infinite tries at unlocking with fingerprint without pam_faillock getting in your way.
Solution 2 is recommended and does use pam_faillock, though it still relies on other factors to prevent exploits, e.g. going to sleep needs to not reset the try counter, else you can bypass pam_faillock and try as much as you want.
Unfortunately, it’s not realistic to set max-tries to 1, since this kde implementation doesn’t retry at all, even with a pam_faillock authfail.
In the default KDE implementation, max-tries is “relied” upon to provide a faillock alternative. A proper implementation would retry kde-fingerprint as long as pam_faillock is properly used, and with max-tries=1, to provide a proper faillock.

System Auth:

Unfortunately, `system-auth` is not just used by other files, it's also used directly by e.g. changing system settings, or programs needing privileges temporarily. To allow fingerprint sensor usage there, but not in places where it's inapropriate, is difficult. I copied `system-auth` to `system-auth-pw` and redirected all `auth include system-auth` to that. Then, I modified `system-auth` to use fprint like before (e.g. by auth include `system-auth-fprintd`). Now I can use fingerprint for those as well (e.g. changing password, though interestingly not for adding more fingerprints). I'm not sure this is worth it and I might leave this password-only. Though, the security implications of typing in a password in public might outweigh the implications of a fingerprint here, anyway.

I’m not the OP but I posted here earlier. I’m on Kubuntu 22.04 KDE Plasma Version: 5.24.7

Although I have enrolled a fingerprint via the system settings GUI, that GUI also says that using a fingerprint is not supported for unlocking the system but might be used by some apps. Invoking pam-auth-update in a terminal does not show an option to enable fingerprints. I would like to get it working at least for the 1Password cli (to avoid leaving private keys and plaintext credentials on disk when using git/GitHub and the AWS cli).

There is no system-auth file, no system-login file, nor a kde file under /etc/pam.d/ but there is a common-auth file, and its comments indicate “This file is included from other service-specific PAM config files,”. So I tried the edits above in it.

common-auth-fprintf

# /etc/pam.d/common-auth-fprintf
#
# Adapted from https://community.frame.work/t/guide-solved-sudo-and-login-with-fingerprint-reader-under-kde-arch-linux/37009/8

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=3 default=ignore]  pam_systemd_home.so
auth       [success=2 default=ignore]  pam_fprintd.so       max-tries=3 timeout=10
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc

# Just to allow using this instead of system-auth for all types
account		include		system-auth
session		include		system-auth

sudo

#%PAM-1.0

# Set up user limits from /etc/security/limits.conf.
session    required   pam_limits.so

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

#Replaced with fprintf variant in an attempt to adapt https://community.frame.work/t/guide-solved-sudo-and-login-with-fingerprint-reader-under-kde-arch-linux/37009/8
#@include common-auth
@include common-auth-fprintf

@include common-account
@include common-session-noninteractive

As a test before exiting sudo su or rebooting, I opened a new KConsole and tried sudo su but was only prompted for a password, and then got this error:

sudo: PAM account management error: Permission denied
sudo: a password is required

So I reversed the commenting in my sudo file so that @include common-auth would be enabled again. Testing again in a new KConsole showed that worked, so I felt safe powering down.

I realize this thread is about Arch Linux, but if you have suggestions for Kubuntu based on my findings above, I would really appreciate it.

No problem. That is indeed odd. I also don’t know the @include syntax, only [auth/session/account/password] include, which is nice because that explicitly specifies what type to include. For your sudo file, I don’t know what the include does exactly.
But that does look correct otherwise.
I suggest reading the docs for pam.d and it’s modules. But if you want, do post your default common-auth, finding some examples online but if they’re up-to-date, you might have modified too much (e.g. this one is vastly different)

Either way, not sure how such password managers work, but you’ll likely have to find out yourself what pam.d file, if anything, it uses

When I ran pam-auth-update today before trying your suggestions, it warned that common-auth had been edited and it could not assist unless I reverted. I took the opportunity to revert because the changes I tried based on other guidance hadn’t worked.

Here’s what it reset me to:

auth	[success=1 default=ignore]	pam_unix.so nullok
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_cap.so 

And here’s what I had tried but didn’t work:

auth	[success=3 default=ignore]	pam_fprintd.so
auth	[success=2 default=ignore]	pam_unix.so nullok try_first_pass
auth	[success=1 default=ignore]	pam_sss.so use_first_pass

# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_cap.so 

Looks alright to me, though I don’t know what sss would do.
Though as you did before, I wouldn’t modify common-auth directly before you verified your modifications work with e.g. sudo.

Btw, if you do more testing, especially with locking, I recommend setting up a second tty (Ctrl+Alt+F4 for example), specifically with su so that you always have a fallback with sudo privileges. At one point managed to break system-auth completely and had no way to edit it in my main shell for another reason, so that was helpful to revert.
Also allows you to use loginctl unlock-session in case you broke the unlocking for good.

Hey guys i have also a question:

I got this config inside my ssdm pam file to unlock the greeter at startup. If i misstype my password, i need to login via fingerprint, which i sometimes dont want.
Is there are way to increase the tries of passsword before SDDM will switch to fingerprint login?

auth        [success=1 new_authtok_reqd=1 default=ignore]       pam_unix.so try_first_pass likeauth nullok
auth        sufficient          pam_fprintd.so

It’s a service for network authentication and other stuff.

No good way that I know of. I tried this with sudo and it prompt for password twice, not sure it will work with a display manager:

auth        [success=3 new_authtok_reqd=3 default=ignore]       pam_unix.so try_first_pass likeauth nullok
auth optional pam_python.so /opt/pam_clear.py
auth        [success=1 new_authtok_reqd=1 default=ignore]       pam_unix.so try_first_pass likeauth
auth        sufficient          pam_fprintd.so

With the following /opt/pam_clear.py:

def pam_sm_authenticate(pamh, flags, argv):
  print('Try again')
  pamh.authtok = None
  return pamh.PAM_AUTH_ERR

Warning: if you try this out maybe keep a root shell open in a tty to recover if auth doesn’t work.