[RESPONDED] Fingerprint sensor breaks SDDM on kubuntu

After setting up the fingerprint sensor up in kubuntu 23.04 it works flawlessly apart from the fact that i cannot login through sddm after rebooting the system. This ruins the fingerprint scanner feature as i need to switch to tty2 and remove the fingerprint and re-enroll it every time I turn the laptop off.

I have found a temporary solution of automatically logging in and using a script to force the kde plasma screensaver that requires login.

Hi @SirChipalot
From what I understand, this is an issue with SDDM, it does not support login with fingerprint with the current release version 0.19.0 at login.

If you do want to make it work, read through [RESPONDED] Fingerprint scanner compatibility with linux (ubuntu, fedora, etc)

I have seen people mention scripts and other workarounds.
I have not personally tried any of them, I don’t use the fingerprint at all.

1 Like

Yep, this is basically a part of it.

@SirChipalot Also we actively have what we are supporting on the landing page.

You just need to add

auth sufficient pam_fprintd.so

to the top of /etc/pam.d/common-auth

Do not run pam-auth-update

This will require fingerprint for sudo, and login at SDDM (sometimes it seems you press enter first to accept a blank password).

1 Like

I upgraded to 23.10. I tried both adding

auth sufficient pam_fprintd.so

and running pam-auth-update.

Adding the suggested line worked, but I couldn’t use my password any more with sudo or to login. With pam-auth-update I could use my password after 10 seconds. It appears that the fingerprint reader would block other means of auth for 10 seconds before trying other means of identification.

Neither of these are great. I would like to be able to auth with either my password or my finger.

Here is what pam-auth-update put into my common-auth file:

auth  [success=2 default=ignore]      pam_fprintd.so max-tries=1 timeout=10 # debug
auth  [success=1 default=ignore]      pam_unix.so nullok try_first_pass

I see the 10 second timeout and it looks like the unix login is trying to run, but is seems like it is blocked by the fprintd. Is there a way to make them run in parallel?

1 Like

I’m not sure why you’d want to use a lower security method like password, if biometric is available.

Regardless, I don’t think PAM can ask two questions at once.

Biometric is a lower security (coming from security/monitoring). The password is the most secure way to get into a system, cause they will have to get it out of you with force (hitting you and keep you awake) while the fingerprint, even if your are passed out, they can get it.

As for pam - it won’t ask 2 questions at once. It will go through all configured methods sequentially and the first one that works and is configured as sufficient will be “allowed”.

1 Like

I’ve posted this link about fingerprint bypass twice in fingerprint reader threads here and you haven’t seen it?

Sure I’ve seen it. Depends on your threat modal. Evil maids don’t come for most people so the trade off is fine for me.