[TRACKING] Fingerprint scanner compatibility with linux (ubuntu, fedora, etc)

I am using Ubuntu 22.04 and “sudo pam-auth-update” and enabling “fingerprint” worked for me.
Not very intuitive putting the * in the box to enable “fingerprint”. Use the arrow keys to select the box and then the spacebar to activate the feature and finally tab to save.

Update: the fingerprint reader has stopped working. I think it’s something to do with a recent Ubuntu update.

I am running Debian sid, with KDE plasma 5. But using the current fingerprint is just not an option for me. What desktop env are you using?

When I enable fingerprint, I can no longer unlock my system with a password. Although the screen asks for it, I have to type one wrong try, and after that is denied I can use the fingerprint, not before. When logging into the system it doesn’t even respond with s/t like “wrong password”. It simply does not proceed from the login screen, nor does the fingerprint auth work for the login at all.

I was using Gnome, default for Debian 11. I never did get the finger print reader to ‘verify’ anything. I could record prints fine. I could use the reader just fine in Windows 10, 11. But on Debian 11, and the default Gnome environment, and installing the driver/libraries, it never would verify. I could record prints fine.

But I did not have any issues using password, that always worked, for ‘su’ as well as initial login through GDM (login screen).

1 Like

No matter what I do I cannot get the fingerprint scanner to work on Ubuntu 22.04. I should note that I have had it working on Windows 10, 11, Ubuntu 18.04, Fedora 34 and 35. I just can’t seem to get it working now.

The python script to delete previous scanned fingers, just keeps giving me the udev error I mentioned earlier. Has anyone had any luck getting the scanner working after having similar issues?

1 Like

Hi! I’m running Ubuntu 22.01 LTS on my Framework and my fingerprint scanner is working fine.

Are you perhaps dual-booting between Ubuntu and Windows (or another OS) on the same SSD? In my experience, it seems like if I boot two or more OSs from the internal SSD, only one OS gets to “own” the fingerprint scanner, and the other OS can’t access it.

On my Framework I have Windows booting from the SSD and Ubuntu booting from a 256GB expansion card. Fingerprint authentication works fine on both OSs.

2 Likes

I had Windows on the nvme before the current Ubuntu install but never at the same time. There is definitely some kind of lock on it.

I am also dual-booting Ubuntu 22.01 & Windows 11. Windows has no problem using the fingerprint reader, however, Ubuntu won’t read as well. Seems as though the “owning” aspect of the fingerprint reader is the correct assumption.

Is there any way around this or is it a security feature?

Just wanted to explain what is going on here. Finger print readers do have their own onboard storage. In most cases they take a black and white 256x288 resolution picture of your finger when you present it. When you present your finger multiple times during the enrolling process it’s actually taking another, and another, and another picture of your finger from different angles. So it’s actually storing anywhere 10x256x288@8bit pictures each finger you enroll. That’s ~74kB for each picture 10 times for a total of around ~750kB for each person. Each scanner has about ~150 slots available for around ~11059200bytes of memory (~11MB).

The 256x288 is enough resolution to give a 1 in 100,000 incidental access. The different angles help so that when you place your finger on the scanner, as long as it’s close to how you enrolled it, it should accept it. So, pretty good. Depending on the time out of the sensor, it would take many years to get into a device unless someone had a finger print that was fairly close to yours.

Now there are commands that can be sent directly to the fingerprint sensor itself. Indeed the sensor has a microcontroller that runs the whole show. It’s very much like an RP2040, just beefed up to handle image processing so it might be an M3 core and not an M0 core like the RP2040. This little bit of extra processing power and Instruction Set Architecture extensions makes it so the sensor isn’t painfully slow when processing your finger print.

When you enroll your finger, the OS sends the enroll command to the device. Normally for safes, 1 finger gets one image and that’s it. There is either custom firmware or custom software sitting on top of this whole software stack that’s assigning 10 images to one person. When you present your finger to the scanner, it will send a message to the system saying that the finger matched this image ID and its confidence in that match, or it didn’t match at all. It’s up to the OS to accept a threshold of confidence as well as the firmware. For example it could be programmed so that the currently logged in user would allow for a lower level of confidence on their finger print acquisitions because that user is already signed into the computer. It makes for a better user experience without much cost to security. Whereas a threshold of confidence might be 99% that it’s the same image for logins, it only needs to be 90% for re-acquisitions and privilege escalations for the current user.

It should be noted that unless the finger print messages are signed to the host, they can be spoofed. The hardware that is acquiring the finger prints really must also have a hardware root of trust and be able to attest that "I am the same device that you’ve been talking to all along and you can prove that by checking my signature attached to this report with my public key." Otherwise replay attacks may occur.

If you are more interested in the topic, you can check out Adafruit’s website where they sell some finger print scanners to play around with on Microcontrollers as well as including guides on how to get up and running with it.

I take it you enrolled different fingers on each OS? If you enrolled the same finger it might just be a lucky happenstance that you clobbered the same IDs that the other OS was using. I’d be interested to see what order you enrolled in on what OS. Maybe Windows sets the tone and says "This is the first finger print image, and so you, finger print scanner, ARE going to put this into fingerPrintImageSlot 1." As the other OS was also using finger print image slot one for its print of you on its side, the fact that it clobbered the image with another image of your same finger didn’t actually matter.

Kind of yes. As Craig’s report where multiple OSes are using the same finger print database it clearly can be done, but the quirks of implementations are what it comes down to. Whereas fingerprintd will reject a similar enrollment as it seems to always want to use the next available slot and not clobber previous items. It’s being a kind citizen. I have a theory that Craig enrolled on Linux (Or “Other OS”) first and Windows said “Oh, Surely I’m the only OS that wants to use this hardware, and I don’t see any fingerprints enrolled in my database, so we are going to start indexing these finger prints from one all over again, previous images be damned.”

8 Likes
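The signed-report and confidence-threshold ideas from the post above, sketched as an added example (not code from the thread, from libfprint, or from any sensor firmware). The report layout, class and function names are hypothetical, and HMAC-SHA256 with a paired key stands in for the device's public-key signature; the 99% and 90% thresholds are the ones the post mentions.

```python
import hashlib
import hmac
import secrets
import struct

# Assumption: a key provisioned into the sensor at pairing time. HMAC-SHA256
# stands in for the public-key signature the post describes.
DEVICE_KEY = secrets.token_bytes(32)

# Thresholds from the post: 99% for logins, 90% for re-acquisition.
THRESHOLDS = {"login": 99, "reauth": 90}


def sensor_report(key, nonce, slot_id, confidence):
    """Sensor side (hypothetical layout): slot, confidence, host nonce, MAC."""
    body = struct.pack(">HB", slot_id, confidence) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Host:
    def __init__(self, key):
        self.key = key
        self.pending = None  # nonce of the outstanding challenge, if any

    def challenge(self):
        """Issue a fresh random nonce that the next report must echo."""
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, report, purpose):
        """Return the matched slot ID, or None if the report is rejected."""
        nonce, self.pending = self.pending, None  # each nonce is single use
        if nonce is None or len(report) != 3 + 16 + 32:
            return None
        body, tag = report[:-32], report[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted report
        if not hmac.compare_digest(body[3:], nonce):
            return None  # authentic but stale: a replayed report
        slot_id, confidence = struct.unpack(">HB", body[:3])
        return slot_id if confidence >= THRESHOLDS[purpose] else None


if __name__ == "__main__":
    host = Host(DEVICE_KEY)
    report = sensor_report(DEVICE_KEY, host.challenge(), 7, 99)
    print("fresh report :", host.verify(report, "login"))
    host.challenge()
    print("replayed copy:", host.verify(report, "login"))
```

Because the host binds every report to a nonce it issued once, a captured "match" message is useless on any later attempt even though its authentication tag is still valid.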

Thanks for contributing this. I’d reinstalled Fedora 36 after messing up initial install. Only thing not working was fingerprint reader. Ran your script. Now all works.

Should be ‘Framework official guide’ for this.

(12th Gen Batch 1)

1 Like

Thank you for your detailed explanation! I understand how it works a lot better now.

When I first got my Framework I dual-booted between Windows and Ubuntu. I first enrolled on Windows, and it worked fine. I was unable to enroll on Ubuntu – it just couldn’t seem to initialize the fingerprint reader.

Later I scrapped my Ubuntu partition and gave the whole SSD to Windows. I bought a 256GB expansion card and loaded the same version of Ubuntu on it. When I booted to Ubuntu from the card, I was able to enroll with the fingerprint scanner and now it works fine on both OSs.

So it seems my guess about an OS “owning” the scanner was wrong. But I don’t have any other explanation for the behavior. :man_shrugging:

Thanks again for explaining how it works! It was a really interesting read.

Craig

1 Like

Thank you good sir! This did the trick!

1 Like

Like many other thank yous, this worked for me - even when the other Python script wouldn’t. I’m on Arch Linux, with standard installs of fprintd / libfprint - but the Goodix reader had fingerprints from prior OSes saved. After running your AppImage I was able to use GNOME settings and add fingerprints thru the user accounts section of settings.

THANKS.

For those on nixos, you can use the python script below (Found in a post by Kani on framework discord)

#!/usr/bin/env python3

import gi
gi.require_version('FPrint', '2.0')
from gi.repository import FPrint

ctx = FPrint.Context()

for dev in ctx.get_devices():
    print(dev)
    print(dev.get_driver())
    print(dev.props.device_id)

    dev.open_sync()

    dev.clear_storage_sync()
    print("All prints deleted.")

    dev.close_sync()

Run it as root via

nix-shell -p gobject-introspection -p libfprint -p gusb -p 'python3.withPackages (p: with p; [pygobject3])' --run ./fprintclear.py

Note there are no args/options. It will immediately delete all other OS fingerprints

6 Likes

Thanks a lot for posting this here. I was close to just going back to Arch after two days of NixOS until I tried this. Never got the python script to work with flake/shell.nix & this magically worked!

@Shy_Guy I’m not an expert in Python, and tried to execute your script in Fedora and this is what I got.


[auser@fedora ~]$ sudo ./fprintclear.py 
[sudo] password for auser: 
<__gi__.FpiDeviceElanmoc object at 0x7f059f1d7080 (FpiDeviceElanmoc at 0x556ee70611b0)>
elanmoc
0
libusb: error [udev_hotplug_event] ignoring udev action change
libusb: error [udev_hotplug_event] ignoring udev action change
Traceback (most recent call last):
  File "/home/auser/./fprintclear.py", line 16, in <module>
    dev.clear_storage_sync()
gi.repository.GLib.GError: fp - device - error - quark: Device doesn't support clearing storage. (1)
libusb: warning [libusb_exit] device 3.4 still referenced
libusb: warning [libusb_exit] device 3.1 still referenced
libusb: warning [libusb_exit] application left some devices open

(process:11227): libfprint-device-WARNING **: 10:07:14.612: User destroyed open device! Not cleaning up properly!
[auser@fedora ~]$ 

The fingerprint device I have is Elan

[auser@fedora ~]$ lsusb | grep -i elan
Bus 003 Device 004: ID xxxx:xxxx Elan Microelectronics Corp. ELAN:ARM-M4
[auser@fedora ~]$ 

I have tried to make the fingerprint reader work in Ubuntu 22.04, Ubuntu 22.10 and Fedora 37; it doesn’t work anywhere. I only tried the Python script provided by @Shy_Guy in Fedora.

apt list fprintd -a

Listing... Done

fprintd/jammy-updates,now 1.94.2-1ubuntu0.22.04.1 amd64 [installed]

fprintd/jammy 1.94.2-1 amd64
root@alaptop:/home/auser# apt-get install fprintd=1.94.2-1
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libfprint-2-2
The following NEW packages will be installed:
  fprintd libfprint-2-2
0 to upgrade, 2 to newly install, 0 to remove and 1 not to upgrade.
Need to get 386 kB of archives.
After this operation, 1,507 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://au.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libfprint-2-2 amd64 1:1.94.3+tod1-0ubuntu2~22.04.03 [288 kB]
Get:2 http://au.archive.ubuntu.com/ubuntu jammy/main amd64 fprintd amd64 1.94.2-1 [98.3 kB]
Fetched 386 kB in 0s (1,275 kB/s) 
Selecting previously unselected package libfprint-2-2:amd64.
(Reading database ... 198491 files and directories currently installed.)
Preparing to unpack .../libfprint-2-2_1%3a1.94.3+tod1-0ubuntu2~22.04.03_amd64.deb ...
Unpacking libfprint-2-2:amd64 (1:1.94.3+tod1-0ubuntu2~22.04.03) ...
Selecting previously unselected package fprintd.
Preparing to unpack .../fprintd_1.94.2-1_amd64.deb ...
Unpacking fprintd (1.94.2-1) ...
Setting up libfprint-2-2:amd64 (1:1.94.3+tod1-0ubuntu2~22.04.03) ...
Setting up fprintd (1.94.2-1) ...
fprintd.service is a disabled or a static unit, not starting it.
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Processing triggers for udev (249.11-0ubuntu3.6) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
root@alaptop:/home/auser# 
root@alaptop:/home/auser# 
root@alaptop:/home/auser# fprintd-enroll
Using device /net/reactivated/Fprint/Device/0
Enrolling right-index-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-unknown-error
root@alaptop:/home/auser# 

In Fedora

[root@fedora ~]# fprintd-enroll
Using device /net/reactivated/Fprint/Device/0
Enrolling right-index-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-unknown-error
[root@fedora ~]# 

What do I do?

Clean install of Fedora 37, fingerprint reader works well. Cannot speak for previous releases or any tweaks made to existing installations.

@Matt_Hartley I also did a clean install of Fedora 37 and it doesn’t work. Maybe we have a different definition of clean install. I have 2 M2 slots. I have installed on one of the slots having Erase of the disk. It is not a dual boot drive but again I was booting into Ubuntu 22.04 from time to time which was on another M2 SSD drive.

I tend to believe this is kinda hardware/software issue as potentially different fingerprint scanners have different APIs. Some of them supporting different calls some of them not.
If you read my post above see the error which says

gi.repository.GLib.GError: fp - device - error - quark: Device doesn't support clearing storage. (1)

I tend to believe that Elan Microelectronics Corp. ELAN:ARM-M4 doesn’t support wiping; instead I have an option in BIOS to wipe fingerprint data. I probably should try to wipe out all fingerprints via BIOS and then repeat the install of Fedora 37 without booting Ubuntu or Windows.

@Matt_Hartley I wonder what finger print scanner you’ve got? Could you share what lsusb returns for you? BTW, may I ask you to do a favour? To execute the py script in Fedora 37 provided by Shy_Guy? If you run the script which was provided by @Shy_Guy the same way as I did, what is your output?

FYI, this is the lsusb -v for my working fingerprint scanner on my 12th Gen Batch 1 DIY (using fprintd on Arch). It’s a Goodix, not an Elan device:


Bus 003 Device 002: ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd. Goodix USB2.0 MISC
Couldn't open device, some information will be missing
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass          239 Miscellaneous Device
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x27c6 Shenzhen Goodix Technology Co.,Ltd.
  idProduct          0x609c 
  bcdDevice            1.00
  iManufacturer           1 Goodix Technology Co., Ltd.
  iProduct                2 Goodix USB2.0 MISC
  iSerial                 3 UID00000000_XXXX_MOC_B0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0020
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          3 
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              4 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0

Give this a try:

sudo dnf upgrade
sudo dnf install fprintd fprintd-pam

Make sure the service is enabled and running

systemctl status fprintd.service

If it needs to be enabled or started

systemctl enable fprintd.service
systemctl start fprintd.service

Erase any old prints
fprintd-delete

Let’s enroll your prints
fprintd-enroll

Reboot

1 Like