
System-Wide Fingerprint Auth on Arch Linux

System-wide fingerprint auth (SDDM, sudo, polkit, etc.) on Arch Linux using fprintd + libfprint + PAM.

Riki Phukon

Since switching from Windows 11 to CachyOS, my machine has been running better than ever. It's cooler, faster, and beautifully customized.

With a finely-tuned setup including Hyprland, an encrypted Btrfs drive with periodic snapshots for system recovery, and a blazing-fast Kitty terminal, everything feels seamless.

There was just one catch: my long, secure password. Typing it out for every login, sudo command, and application prompt quickly became cumbersome.

So, I went through the Arch bible to find a way to make my fingerprint reader work system-wide.

You can check whether your fingerprint reader is supported by consulting the list of supported devices or the list of unsupported devices.

To find out which reader you have, run lsusb in your terminal and look for its vendor:product ID.

By the end, you'll have a seamless fingerprint login experience that works everywhere from the SDDM login screen to the terminal and graphical prompts.

SDDM, which stands for Simple Desktop Display Manager, is a display manager for Linux systems that provides a graphical login interface for users to access their desktop environment. It's a modern and secure alternative to older display managers.

1. Update System & Install Required Packages

First, ensure your system is up-to-date and install the necessary packages: fprintd (the fingerprint daemon and its PAM module) and libfprint (the device drivers).

sudo pacman -Syu
sudo pacman -S fprintd
sudo pacman -S libfprint

2. Enroll Your Fingerprint

Now, it's time to register your fingerprints with the system under your user account.

Run fprintd-enroll; it asks for several touches, each with the finger placed slightly differently from the last.

fprintd-enroll

Follow the on-screen prompts until the enrollment process is successful. To verify which fingers are enrolled, use the following command:

fprintd-list $USER

3. Configure PAM for Fingerprint Authentication

This is the most crucial step. We will configure PAM (Pluggable Authentication Modules) to use fingerprint authentication as a primary method while retaining a password fallback.

Edit /etc/pam.d/system-auth and add the fingerprint module at the very top of the auth section:

auth            sufficient                      pam_fprintd.so
# add the line above

auth            required                        pam_faillock.so         preauth
-auth           [success=2 default=ignore]      pam_systemd_home.so
auth            [success=1 default=bad]         pam_unix.so             try_first_pass nullok
auth            [default=die]                   pam_faillock.so         authfail
auth            optional                        pam_permit.so
auth            required                        pam_env.so
auth            required                        pam_faillock.so         authsucc

This configuration marks fingerprint authentication (pam_fprintd.so) as sufficient: if the scan succeeds, the auth stack ends there and no password is required; if the scan fails, PAM simply continues to the standard password modules below it. Note that because the rule sits above pam_faillock.so preauth, a successful scan is accepted before the failed-login lockout is checked.

Pluggable Authentication Modules (PAM) is a framework used in Linux and UNIX-based systems to provide a flexible and modular approach to user authentication.

PAM separates the authentication mechanism from the applications that require authentication, allowing administrators to configure and modify authentication methods without altering the application code.

PAM's behavior is defined through configuration files, typically located in /etc/pam.d/. Each file corresponds to a specific service or application (e.g., login, sudo, ssh) and specifies the order and types of modules to be used for authentication, account management, session management, and password management.

By default, SDDM will still show a password field. You can trigger the fingerprint scan by simply pressing Enter on an empty password field.

4. Test Fingerprint Authentication

Now, let's verify that your new configuration is working across the system.

SDDM Login

SDDM-managed login screen. Notice the fingerprint auth prompt!

Place your finger on the sensor to log in without a password. You can also press Enter on the empty password field to trigger a fingerprint scan.

sudo

Fingerprint auth on a sudo command; it falls back to password auth.

sudo -K
sudo whoami

This should first prompt you for your fingerprint and then fall back to a password prompt if the scan fails.

Polkit GUI Prompts

Polkit is used for controlling system-wide privileges. It provides an organized way for non-privileged processes to communicate with privileged ones.

Check if graphical prompts (e.g., when installing software) now ask for your fingerprint.

Troubleshooting

If you encounter any issues, here are some common commands to help you diagnose the problem.

Check if the fprintd service is running:

systemctl status fprintd

View the logs for the fprintd service:

journalctl -u fprintd -f

If your device is not detected:

lsusb | grep 04f3:0c8c

04f3:0c8c is my fingerprint device. Find yours using the lsusb command.

Recovery (If Fingerprint Fails)

In the rare event that your fingerprint setup breaks and locks you out of your system, you can use these steps to recover.

Switch to a TTY by pressing Ctrl + Alt + any function key from F1 to F4.

Log in with your password.

Comment out the pam_fprintd.so line in the /etc/pam.d/system-auth file by adding a # at the beginning of the line.
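As an added example (my own script, not part of this writeup), here is a small bash helper that performs step 3 and this recovery step on a PAM file whose path you pass in, so you can try it on a scratch copy before touching /etc/pam.d/system-auth. It inserts the pam_fprintd.so rule above the first auth rule, refuses to insert it twice, comments it out again for recovery, writes a timestamped backup before every edit, and checks that the active rule is ordered before pam_unix.so. The function names, the backup naming and the sample file it writes are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the writeup): enable, disable and sanity-check the
# pam_fprintd.so rule in a system-auth style PAM file. The file path is a
# parameter, so the functions can be exercised on a copy before touching
# /etc/pam.d/system-auth. Every edit writes a timestamped backup first.
set -euo pipefail

# The rule from step 3, verbatim.
FPRINTD_LINE='auth            sufficient                      pam_fprintd.so'
FPRINTD_RE='^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_fprintd\.so'

backup() { cp -p -- "$1" "$1.bak.$(date +%s)"; }

# Replace a file's contents in place, keeping its mode and owner (matters under /etc).
replace_contents() { cat -- "$2" > "$1" && rm -f -- "$2"; }

# Exit 0 if an active (uncommented) pam_fprintd.so auth rule is present.
pam_fprintd_status() { grep -Eq "$FPRINTD_RE" "$1"; }

# Insert the rule before the first "auth" rule, unless it is already active.
pam_fprintd_enable() {
  local file=$1
  if pam_fprintd_status "$file"; then return 0; fi
  backup "$file"
  awk -v line="$FPRINTD_LINE" '
    !done && $1 == "auth" { print line; done = 1 }
    { print }
  ' "$file" > "$file.tmp"
  replace_contents "$file" "$file.tmp"
}

# Recovery step: comment the rule out with a leading "#", as the writeup does.
pam_fprintd_disable() {
  local file=$1
  pam_fprintd_status "$file" || return 0
  backup "$file"
  awk '
    /^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_fprintd\.so/ { print "# " $0; next }
    { print }
  ' "$file" > "$file.tmp"
  replace_contents "$file" "$file.tmp"
}

# Exit 0 only if the active fingerprint rule comes before pam_unix.so, i.e. it
# is consulted before the password module, as the stack in step 3 requires.
pam_fprintd_order_ok() {
  awk '
    /^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_fprintd\.so/ { fp = NR }
    /^[[:space:]]*-?auth[[:space:]].*pam_unix\.so/ && !ux { ux = NR }
    END { exit !(fp && ux && fp < ux) }
  ' "$1"
}

# Constructed sample modelled on the stack shown in step 3 (not a real /etc file).
write_sample() {
  cat > "$1" <<'EOF'
auth            required                        pam_faillock.so         preauth
-auth           [success=2 default=ignore]      pam_systemd_home.so
auth            [success=1 default=bad]         pam_unix.so             try_first_pass nullok
auth            [default=die]                   pam_faillock.so         authfail
auth            optional                        pam_permit.so
auth            required                        pam_env.so
auth            required                        pam_faillock.so         authsucc
EOF
}

# Demo on a scratch copy: ./pam_fprintd.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_sample "$tmp/system-auth"
  pam_fprintd_enable "$tmp/system-auth"
  pam_fprintd_order_ok "$tmp/system-auth" && echo "fingerprint rule active and ordered before pam_unix.so"
  pam_fprintd_disable "$tmp/system-auth"
  pam_fprintd_status "$tmp/system-auth" || echo "fingerprint rule commented out (recovery state)"
  cat "$tmp/system-auth"
fi
```

To apply it to the real file you would call pam_fprintd_enable /etc/pam.d/system-auth as root, and pam_fprintd_disable on the same path from a TTY if you ever need to recover; the backup it leaves beside the file is what you diff against afterwards.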

✨ And there you go! You have your fingerprint auth setup for your Arch Linux machine.


Footnotes:

Setup fprint (Arch wiki)
Using a fingerprint reader (Arch wiki)
