Difference between revisions of "Fprint"

From ArchWiki
Jump to: navigation, search
(Undo revision 287280 by Pizzapill (talk))
m (block quote style)
 
(14 intermediate revisions by 11 users not shown)
Line 1: Line 1:
 +
{{Lowercase title}}
 
[[Category:Input devices]]
 
[[Category:Input devices]]
 
[[bg:Fprint]]
 
[[bg:Fprint]]
 
[[fa:Fprint]]
 
[[fa:Fprint]]
 +
[[ja:Fprint]]
 +
{{Related articles start}}
 +
{{Related|Fingerprint-gui}}
 +
{{Related|ThinkFinger}}
 +
{{Related articles end}}
 +
 
From [http://www.freedesktop.org/wiki/Software/fprint/ the fprint homepage]:
 
From [http://www.freedesktop.org/wiki/Software/fprint/ the fprint homepage]:
  
:''The fprint project aims to plug a gap in the Linux desktop: support for consumer fingerprint reader devices.''
+
:The fprint project aims to plug a gap in the Linux desktop: support for consumer fingerprint reader devices.
  
The idea is to use the built-in fingerprint reader in some notebooks for login using PAM. This article will also explain how to use regular password for backup login method (solely fingerprint scanner is not recommended due to numerous reasons).
+
The idea is to use the built-in fingerprint reader in some notebooks for login using [[PAM]]. This article will also explain how to use regular password for backup login method (solely fingerprint scanner is not recommended due to numerous reasons).
  
 
== Prerequisites ==
 
== Prerequisites ==
Line 15: Line 22:
 
== Installation ==
 
== Installation ==
  
Install {{Pkg|fprintd}} from the [[official repositories]]. {{Pkg|imagemagick}} might also be needed.
+
[[Install]] the {{Pkg|fprintd}} package. {{Pkg|imagemagick}} might also be needed.
  
 
== Configuration ==
 
== Configuration ==
Line 21: Line 28:
 
=== Login configuration ===
 
=== Login configuration ===
  
{{Note|If you use [[GDM]], the fingerprint-option is already available in the login menu. You can skip this section!}}
+
{{Note|If you use [[GDM]], the fingerprint-option is already available in the login menu (if not add yourself to the {{ic|input}} group). You can skip this section!}}
  
Add {{ic|pam_fprintd.so}} as sufficient to the top of the auth section of {{ic|/etc/pam.d/system-local-login}}:
+
Add {{ic|pam_fprintd.so}} as ''sufficient'' to the top of the auth section of {{ic|/etc/pam.d/system-local-login}}:
  
 
{{hc|/etc/pam.d/system-local-login|
 
{{hc|/etc/pam.d/system-local-login|
Line 31: Line 38:
 
}}
 
}}
  
This tries to use fingerprint login first, and if if fails or if it finds no fingerprint signatures in the give user's home directory, it proceeds to password login.
+
This tries to use fingerprint login first, and if it fails or if it finds no fingerprint signatures in the give user's home directory, it proceeds to password login.
  
 
You can also modify other files in {{ic|/etc/pam.d/}} in the same way, for example {{ic|/etc/pam.d/polkit-1}} for GNOME polkit authentication.
 
You can also modify other files in {{ic|/etc/pam.d/}} in the same way, for example {{ic|/etc/pam.d/polkit-1}} for GNOME polkit authentication.
Line 39: Line 46:
 
To add a signature for a finger, run
 
To add a signature for a finger, run
 
  $ fprintd-enroll
 
  $ fprintd-enroll
 +
or create a new signature for all fingers ([username] must be replaced with your username)
 +
$ fprintd-delete [username]
 +
$ for finger in {left,right}-{thumb,{index,middle,ring,little}-finger}; do fprintd-enroll -f $finger [username]; done
  
You will be asked to scan the given finger. After that, the signature is created in {{ic|/var/lib/fprint/}}.
+
You will be asked to scan the given finger. Swipe your right index finger '''five times'''. After that, the signature is created in {{ic|/var/lib/fprint/}}.
  
 
For more information, see {{ic|man fprintd}}.
 
For more information, see {{ic|man fprintd}}.
  
== Setup fingerprint-gui ==
+
=== Restrict enrolling ===
{{out of date|packages do not exist anymore}}
 
 
 
An alternate fingerprint reader gui.
 
This works with libfprint-unstable which has support for the new Upeksonly readers, such as,
 
the new Thinkpad W510 T510 T410 T420 Upeksonly reader with USB ID 147e:2016
 
 
 
http://www.thinkwiki.org/wiki/Integrated_Fingerprint_Reader
 
 
 
http://www.n-view.net/Appliance/fingerprint/
 
 
 
Install as dependency {{Pkg|libfakekey}} and {{Pkg|fingerprint-gui}}.
 
 
 
Please make sure your user is a member of "plugdev" and "scanner" group if you use UPEK non-free library. You may also have to log out and back in for these changes to take effect.
 
# gpasswd -a USER plugdev
 
# gpasswd -a USER scanner
 
 
 
fingerprint-polkit-agent conflicts with files in {{ic|/etc/xdg/autostart}} that must
 
be removed:
 
"polkit-gnome-authentication-agent-1.desktop" and
 
"polkit-kde-authentication-agent-1.desktop".
 
 
 
Edit your PAM configuration (e.g., {{ic|<nowiki>/etc/pam.d/{login,su,sudo,gdm}</nowiki>}}).
 
 
 
Change the auth section to read:
 
  
auth      required pam_env.so
+
By default you are allowed to enroll new fingerprints without prompting for the password or the fingerprint. You can change this behavior using Polkit rules.
auth      sufficient  pam_fingerprint-gui.so
 
auth      sufficient  pam_unix.so try_first_pass likeauth nullok
 
auth      required pam_deny.so
 
  
Add this to your ~/.bashrc file if you get an error saying that it can't connect to X desktop (see [[Xhost#The_.27cannot_connect_to_X_server_:0.0.27_output|this]] for more details).
+
In the following example only superuser can enroll fingerprints:
xhost + >/dev/null
 
  
Now run fingerprint-gui and register fingerprints for the current user. You will need to run fingerprint-gui and register fingerprints as all users you want to use the fingerprint reader, i.e. as root to use it for "su" login.
+
{{hc|/etc/polkit-1/rules.d/50-net.reactivated.fprint.device.enroll.rules|<nowiki>polkit.addRule(function (action, subject) {
 +
  if (action.id == "net.reactivated.fprint.device.enroll") {
 +
    return subject.user == "root" ? polkit.Result.YES : polkit.result.NO
 +
  }
 +
})</nowiki>}}

Latest revision as of 23:18, 10 May 2017

Related articles

From the fprint homepage:

The fprint project aims to plug a gap in the Linux desktop: support for consumer fingerprint reader devices.

The idea is to use the built-in fingerprint reader in some notebooks for login using PAM. This article will also explain how to use regular password for backup login method (solely fingerprint scanner is not recommended due to numerous reasons).

Prerequisites

Make sure you have one of the supported finger scanners. You can check if your device is supported by checking this list of supported devices. To check which one you have, type

# lsusb

Installation

Install the fprintd package. imagemagick might also be needed.

Configuration

Login configuration

Note: If you use GDM, the fingerprint-option is already available in the login menu (if not add yourself to the input group). You can skip this section!

Add pam_fprintd.so as sufficient to the top of the auth section of /etc/pam.d/system-local-login:

/etc/pam.d/system-local-login
auth      sufficient pam_fprintd.so
auth      include   system-login
...

This tries to use fingerprint login first, and if it fails or if it finds no fingerprint signatures in the give user's home directory, it proceeds to password login.

You can also modify other files in /etc/pam.d/ in the same way, for example /etc/pam.d/polkit-1 for GNOME polkit authentication.

Create fingeprint signature

To add a signature for a finger, run

$ fprintd-enroll

or create a new signature for all fingers ([username] must be replaced with your username)

$ fprintd-delete [username]
$ for finger in {left,right}-{thumb,{index,middle,ring,little}-finger}; do fprintd-enroll -f $finger [username]; done

You will be asked to scan the given finger. Swipe your right index finger five times. After that, the signature is created in /var/lib/fprint/.

For more information, see man fprintd.

Restrict enrolling

By default you are allowed to enroll new fingerprints without prompting for the password or the fingerprint. You can change this behavior using Polkit rules.

In the following example only superuser can enroll fingerprints:

/etc/polkit-1/rules.d/50-net.reactivated.fprint.device.enroll.rules
polkit.addRule(function (action, subject) {
  if (action.id == "net.reactivated.fprint.device.enroll") {
    return subject.user == "root" ? polkit.Result.YES : polkit.result.NO
  }
})