From ArchWiki
Revision as of 18:00, 9 September 2017 by Lahwaacz.bot (talk | contribs) (update man page references, updated man page links (interactive))
Jump to: navigation, search

From the fprint homepage:

The fprint project aims to plug a gap in the Linux desktop: support for consumer fingerprint reader devices.

The idea is to use the built-in fingerprint reader in some notebooks for login using PAM. This article will also explain how to use regular password for backup login method (solely fingerprint scanner is not recommended due to numerous reasons).


Make sure you have one of the supported finger scanners. You can check if your device is supported by checking this list of supported devices. To check which one you have, type

# lsusb


Install the fprintd package. imagemagick might also be needed.


Login configuration

Note: If you use GDM, the fingerprint-option is already available in the login menu (if not add yourself to the input group). You can skip this section!

Add pam_fprintd.so as sufficient to the top of the auth section of /etc/pam.d/system-local-login:

auth      sufficient pam_fprintd.so
auth      include   system-login

This tries to use fingerprint login first, and if it fails or if it finds no fingerprint signatures in the give user's home directory, it proceeds to password login.

You can also modify other files in /etc/pam.d/ in the same way, for example /etc/pam.d/polkit-1 for GNOME polkit authentication.

Create fingeprint signature

To add a signature for a finger, run

$ fprintd-enroll

or create a new signature for all fingers ([username] must be replaced with your username)

$ fprintd-delete [username]
$ for finger in {left,right}-{thumb,{index,middle,ring,little}-finger}; do fprintd-enroll -f $finger [username]; done

You will be asked to scan the given finger. Swipe your right index finger five times. After that, the signature is created in /var/lib/fprint/.

For more information, see fprintd(1).

Restrict enrolling

By default you are allowed to enroll new fingerprints without prompting for the password or the fingerprint. You can change this behavior using Polkit rules.

In the following example only superuser can enroll fingerprints:

polkit.addRule(function (action, subject) {
  if (action.id == "net.reactivated.fprint.device.enroll") {
    return subject.user == "root" ? polkit.Result.YES : polkit.result.NO