Setting up fingerprint auth on Kubuntu (Thinkpad X1)


Using a fingerprint to unlock your computer or elevate privileges (sudo) is a nice convenience, saving time during daily use of a computer. This article will show you how to set up fingerprint authentication on Ubuntu KDE. You’ll still need to enter your password to log in, but once logged in you will be able to use a fingerprint to unlock or use sudo.

This guide is based on a Thinkpad X1 running Kubuntu 22.04, but it should work for most laptops with supported fingerprint sensors. You can check whether your fingerprint sensor is supported by searching for “Linux fingerprint” and your computer’s make/model. The Arch wiki is especially useful for this sort of thing, even if you don’t use Arch.

It goes without saying that this comes without warranty; back up your data, and have a LiveUSB ready. There are some pointers on recovering from mistakes at the bottom of this page. Luckily, I never needed to use a LiveUSB; I could easily recover from a virtual console.

Steps

Install fprint

Run lsusb and check that you can see your fingerprint sensor. For a Thinkpad X1, this will be 06cb:00bd Synaptics, Inc. Prometheus MIS Touch Fingerprint Reader.

If you don’t see it, then your firmware may be outdated or the sensor may not be supported. You can use fwupdmgr to update your firmware.

Next install fprint: sudo apt install -y fprintd libpam-fprintd

Enroll Fingerprint

You now need to enroll at least one finger so that fprint can recognise you.

You can do that using the GUI, by going to Settings > Users > Configure Fingerprint Authentication.

Alternatively, you can use the CLI: Run fprintd-enroll $USER and swipe your finger over the sensor 3 times.

Set up the Authentication Module (PAM)

Enable the fprint pam module by running sudo pam-auth-update, checking Fingerprint, and selecting OK.

Manual Changes

In theory, the above should be all that you need to do to use fingerprints for login and sudo auth, but I found that logins were broken. So we’ll need to do a few more steps to fix that.

The Pluggable Authentication Module (PAM) configuration files can be found at /etc/pam.d/, and are used to determine how to authenticate the user. I needed to change the order of the authentication methods to get it to work.

First, comment out the fprint line in /etc/pam.d/common-auth if present, to prevent fprint from always being used.

To use fingerprints for sudo, add the following lines to /etc/pam.d/sudo above @include common-auth:

auth [success=2 default=ignore] pam_fprintd.so max_tries=2 timeout=10

To use fingerprints to unlock, create a new file /etc/pam.d/kde:

auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so max_tries=2 timeout=10
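
The success=2 jump in the sudo line above only works if it lands on the right module once @include common-auth is expanded. The following is an added example, not part of the original article: it flattens a sudo auth stack and reports where a successful fingerprint lands and whether a password fallback still follows. The file contents are constructed samples, the function names are hypothetical, and it assumes @include is expanded in place so jump counts carry into the included file.

```python
import re

# Constructed sample files modelled on the layout the article describes
# (not copied from a real system).
FILES = {
    "sudo": """\
auth [success=2 default=ignore] pam_fprintd.so max_tries=2 timeout=10
@include common-auth
""",
    "common-auth": """\
# fprint line commented out here, as the article instructs
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
""",
}

def flatten(name, files):
    """Return the auth stack as (control, module) pairs, expanding @include in place."""
    stack = []
    for line in files[name].splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            stack += flatten(line.split()[1], files)
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            stack.append((m.group(1), m.group(2)))
    return stack

def success_target(stack, i):
    """Module reached when entry i succeeds with a [success=N] jump, or None."""
    m = re.search(r"success=(\d+)", stack[i][0])
    if not m:
        return None
    j = i + int(m.group(1)) + 1                # skip N modules after entry i
    return stack[j][1] if j < len(stack) else "<end of stack>"

def audit(name, files):
    """Summarise the fingerprint entry of one service's auth stack."""
    stack = flatten(name, files)
    mods = [mod for _, mod in stack]
    fp = mods.index("pam_fprintd.so")
    return {
        "fingerprint_success_lands_on": success_target(stack, fp),
        "password_fallback_after_fingerprint": "pam_unix.so" in mods[fp + 1:],
    }

if __name__ == "__main__":
    print(audit("sudo", FILES))
```

Replacing the strings in FILES with the real contents of /etc/pam.d/sudo and /etc/pam.d/common-auth before logging out shows whether a local edit has moved the jump target onto pam_deny.so or past the end of the stack.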

Test It

Lock your screen, and check you can still use your password to unlock - this is useful when the fingerprint sensor fails. Now check that the fingerprint works; press Enter on the password field and then touch the sensor.

Recovering from Mistakes

When changing authentication settings, there’s always a possibility of being locked out; this happened a few times before I figured out how to make this work.

Using Virtual Consoles

You can switch to a Virtual Console by pressing Ctrl + Alt + F2. This is a fullscreen console that allows you to log into the system without going through the lock screen. From here, you can edit the configuration files using nano or your CLI editor of choice.

See Linux Virtual Consoles Explained for more info.

Using a LiveUSB

As a last resort, it’s possible to use a LiveUSB/LiveCD to edit the authentication configuration files. This is possible for both unencrypted and encrypted drives, as you can mount encrypted partitions using cryptsetup.

Image © 2019 Olena Bohovyk