Skip to main content
The cover image for "Setting up fingerprint auth on Kubuntu (Thinkpad X1)"

Setting up fingerprint auth on Kubuntu (Thinkpad X1)

2 min read (578 words)

Sidebar

Using a fingerprint to unlock your computer or elevate privileges (sudo) is a nice convenience, saving time during daily use of a computer. This article will show you how to set up fingerprint authentication on Ubuntu KDE. You'll still need to enter your password to login, but once logged in you will be able to use a fingerprint to unlock or use sudo. This guide is based on a Thinkpad X1 running Kubuntu 22.04, but it should work for most laptops with supported fingerprint sensors. You can check whether your fingerprint sensor is supported by searching for "Linux fingerprint" and your computer's make/model. The Arch wiki is [especially useful](https://wiki.archlinux.org/title/Lenovo_ThinkPad_X1_Carbon_(Gen_7)#Fingerprint_sensor) for this sort of thing, even if you don't use Arch. It goes without saying that this comes without warranty; backup your data, and have a LiveUSB ready. There are some pointers on recovering from mistakes at the bottom of this page. Luckily, I never needed to use a LiveUSB, I could easily recover from a virtual console.

Using a fingerprint to unlock your computer or elevate privileges (sudo) is a nice convenience, saving time during daily use of a computer. This article will show you how to set up fingerprint authentication on Ubuntu KDE. You’ll still need to enter your password to login, but once logged in you will be able to use a fingerprint to unlock or use sudo.

This guide is based on a Thinkpad X1 running Kubuntu 22.04, but it should work for most laptops with supported fingerprint sensors. You can check whether your fingerprint sensor is supported by searching for “Linux fingerprint” and your computer’s make/model. The Arch wiki is especially useful for this sort of thing, even if you don’t use Arch.

It goes without saying that this comes without warranty; backup your data, and have a LiveUSB ready. There are some pointers on recovering from mistakes at the bottom of this page. Luckily, I never needed to use a LiveUSB, I could easily recover from a virtual console.

Steps #

Install fprint #

Run lsusb and check that you can see your fingerprint sensor. For a Thinkpad X1, this will be 06cb:00bd Synaptics, Inc. Prometheus MIS Touch Fingerprint Reader.

If you don’t, then your firmware may be outdated or the sensor may not be supported. You can use fwupdmgr to update your firmware.

Next install fprint: sudo apt install -y fprintd libpam-fprintd

Enroll Fingerprint #

You now need to enroll at least one finger so that fprint can recognise you.

You can do that using the GUI, by going to Settings > Users > Configure Fingerprint Authentication.

Alternatively, you can use the CLI: Run fprintd-enroll $USER and swipe your finger over the sensor 3 times.

Set up the Authentication Module (PAM) #

Enable the fprint pam module by running sudo pam-auth-update, checking Fingerprint, and selecting OK.

Manual Changes #

In theory, the above should be all that you need to do to use fingerprints for login and sudo auth, but I found that logins were broken. So we’ll need to do a few more steps to fix that.

The Pluggable Authentication Module (PAM) configuration files can be found at /etc/pam.d/, and are used to determine how to authenticate the user. I needed to change the order of the authentication methods to get it to work.

First, comment out the fprint line in /etc/pam.d/common-auth if present, to prevent fprint from always being used.

To use fingerprints for sudo, add the following lines to /etc/pam.d/sudo above @include common-auth:

auth [success=2 default=ignore] pam_fprintd.so max_tries=2 timeout=10

To use fingerprints to unlock, create a new file /etc/pam.d/kde:

auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so max_tries=2 timeout=10

Test It #

Lock your screen, and check you can still use your password to unlock - this is useful when the fingerprint sensor fails. Now check that the fingerprint works; press Enter on the password field and then touch the sensor.

Recovering from Mistakes #

When changing authentication settings, there’s always a possibility of being locked out; this happened a few times before I figured out how to make this work.

Using Virtual Consoles #

You can switch to a Virtual Console by pressing Ctrl + Alt + F2. This is a fullscreen console that allows you to log into the system without going through the lock screen. From here, you can edit the configuration files using nano or your CLI editor of choice.

See Linux Virtual Consoles Explained for more info.

Using a LiveUSB #

As a last resort, it’s possible to use a LiveUSB/LiveCD to edit the authentication configuration files. This is possible for both unencrypted and encrypted drives, as you can mount encrypted partitions using cryptsetup.

Conclusion #

Sources #

Image © 2019 Olena Bohovyk

Comments

Leave comment

Shown publicly next to your comment. Leave blank to show as "Anonymous".
Optional, to notify you if rubenwardy replies. Not shown publicly.
Max 1800 characters. You may use plain text, HTML, or Markdown.
Kubuntu user

If you are Kubuntu 23.04(KDE), you can following steps。(Because the steps above can not work for me)

  1. Install fprint

  2. Enroll Fingerprint and Set up the Authentication Module (PAM) (abve)

  3. Manual Changes: Add (auth sufficient pam_fprintd.so max_tries=2 timeout=10) at the top of /etc/pam.d/sddm

  4. To use fingerprints to unlock, create a new file /etc/pam.d/kde

    auth sufficient pam_unix.so try_first_pass likeauth nullok auth sufficient pam_fprintd.so max_tries=2 timeout=10

  5. Log out, try it. You must press Enter on the keyboard, then put the finger on the scanner.

Rik

Re Kubuntu user’s comment, i can confirm this works for 23.04.

Strangely, I am not able to login with the password --> that results in a screen freeze. Only when I then read my fingerprint does it log in.

Also, I needed to delete the line in /etc/pam.d/sudo to make fingerprint for sudo work (otherwise it asks but it does not accept it) I have in multiple places now that I can ONLY use fingerprint (login after reboot, sudo…). If anyone has a solution for that would be appreciated

rubenwardy

Hey, unfortunately I don’t use 23.04 so can’t help by trying it out. Hopefully you find the solution though