Fingerprint scanner: Difference between revisions

Latest revision as of 16:48, 2 February 2025

Fingerprint scanners (on laptop computers) can be used to unlock devices instead of using passwords.

Install

# Start the driver at boot
systemd.services.fprintd = {
  wantedBy = [ "multi-user.target" ];
  serviceConfig.Type = "simple";
};

# Install the driver
services.fprintd.enable = true;
# If simply enabling fprintd is not enough, try enabling fprintd.tod...
services.fprintd.tod.enable = true;
# ...and use one of the next four drivers
services.fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix; # Goodix driver module
# services.fprintd.tod.driver = pkgs.libfprint-2-tod1-elan; # Elan(04f3:0c4b) driver
# services.fprintd.tod.driver = pkgs.libfprint-2-tod1-vfs0090; # driver for 2016 ThinkPads
# services.fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix-550a; # Goodix 550a driver (from Lenovo)

# however for focaltech 2808:a658, use fprintd with overidden package (without tod)
# services.fprintd.package = pkgs.fprintd.override {
#   libfprint = pkgs.libfprint-focaltech-2808-a658;
# };

Enroll fingerprint

Fingerprint enrollment can be done via the CLI or the UI in the Desktop Environment if available.

CLI

$ sudo fprintd-enroll

Gnome

In Gnome, the the fingerprints can be configured through the Settings application.

Open Gnome Settings
Scroll down to System
Enter the Users menu
Enter Fingerprint Login and add fingerprints

Note: If the Fingerprint Login item is not available, the fprintd driver might not be configured correctly.

Login

While services.fprintd.enable = true; enables fingerprint login for the majority of display manager via the corresponding PAM module, it can sometimes disable the ability to login using a password. This is addressed in the GitHub issue 171136. In that issue, a possible workaround is addressed using a custom PAM module for the gnome display manager:

security.pam.services.login.fprintAuth = false;
security.pam.services.gdm-fingerprint = lib.mkIf (config.services.fprintd.enable) {
      text = ''
        auth       required                    pam_shells.so
        auth       requisite                   pam_nologin.so
        auth       requisite                   pam_faillock.so      preauth
        auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
        auth       optional                    pam_permit.so
        auth       required                    pam_env.so
        auth       [success=ok default=1]      ${pkgs.gdm}/lib/security/pam_gdm.so
        auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so

        account    include                     login

        password   required                    pam_deny.so

        session    include                     login
        session    optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
      '';
    };
};

@@ Line 15: / Line 15: @@
 # ...and use one of the next four drivers
 services.fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix; # Goodix driver module
-# services.fprintd.tod.driver = pkgs.libfprint-2-tod1-elan # Elan(04f3:0c4b) driver
+# services.fprintd.tod.driver = pkgs.libfprint-2-tod1-elan; # Elan(04f3:0c4b) driver
 # services.fprintd.tod.driver = pkgs.libfprint-2-tod1-vfs0090; # driver for 2016 ThinkPads
-# services.fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix-550a # Goodix 550a driver (from Lenovo)
+# services.fprintd.tod.driver = pkgs.libfprint-2-tod1-goodix-550a; # Goodix 550a driver (from Lenovo)
+# however for focaltech 2808:a658, use fprintd with overidden package (without tod)
+# services.fprintd.package = pkgs.fprintd.override {
+#   libfprint = pkgs.libfprint-focaltech-2808-a658;
+# };
 </syntaxhighlight>
 == Enroll fingerprint ==
-Just run <syntaxhighlight lang="bash">sudo fprintd-enroll</syntaxhighlight> or use the UI in the Desktop Environment if available.
+Fingerprint enrollment can be done via the [[Command Shell|CLI]] or the UI in the Desktop Environment if available.
+=== CLI ===
+<syntaxhighlight lang="bash">$ sudo fprintd-enroll</syntaxhighlight>
+=== Gnome ===
+In [[GNOME|Gnome]], the the fingerprints can be configured through the Settings application.
+# Open Gnome Settings
+# Scroll down to ''System''
+# Enter the ''Users'' menu
+# Enter ''Fingerprint Login'' and add fingerprints
+'''Note:''' If the ''Fingerprint Login'' item is not available, the <code>fprintd</code> driver might not be configured correctly.
 == Login ==
@@ Line 35: / Line 51: @@
          auth       optional                    pam_permit.so
          auth       required                    pam_env.so
-         auth       [success=ok default=1]      ${pkgs.gnome.gdm}/lib/security/pam_gdm.so
+         auth       [success=ok default=1]      ${pkgs.gdm}/lib/security/pam_gdm.so
-         auth       optional                    ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so
+         auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
          account    include                     login
@@ Line 43: / Line 59: @@
          session    include                     login
-         session    optional                    ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
+         session    optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
        '';
      };