Fingerprint reader
Some laptops (especially those of the ThinkPad persuasion) come with an integrated fingerprint reader which can be used for authentication.
Many guides expect the fingerprint reader to be used in place of a password. It is important to note that fingerprint reader technology is not considered secure by security experts.[1] Fingerprints should not be substituted for passwords on any device. Passwords can be easily changed; fingers cannot.[2] There are many known techniques for lifting fingerprints from the device casing in order to gain access to the system through the fingerprint reader.
With that warning understood, it is perfectly acceptable to use a fingerprint to identify the user account before signing in with key-based or another form of authentication.
Available software
The fprint project is probably the most advanced solution for integrating fingerprint readers in Linux. Other solutions, such as thinkfinger, are mostly outdated and do not provide as general an approach as fprint.
Name | Package | Homepage | Description |
---|---|---|---|
fprint | sys-auth/fprintd | https://cgit.freedesktop.org/libfprint/fprintd/ | fprint consists of several components. The primary one is a daemon that provides access to fprint functionality through D-Bus to applications such as login managers (GDM, KDM, ...), screen locking mechanisms, etc. |
thinkfinger | sys-auth/thinkfinger | http://thinkfinger.sourceforge.net/ | Support for the UPEK/SGS Thomson Microelectronics fingerprint reader, often seen in ThinkPad laptops. |
python-validity | sys-auth/python-validity-0.12::vowstar | | Some hardware needs the open-fprintd, fprintd-clients and python3-validity packages to use fingerprint scanners, such as the Synaptics, Inc. Metallica MIS Touch Fingerprint Reader. These packages extend fprint. |
Enrolling a fingerprint
Enroll a fingerprint as a user:
user $ fprintd-enroll
To enroll a fingerprint for a specific user[3], use the fprintd-enroll utility:
root # fprintd-enroll <user>
To enroll a certain finger:
root # fprintd-enroll -f right-index-finger <user>
To test if the finger is enrolled, use the fprintd-verify command:
user $ fprintd-verify -f right-index-finger
Graphical Integration
KDE supports adding and removing fingerprints in its system settings app, under the users tab, by clicking "configure fingerprint authentication".[4]
As for graphical authentication, a fingerprint can be used to log in, wake up from sleep, and run sudo in the terminal; however, it is unknown at this time whether it can replace the authentication popups.
Configuring fprintd for use with PAM
PAM is the authentication framework used by Linux. To use a fingerprint reader with PAM, insert the following line into the PAM configuration file of the service that should accept fingerprint authentication.
auth sufficient pam_fprintd.so
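With the `sufficient` control, a successful fingerprint match satisfies the auth stack on its own (provided no earlier `required` module has failed), so it is worth checking which services end up accepting a fingerprint alone. The following Python audit is an added example, not part of the original page or of fprintd; the sample file contents and all function names are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample of a PAM service file (not taken from a real system).
SAMPLE_SUDO = """\
# /etc/pam.d/sudo (constructed example)
auth      sufficient  pam_fprintd.so
auth      include     system-auth
account   include     system-auth
"""

def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a pam.d file."""
    text = text.replace("\\\n", " ")           # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # An optional leading "-" on the type means "ignore a missing module".
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            yield m.groups()

def fingerprint_alone(control):
    """True if a successful match ends the auth stack with no further factor."""
    if control == "sufficient":
        return True
    if control.startswith("["):                # e.g. [success=done default=ignore]
        actions = dict(kv.split("=", 1) for kv in control[1:-1].split() if "=" in kv)
        return actions.get("success") == "done"
    return False

def audit(text):
    """Return the auth rules where pam_fprintd.so by itself can grant access."""
    return [(t, c, mod) for t, c, mod, _ in parse_pam(text)
            if t == "auth" and Path(mod).name == "pam_fprintd.so"
            and fingerprint_alone(c)]

def audit_dir(pam_dir="/etc/pam.d"):
    """Map service file name -> findings for every regular file in pam_dir."""
    findings = {}
    for f in sorted(Path(pam_dir).iterdir()):
        if f.is_file() and (hits := audit(f.read_text(errors="replace"))):
            findings[f.name] = hits
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SUDO))
```

Running `audit_dir()` on a system lists every service file in which a fingerprint match alone is enough; rules that use `required` or another non-terminating control are not reported.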
References
- [1] https://www.schneier.com/blog/archives/2013/09/iphone_fingerpr.html
- [2] http://motherboard.vice.com/read/stealing-fingerprints
- [3] https://www.makeuseof.com/set-up-fingerprint-scanner-with-pam-on-linux/
- [4] https://9to5linux.com/kde-plasma-5-24-desktop-environment-to-introduce-support-for-fingerprint-readers