Thinkpad x230 fingerprint reader on Arch Linux

2019-05-11


I have a Lenovo Thinkpad x230 with an integrated fingerprint reader. The system runs Arch. This post describes how to identify the reader, enroll your fingerprint, and then use it to authenticate your sudo actions via PAM.

First, identify the model of fingerprint reader which you have.

$ sudo lsusb

Bus 003 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 5986:02d2 Acer, Inc 
Bus 001 Device 004: ID 0a5c:21e6 Broadcom Corp. BCM20702 Bluetooth 4.0 [ThinkPad]
*Bus 001 Device 003: ID 147e:2020 Upek TouchChip Fingerprint Coprocessor (WBF advanced mode)*
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

This device is supported by the fprintd package, so we will install it with the package manager (you can probably substitute pacman for yay here if you're not a yay user):

$ yay -S fprintd

Now it's time to 'enroll' your fingerprint. Your fingerprint data will be stored in /var/lib/fprintd/. This process will require you to swipe your right index finger five times. You can see from the output below that I mis-swiped once. Just keep swiping until the process is complete:

$ fprintd-enroll 
Using device /net/reactivated/Fprint/Device/0
Enrolling right-index-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-swipe-too-short
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-completed

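Finally, we will update two files, /etc/pam.d/sudo and /etc/pam.d/su, to enable the fprintd backend. Add the following line to both files, ahead of the password authentication line (pam_unix.so in the example below), so that the fingerprint is tried first and the password remains the fallback: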

auth sufficient pam_fprintd.so

As a complete example, my /etc/pam.d/su file looks like this:

#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            sufficient      pam_fprintd.so
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so

Save these files, and then you can authenticate with your fingerprint:

$ sudo echo "Hello, world!"
Swipe your finger across the fingerprint reader
Hello, world!
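
To show what the sufficient flag and the line order do, here is an added example (not part of the original post) that models in Python how PAM walks the auth lines of the su file above: a fingerprint match alone grants access and pam_unix.so is never called, while a failed swipe falls through to the password. It is a simplified model that handles only the required, requisite, sufficient and optional keywords; the function names are made up for illustration.

```python
# Added example: simplified model of how Linux-PAM walks an auth stack.
SU_PAM = """\
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            sufficient      pam_fprintd.so
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so
"""  # the /etc/pam.d/su file from the post

CONTROLS = {"required", "requisite", "sufficient", "optional"}

def auth_stack(text):
    """Return [(control, module), ...] for the auth lines, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        # include lines and [bracket] controls are not modelled and are skipped
        if len(fields) >= 3 and fields[0] == "auth" and fields[1] in CONTROLS:
            stack.append((fields[1], fields[2]))
    return stack

def authenticate(stack, outcomes):
    """outcomes maps module -> True/False; returns (granted, modules_called)."""
    failed = succeeded = False
    called = []
    for control, module in stack:
        called.append(module)
        if outcomes.get(module, False):          # unlisted modules fail
            succeeded = True
            if control == "sufficient" and not failed:
                return True, called              # stop: later modules never run
        elif control == "requisite":
            return False, called                 # fail immediately
        elif control == "required":
            failed = True                        # remember failure, keep going
        # a failing sufficient/optional module is ignored
    return succeeded and not failed, called

if __name__ == "__main__":
    stack = auth_stack(SU_PAM)
    for label, res in [("fingerprint ok", {"pam_fprintd.so": True}),
                       ("fingerprint bad, password ok", {"pam_unix.so": True}),
                       ("both bad", {})]:
        print(label, "->", authenticate(stack, res))
```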