Thinkpad x230 fingerprint reader on Arch Linux
2019-05-11
I have a Lenovo Thinkpad x230 with an integrated fingerprint reader. The system runs Arch. This post describes how to identify the reader, enroll your fingerprint, and then use it to authenticate your sudo actions via PAM.
First, identify the model of fingerprint reader which you have.
$ sudo lsusb
Bus 003 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 5986:02d2 Acer, Inc
Bus 001 Device 004: ID 0a5c:21e6 Broadcom Corp. BCM20702 Bluetooth 4.0 [ThinkPad]
*Bus 001 Device 003: ID 147e:2020 Upek TouchChip Fingerprint Coprocessor (WBF advanced mode)*
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
This device is supported by the fprintd package, so we will install it with the package manager (you can probably substitute pacman for yay here if you're not a yay user):
$ yay -S fprintd
Now it's time to 'enroll' your fingerprint. Your fingerprint data will be stored in /var/lib/fprintd/. This process will require you to swipe your right index finger five times. You can see from the output below that I mis-swiped once. Just keep swiping until the process is complete:
$ fprintd-enroll
Using device /net/reactivated/Fprint/Device/0
Enrolling right-index-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-swipe-too-short
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-completed
Finally, we will update two files, /etc/pam.d/sudo and /etc/pam.d/su, to enable the fprintd backend. Add the following line to both files:
auth sufficient pam_fprintd.so
As a complete example, my /etc/pam.d/su file looks like this:
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_fprintd.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
Save these files, and then you can authenticate with your fingerprint:
$ sudo echo "Hello, world!"
Swipe your finger across the fingerprint reader
Hello, world!
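A check for the PAM edit described above, added here as an example and not part of the original post: it confirms that a service file carries the auth sufficient pam_fprintd.so line ahead of the password step. The function names, verdict strings and exit codes are this example's own, and treating an include or substack line as the password step is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): lint the auth stack of a PAM
# service file for the pam_fprintd.so line. Prints a verdict and returns
#   0 ok              "auth sufficient pam_fprintd.so" precedes the password step
#   1 missing         no pam_fprintd.so auth line
#   2 after-password  pam_fprintd.so comes after the password step
#   3 control=...     pam_fprintd.so is present but not "sufficient"
# Assumption: the "password step" is the first auth line that is pam_unix.so
# or an include/substack of another service file.
check_fprintd_pam() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }          # comments, blank and short lines
        { type = $1; sub(/^-/, "", type) }     # "-auth" = skip if module missing
        type != "auth" { next }
        {
            i = 2; c = $2                      # control may be "[a=b c=d]"
            if (c ~ /^\[/) while (i < NF && $i !~ /\]$/) c = c " " $(++i)
            n = split($(i + 1), p, "/"); mod = p[n]   # drop any directory part
        }
        mod == "pam_fprintd.so" && !fp { fp = NR; fpctl = c }
        (mod == "pam_unix.so" || c == "include" || c == "substack") && !pw { pw = NR }
        END {
            if (!fp)                   { print "missing";         exit 1 }
            if (fpctl != "sufficient") { print "control=" fpctl;  exit 3 }
            if (pw && pw < fp)         { print "after-password";  exit 2 }
            print "ok"
        }
    ' "$1"
}

# The /etc/pam.d/su file shown in the post, reproduced as sample input.
page_su_example() {
    cat <<'EOF'
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_fprintd.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
EOF
}

# Usage: sh check_fprintd_pam.sh /etc/pam.d/sudo /etc/pam.d/su
for f in "$@"; do
    printf '%s: ' "$f"
    check_fprintd_pam "$f" || true
done
```

Run it against both files after editing, while a root shell is still open, so a misplaced line can be corrected before the next sudo call depends on it.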