I have a Lenovo ThinkPad x230, with an integrated fingerprint reader. The system runs Arch. This describes how to identify and register your fingerprint, and then use it to authenticate your sudo actions via PAM.
First, identify the model of fingerprint reader which you have.
    $ sudo lsusb
    Bus 003 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
    Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 001 Device 005: ID 5986:02d2 Acer, Inc
    Bus 001 Device 004: ID 0a5c:21e6 Broadcom Corp. BCM20702 Bluetooth 4.0 [ThinkPad]
    *Bus 001 Device 003: ID 147e:2020 Upek TouchChip Fingerprint Coprocessor (WBF advanced mode)*
    Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
This device is supported by the fprintd package, so we will install this with the package manager (you can probably substitute yay here if you’re not a
    $ yay -S fprintd
Now it’s time to ‘enroll’ your fingerprint. Your fingerprint data will be stored in /var/lib/fprintd/. This process will require you to swipe your right index finger five times. You can see from the output below that I mis-swiped once. Just keep swiping until the process is complete:
    $ fprintd-enroll
    Using device /net/reactivated/Fprint/Device/0
    Enrolling right-index-finger finger.
    Enroll result: enroll-stage-passed
    Enroll result: enroll-stage-passed
    Enroll result: enroll-swipe-too-short
    Enroll result: enroll-stage-passed
    Enroll result: enroll-stage-passed
    Enroll result: enroll-completed
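Finally, we will update two files, /etc/pam.d/su to enable the fprintd backend. Add the following line to both files:
    auth sufficient pam_fprintd.so
With the sufficient control flag, a successful fingerprint match completes authentication on its own; if the match fails, PAM moves on to the next auth line, which in the example below is the pam_unix.so password check.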
As a complete example, my /etc/pam.d/su file looks like this:
    #%PAM-1.0
    auth sufficient pam_rootok.so
    auth sufficient pam_fprintd.so
    auth required pam_unix.so
    account required pam_unix.so
    session required pam_unix.so
Save these files, and then you can authenticate with your fingerprint:
    $ sudo echo "Hello, world!"
    Swipe your finger across the fingerprint reader
    Hello, world!
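As an added example (not part of the original post), the Python sketch below models how PAM walks the auth stack of the /etc/pam.d/su file shown above, to show what the sufficient flag on pam_fprintd.so means in practice: the fingerprint and the password each grant access on their own. The helpers parse_auth, evaluate and grants_alone are hypothetical names, and the model assumes only the required, requisite, sufficient and optional keywords are in use.

```python
# Added example (not from the original post): a simplified model of how
# Linux-PAM walks an "auth" stack. Only the keywords required, requisite,
# sufficient and optional are modelled; include lines and [value=action]
# controls are out of scope.

# The /etc/pam.d/su file shown above, embedded as sample input.
SU_STACK = """\
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_fprintd.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
"""

def parse_auth(text):
    """Return [(control, module), ...] for the auth lines of a service file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, passing):
    """passing: set of module names that succeed. True if access is granted."""
    ok_seen = required_failed = False
    for control, module in stack:
        ok = module in passing
        if ok and control == "sufficient" and not required_failed:
            return True                  # success here ends the stack at once
        if not ok and control == "requisite":
            return False                 # failure here ends the stack at once
        if not ok and control == "required":
            required_failed = True       # remembered, but the stack continues
        if ok:
            ok_seen = True               # failed sufficient/optional are ignored
    return ok_seen and not required_failed

def grants_alone(stack):
    """Modules whose success, with every other module failing, grants access."""
    return [m for _, m in stack if evaluate(stack, {m})]

if __name__ == "__main__":
    stack = parse_auth(SU_STACK)
    print("auth stack:", stack)
    print("grants access on its own:", grants_alone(stack))
```

Run against a stack where pam_fprintd.so is marked required instead, grants_alone no longer lists the fingerprint or the password module, because both must then succeed.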