
Fingerprint unlocking integration for polkit & KDE
Open, Normal, Public

Description

Currently, fingerprint unlocking does not work on KDE or for polkit actions.

You can enroll a fingerprint but cannot unlock a session with it after installing fprintd and libfprint.

To resolve this, create the file /usr/share/defaults/etc/pam.d/fprint with the contents:

#%PAM-1.0

auth    sufficient  pam_unix.so try_first_pass likeauth nullok
auth    sufficient  pam_fprintd.so

Then in /usr/share/defaults/etc/pam.d/polkit-1 and /usr/share/defaults/etc/pam.d/kde

Paste auth include fprint above auth include system-auth

This enables screen unlocking in KDE with your fingerprint as well as authorizing polkit actions.

If fprintd and libfprint are uninstalled, actions can still be authorized with a password like normal.

Event Timeline

joebonrichie created this task.
joebonrichie moved this task from Backlog to System and Configuration Fixes on the Software board.

Before I go ahead with this, the question is whether the PAM stuff looks okay and/or whether there is any obvious security risk?

Potentially we could abstract even further and have systemd-auth include fprint, which should allow all auth actions to be completed with the fingerprint. Whether that is desirable or not is another question for now.

The main annoyance here is you have to press enter before it'll prompt you to use the fingerprint (I'm guessing due to try_first_pass)

> The main annoyance here is you have to press enter before it'll prompt you to use the fingerprint (I'm guessing due to try_first_pass)

What happens if you swap the order of the pam_fprintd.so and pam_unix.so lines?

@ReillyBrogan I had the same thought before, and according to the Arch Wiki it's the following problem:

> Adding pam_fprintd.so as sufficient to any configuration file in /etc/pam.d/ when a fingerprint signature is present will only prompt for fingerprint authentication. This prevents the use of a password if you cannot Ctrl+c fingerprint authentication (due to the lack of a shell).

Which they follow up with Joey's solution as a way around that.
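Added example, not part of the original thread and not Solus tooling: a small Python check that expands the `include` lines into the effective auth stack and flags the two orderings discussed above (pam_fprintd.so ahead of pam_unix.so, per the Arch Wiki quote, and system-auth ahead of fprint). The file contents are constructed samples; the system-auth body is an assumed placeholder, and the function names are hypothetical.

```python
import re

# Constructed sample files. "fprint" and "kde" follow the task description;
# the "system-auth" body is an assumed placeholder, not Solus's real file.
SAMPLE = {
    "fprint": "#%PAM-1.0\n\n"
              "auth    sufficient  pam_unix.so try_first_pass likeauth nullok\n"
              "auth    sufficient  pam_fprintd.so\n",
    "system-auth": "auth    required    pam_unix.so try_first_pass nullok\n",
    "kde": "auth    include     fprint\n"
           "auth    include     system-auth\n",
}

LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def flatten_auth(service, files, _seen=()):
    """Expand `include` lines and return the effective auth stack as
    (control, module, args, source_file) tuples in evaluation order."""
    if service in _seen:
        raise ValueError(f"include loop via {service}")
    stack = []
    for raw in files[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue  # comment, blank line, or a non-auth rule
        control, target, args = m.groups()
        if control == "include":
            stack += flatten_auth(target, files, _seen + (service,))
        else:
            stack.append((control, target, args, service))
    return stack

def lint(service, files):
    """Report the ordering problems raised in the thread for one service."""
    stack = flatten_auth(service, files)
    modules = [entry[1] for entry in stack]
    if "pam_fprintd.so" not in modules:
        return ["pam_fprintd.so is not in the auth stack"]
    fp = modules.index("pam_fprintd.so")
    findings = []
    if "pam_unix.so" not in modules[:fp]:
        findings.append("pam_fprintd.so precedes pam_unix.so: fingerprint-only prompt")
    if any(entry[3] == "system-auth" for entry in stack[:fp]):
        findings.append("system-auth is evaluated before pam_fprintd.so")
    return findings

if __name__ == "__main__":
    for entry in flatten_auth("kde", SAMPLE):
        print(*entry)
    print(lint("kde", SAMPLE) or "ordering matches the task description")
```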

What led me down this rabbit hole is that KDE supposedly has support for fingerprint unlocking for kscreensaver, but I seemingly had to provide my own PAM files for it to work, unlike GDM, which seems to work by default. Making matters more interesting is that fprintd states that unlocking with either a fingerprint or password (via pam_fprintd.so) is not supported, and the PAM config above seems to be more of a workaround to that.

https://github.com/freedesktop/libfprint-fprintd/blob/master/pam/README#L24

Looks like this was supposed to have been merged for 5.25 but has stalled for whatever reason. https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/15 Which explains why the string in 'Users' is wrong.

@joebonrichie, is this still an issue? I'm using fingerprints to unlock my Plasma session, but I don't know what the status of polkit is.