I have recently gotten involved in setting up both latest Gnome (Ubuntu) and KDE (Manjaro) environment on two X230 Thinkpads with fingerprint sensors and the question of how to make them work appeared.

Turns out currently the support, well…sucks. Ubuntu developers seem to be well aware of this and reportedly want to fix it. However for now, the situation is following.

Ubuntu 18.04 – Gnome

Setting up fingerprint support is a matter of installing handful of fprintd related packages. The installation I’m using was upgraded from 17.10. so I can’t say if it’s already included in a clean 18.10 installation or not.

After installing a new option appears in “Users” settings – an option to enable fingerprint login, yay!

Flipping the switch to enabled really allows you to login using your fingerprint in a civilized way – e.g. the graphical interface asks you to login with your finger. So far so good. However after logging in the Gnome wallet asks for a password to unlock. Technically this because logging in via fingerprint doesn’t give PAM the necessary password to unlock the wallet. The only workaround at the moment is to remove the password protection and keep your passwords on disk in plaintext. No, thanks.

Apart from logging in the fingerprint sensor is not used anywhere – for sudo, upgrades, etc. you still have to enter the password manually. That makes the support in general pretty much useless.

KDE (Manjaro)

The traditional Gnome competitor KDE is arguably even a bit behind. There is basically zero support for fingerprints at all. The login manager (SDDM) doesn’t work with it, there are no configuration options in the settings, no KDE or at least Qt GUI related to fingerprints. Tickets related to these issues are many years old with no real progress so far.

If you manage to get the fingerprint login working via PAM (more on that later), kwallet gives you the same issues as gnome wallet on login.

PAM

It would seem that you are pretty much screwed as far as fingerprints go but that’s not entirely true. If you are ready to do some tinkering with PAM configuration, you can still use your fingers a bit.

PAM is the Linux authentication system that all the major desktop environments use in the background. It quite configurable and can work with fingerprints pretty well. The problem is that it doesn’t provide any GUI and if you enable fingerprint authentication the Gnome/KDE/whatever GUI you use will probably work in a strange way.

For example if you enable fingerprint login in PAM (ArchWiki has instructions), the login manager (for example SDDM) still asks you for a password. What you are supposed to do is

1. Turn on the computer, wait for login screen to appear
2. Select the user, don’t enter any password and press enter (to login)
3. See the fingerprint LED light up and swipe your finger

This is not exactly user friendly but if you know what you are doing, usable. It works the same way with other “enter password” prompts, if you configure the appropriate modules the right way. That is not that easy since there is sudo, kdesu, pkexec and probably others, and you have to configure them in PAM separately. The only place where you get asked to swipe your finger is the terminal… but not always. Some tools and scripts manipulating the stdout seem to discard the “Swipe your finger” prompt, leaving you staring at the screen “did it just crash?” until you notice the fingerprint LED is on.

Conclusion

Fingerprint sensor support in Linux desktop environments is pretty bad. It’s possible to get it working in a way if you really try but still feels hacky. However it seems that fingerprint sensors seem to be getting more widespread recently with the rise of mobile devices and at least the Ubuntu devs have noticed it. We are probably going to see some improvements in the near future at least in Ubuntu/Gnome and when that happens, we can expect people from competing projects trying to catch up.