Confusion regarding how to add fingerprint-auth to login using PAM

I have reinstalled F41-Sway after running an amalgam of KDE, Sway and leftover GNOME apps for 6 months. In that period, I managed to get fingerprint auth to work by tinkering with one of the files in /etc/pam.d (something similar to this):

auth		sufficient  	pam_unix.so try_first_pass likeauth nullok
auth		sufficient  	pam_fprintd.so

Are there resources explaining how to set up fprintd for PAM on Fedora (F40, F41) specifically?
Which files should I add lines similar to the above in?
My goal is to use fingerprint auth for sudo, swaylock and LightDM / SDDM.

I have enabled with-fingerprint using authselect, and the output of authselect test local with-fingerprint seems to indicate so. (It doesn't seem to be doing much, since I am using LightDM as a greeter.)

I am happy to add logs, command outputs or change the topic to become better.

Contents of /etc/pam.d/

total 156
drwxr-xr-x. 1 root root  634 Jan  8 00:30 .
drwxr-xr-x. 1 root root 4670 Jan  8 00:12 ..
-rw-r--r--. 1 root root  272 Aug  8 02:00 atd
-rw-r--r--. 1 root root  192 Jul 20 02:00 chfn
-rw-r--r--. 1 root root  192 Jul 20 02:00 chsh
-rw-r--r--. 1 root root  232 Nov 25 01:00 config-util
-rw-r--r--. 1 root root  322 Feb 15  2019 crond
-r--r--r--. 1 root root  134 Dec  6 01:00 cups
lrwxrwxrwx. 1 root root   32 Jan  8 00:12 fingerprint-auth -> /etc/authselect/fingerprint-auth
-rw-r--r--. 1 root root  127 Jul 18 02:00 hddtemp
-rw-r--r--. 1 root root  280 Jan  3  2024 initial-setup
-rw-r--r--. 1 root root  925 Jul 18 02:00 lightdm
-rw-r--r--. 1 root root  660 Jul 18 02:00 lightdm-autologin
-rw-r--r--. 1 root root  409 Jul 18  2022 lightdm-greeter
-rw-r--r--. 1 root root  676 Jul 20 02:00 login
-rw-r--r--. 1 root root  154 Nov 25 01:00 other
-rw-r--r--. 1 root root  168 Oct 10 02:00 passwd
lrwxrwxrwx. 1 root root   29 Jan  8 00:12 password-auth -> /etc/authselect/password-auth
-rw-r--r--. 1 root root  510 Apr 11  2024 pluto
lrwxrwxrwx. 1 root root   25 Jan  8 00:12 postlogin -> /etc/authselect/postlogin
-rw-r--r--. 1 root root  144 Jul 19 02:00 ppp
-rw-r--r--. 1 root root  640 Jul 20 02:00 remote
-rw-r--r--. 1 root root  143 Jul 20 02:00 runuser
-rw-r--r--. 1 root root  138 Jul 20 02:00 runuser-l
-rw-r--r--. 1 root root  923 Oct 15 02:00 sddm
-rw-r--r--. 1 root root  668 Oct 15 02:00 sddm-autologin
-rw-r--r--. 1 root root  397 Oct 15 02:00 sddm-greeter
lrwxrwxrwx. 1 root root   30 Jan  8 00:12 smartcard-auth -> /etc/authselect/smartcard-auth
-rw-r--r--. 1 root root  727 Oct 16 02:00 sshd
-rw-r--r--. 1 root root  214 Dec 10 01:00 sssd-shadowutils
-rw-r--r--. 1 root root  540 Jul 20 02:00 su
-rw-r--r--. 1 root root  238 Jul 20 02:00 sudo
-rw-r--r--. 1 root root  178 Jul 20 02:00 sudo-i
-rw-r--r--. 1 root root  137 Jul 20 02:00 su-l
-rw-r--r--. 1 root root  161 Aug 23 22:39 swaylock
lrwxrwxrwx. 1 root root   27 Jan  8 00:12 system-auth -> /etc/authselect/system-auth
-rw-r--r--. 1 root root   84 Jul 18 02:00 vlock
-rw-r--r--. 1 root root  159 Jul 18 02:00 vmtoolsd
-rw-r--r--. 1 root root  356 Jan  8 00:30 wl-copy
-rw-r--r--. 1 root root   61 Mar 20  2023 xfce4-screensaver
-rw-r--r--. 1 root root  128 Dec 20 01:00 xserver

It sounds like all you should have left to do is enroll some fingerprints (fprintd-enroll), and you should then be prompted to verify them when there’s a password prompt. You shouldn’t need to edit anything in pam.d, as that’s what authselect does.

Note that you still need to trigger an authentication attempt, so with swaylock for example you will need to hit enter first and then scan your fingerprint - no prompt is displayed in swaylock at that point, but you might get an LED lit on the fingerprint reader. sudo does give a suitable prompt, and I suspect LightDM will as well.

Hope that helps!

Hi,
I have already enrolled my fingerprint (fprint-verify -f right-index-finger returns a pass).
With the previous installation of Fedora I was running I had to manually edit one of the files in pam.d (not the ones managed by authselect, I think).

After checking journalctl, I found that the fprintd service had been disabled on Jan 3, so around the time I installed F41 Sway.

After checking systemctl, the fprintd service seems to be disabled; systemctl status fprintd returns:

The unit files have no installation config (WantedBy=, RequiredBy=, UpheldBy=,
Also=, or Alias= settings in the [Install] section, and DefaultInstance= for
template units). This means they are not meant to be enabled or disabled using systemctl.

Possible reasons for having these kinds of units are:
• A unit may be statically enabled by being symlinked from another unit's
  .wants/, .requires/, or .upholds/ directory.
• A unit's purpose may be to act as a helper for some other unit which has
  a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer,
  D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some
  instance name specified.

My thinking is that either there is an issue with the pam.d configuration / fprint never gets called, or fprintd is misconfigured and is disabled by default due to that issue (no clue what to do about that, though).

Which pam.d file manages authentication in F41 specifically? Since every distro seems to do it differently, guides are not of enormous help.

I have added the lines:

[Install]
WantedBy=multi-user.target

following this post on the Framework community forums; however, I am unsure if this is useful or has a point, beyond the fprintd service now running.

Hope this helps understand the issue at hand a little better.

Sorry about the quality of the post, I am not used to posting on forums.

You shouldn’t need to edit anything though, so it seems to me like there’s something odd going on.
Can you post the output of the following?

  • dnf list fprintd* (just in case there’s something missing)
  • authselect current and authselect check (just in case something isn’t set right)
  • journalctl -u fprintd -b
  • systemctl status fprintd (the output you posted looks like the output from ‘enable’ rather than ‘status’)

Here you go. I think the issue is not with fprintd itself but somewhere else, such as the systemd conf, or pam.

dnf list fprintd*:

Updating and loading repositories:
Repositories loaded.
Installed packages
fprintd.x86_64       1.94.4-1.fc41 updates
fprintd-pam.x86_64   1.94.4-1.fc41 updates

Available packages
fprintd-devel.noarch 1.94.4-1.fc41 updates

authselect current

Profile ID: local
Enabled features:
- with-fingerprint

authselect check: Current configuration is valid

journalctl -u fprintd -b:
as normal user (with admin perms): nothing
as root:

Jan 09 11:21:18 eiger systemd[1]: Starting fprintd.service - Fingerprint Authentication Daemon...
Jan 09 11:21:18 eiger systemd[1]: Started fprintd.service - Fingerprint Authentication Daemon.
Jan 09 11:21:47 eiger systemd[1]: fprintd.service: Deactivated successfully.
Jan 09 11:21:59 eiger systemd[1]: Starting fprintd.service - Fingerprint Authentication Daemon...
Jan 09 11:21:59 eiger systemd[1]: Started fprintd.service - Fingerprint Authentication Daemon.
Jan 09 11:22:30 eiger systemd[1]: fprintd.service: Deactivated successfully.

systemctl status fprintd

○ fprintd.service - Fingerprint Authentication Daemon
     Loaded: loaded (/usr/lib/systemd/system/fprintd.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf, 50-keep-warm.conf
     Active: inactive (dead) since Thu 2025-01-09 11:22:30 CET; 2min 45s ago
   Duration: 30.366s
 Invocation: c78defd23ee94f648603fdf726797cf4
       Docs: man:fprintd(1)
    Process: 2862 ExecStart=/usr/libexec/fprintd (code=exited, status=0/SUCCESS)
   Main PID: 2862 (code=exited, status=0/SUCCESS)
   Mem peak: 6.8M
        CPU: 131ms

Jan 09 11:21:59 eiger systemd[1]: Starting fprintd.service - Fingerprint Authentication Daemon...
Jan 09 11:21:59 eiger systemd[1]: Started fprintd.service - Fingerprint Authentication Daemon.
Jan 09 11:22:30 eiger systemd[1]: fprintd.service: Deactivated successfully.

Well on the plus side, that looks like I’d expect. The downside is that I’m not sure what to check next.
My home machine (also on F41 sway) has a working configuration, I’ll take a look later and see if I can spot any differences.

Maybe take a look at the PAM configurations for authentication? That was the solution last time for me.
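
One way to do the PAM check suggested above, as an added example that is not part of the original thread: the script follows include and substack lines in a service's auth stack and reports whether pam_fprintd.so is reachable from it. The sample files, the customlock service and the PAMD_DIR / SERVICES variables are constructed for illustration; set PAMD_DIR=/etc/pam.d and SERVICES="sudo swaylock lightdm sddm" to inspect a real system.

```bash
#!/bin/sh
# Added example (not from the thread): does a PAM service's auth stack reach
# pam_fprintd.so through its include/substack chain?

# reaches_fprintd DIR SERVICE [SEEN] -> returns 0 if pam_fprintd.so is reachable
reaches_fprintd() {
    local dir svc seen type control module rest args
    dir=$1; svc=$2; seen=${3:-}
    [ -r "$dir/$svc" ] || return 1                   # missing service file
    case " $seen " in *" $svc "*) return 1 ;; esac   # include-loop guard
    seen="$seen $svc"
    while read -r type control module rest; do
        type=${type#-}          # "-auth": same stack, quieter on missing modules
        [ "$type" = auth ] || continue               # skips comments, other types
        case "$control" in
            include|substack)
                reaches_fprintd "$dir" "$module" "$seen" && return 0 ;;
            *)  # plain or bracketed control, e.g. [success=done default=ignore]
                args="$module $rest"; args=${args%%#*}   # drop trailing comment
                case "$args" in *pam_fprintd.so*) return 0 ;; esac ;;
        esac
    done < "$dir/$svc"
    return 1
}

# Constructed sample files: stand-ins, not Fedora's shipped /etc/pam.d contents.
# "customlock" is a hypothetical service that bypasses the shared stack.
make_sample_pamd() {
    local d
    d=$(mktemp -d) || return 1
    printf '%s\n' 'auth sufficient pam_unix.so try_first_pass likeauth nullok' \
                  'auth sufficient pam_fprintd.so' > "$d/system-auth"
    printf '%s\n' 'auth include system-auth'   > "$d/sudo"
    printf '%s\n' 'auth substack system-auth'  > "$d/login"
    printf '%s\n' 'auth include login'         > "$d/swaylock"
    printf '%s\n' 'auth required pam_unix.so'  > "$d/customlock"
    echo "$d"
}

# PAMD_DIR and SERVICES are names made up for this example.
dir=${PAMD_DIR:-$(make_sample_pamd)}
for svc in ${SERVICES:-sudo swaylock customlock}; do
    if reaches_fprintd "$dir" "$svc"; then
        echo "$svc: pam_fprintd.so reachable from auth stack"
    else
        echo "$svc: pam_fprintd.so not reachable"
    fi
done
```

A service reported as not reachable never asks fprintd for a fingerprint, regardless of what authselect has written into system-auth.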