Swaylock unlocks only with fingerprint and not with password

ponies · March 23, 2025, 10:08pm

I have a Fedora KDE spin installation on a laptop with a fingerprint reader, onto which I have installed Sway WM (dnf group install @swaywm-extended). Under Plasma when I lock my screen I can unlock with a password just fine, but when locking the screen with Swaylock under Sway it seems to only want to accept my fingerprint. There’s no password entry box but as I type I can see the circle indicator reacting to my typing, and when I hit enter it says “Verifying” and then nothing happens - it just sits like that. If I touch my fingerprint reader at this point the screen will unlock, and this happens whether or not the password I entered was correct.

I haven’t made any changes to any pam.d files, so my assumption is that something is incompatible here out of the box, possibly because of KDE having been previously installed? And if it matters I’m using lightdm as my greeter.

Contents of /etc/pam.d/swaylock:

/etc/pam.d/swaylock

auth include login

Contents of /etc/pam.d/login:

/etc/pam.d/login

#%PAM-1.0
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
#pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
#pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

Contents of /etc/pam.d/system-auth:

/etc/pam.d/system-auth


auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_fprintd.so
auth        sufficient                                   pam_unix.so nullok
auth        required                                     pam_deny.so

account     required                                     pam_unix.so

password    requisite                                    pam_pwquality.so
password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so

Contents of /etc/pam.d/postlogin:

/etc/pam.d/postlogin

session     optional                   pam_umask.so silent
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]                pam_lastlog.so nowtmp silent
session     optional                   pam_lastlog.so silent noupdate showfailed

What do I need to do to be able to use a password for unlocking my screen?

glb · March 24, 2025, 1:24am

I have a system with only Sway. At least the auth portion of my /etc/pam.d/swaylock and /etc/pam.d/login files is identical and swaylock works for me. Perhaps the difference is in system-auth or postlogin?

Edit: I haven’t tried this on my system, but I suspect the following line in /etc/pam.d/swaylock would be adequate for a local user account.

auth required pam_unix.so

If you replace auth include login with the above line, I think it might work.

P.S. You will want to be signed in on a secondary VT so you can undo the change just in case it doesn’t work.

ponies · March 24, 2025, 1:38am

I’ve added the contents of /etc/pam.d/system-auth to my original post. It has auth sufficient pam_unix.so but not required. I’ll try switching it tomorrow though.

glb · March 24, 2025, 1:40am

Just to be clear, I wouldn’t change /etc/pam.d/system-auth. I would only change /etc/pam.d/swaylock in order to limit the scope of the change.

If you really do want to change /etc/pam.d/system-auth for whatever reason, you should create a custom authselect profile.

ponies · March 24, 2025, 12:27pm

This worked to allow password authentication (still no text entry box but I assume this is normal?), but with that setting added fingerprint unlocking no longer seems to work. I might play with it a bit to see if I can get it to accept either option.

glb · March 24, 2025, 2:03pm

Yes, that is normal.

It looks like it might not be possible:

Topic		Replies	Views
Confusion regarding how to add fingerprint-auth to login using PAM Ask Fedora pam , sway , fprint , f41	6	290	January 9, 2025
Lock screen in KDE requires both password and fingerprint to unlock Ask Fedora kde , kde-plasma , fingerprint-reader , f39	6	3090	December 8, 2023
Passwordless Lockscreen, user can't log back in Ask Fedora kinoite-team , f38 , kde , kinoite	1	678	September 30, 2023
Default config of /etc/pam.d/sddm Ask Fedora f35 , kde	4	1333	November 22, 2021
Get T14 Fingerprint working Ask Fedora f36 , pam , fprint , fingerprint-reader	4	1114	May 7, 2022

Swaylock unlocks only with fingerprint and not with password

Related topics