Would this work with Fedora for login purposes?

I want to use a fingerprint reader to log in rather than typing a password every time. Would this work?

https://www.hidglobal.com/products/4500-fingerprint-reader

Seems like it works with Linux from the comments I’ve seen on it on Amazon. It also says it supports Linux here:

https://www.hidglobal.com/documents/hid-digitalpersona-4500-reader-datasheet

So I assume it would work with whatever default Fingerprint reader functionality Fedora has built in?

If it can be used for U2F, I think so


sudo dnf install pamu2fcfg pam-u2f
pamu2fcfg > ~/'u2f_keys' && sudo mv ~/'u2f_keys' '/etc/u2f_mappings'

GDM/log-in:

sudo -e '/etc/pam.d/gdm-password'
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue

And sudo:

sudo -e '/etc/pam.d/sudo'
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue

It’s generally safer to use authselect rather than edit the files in pam.d directly.

Fingerprint authentication can be enabled (on a normal Fedora install at least) using authselect by running:
sudo authselect enable-feature with-fingerprint

and making sure that fprintd is installed:
sudo dnf install fprintd fprintd-pam

Fingerprints can then be associated with a user using fprintd-enroll

It does look like there are some hardware issues with that specific device though: libfprint - issue #626

There’s some more information about authselect and some recentish changes here: Authselect in Fedora Linux 40: Migrating to the new "local" profile - Fedora Magazine


U2F is normally associated with yubikeys and similar devices - in my experience it isn’t involved with fingerprint readers.

The equivalent authselect command for those would be sudo authselect enable-feature with-pam-u2f, and the key enrolled with:

mkdir -p ~/.config/Yubico
pamu2fcfg --pin-verification > ~/.config/Yubico/u2f_keys

See this Fedora Magazine article for more information on that one: Use FIDO U2F security keys


Idk if all 4500 versions are supported by libfprint (s.a. supported devices). I use one with USB ID 045e:000a. Current libfprint version 1.94.9 (provided by Fedora 42+) works with some constraints: 100% of enrolled fingerprints fail to verify.

However I can use the device with an acceptable verification rate if the finger is pressed moderately on the scanning area (during enrollment and verification). A relaxed touch (sufficient under Windows) creates a scan image with very weak contrast. AFAIS there is no libfprint development ongoing for the affected driver uru4000, i.e. a fix is not expected.

I don’t know about this particular fingerprint reader. One thing to keep in mind, though: if you log in with the fingerprint reader, PAM does not have a password to unlock your DE’s keyring (GNOME keyring or kwallet); you will have to do that separately after logging in. Or you can work around that issue by typing your password on first login and only using the fingerprint reader after you locked your session or for sudo/polkit authentication.

Just so you know what to expect.
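
Added example, not written by anyone in this thread: a small shell check that lists the auth entries of a PAM service file and flags where pam_u2f.so or pam_fprintd.so is marked sufficient. That is the case where the key or fingerprint alone authenticates and, as the last post notes, no password is available to unlock the keyring. The function name audit_pam_auth, the verdict labels and the sample file are constructed for illustration; include and substack lines are only reported, not followed.

```bash
#!/bin/sh
# Added example (not from the thread): audit the auth phase of a PAM service file.
# Verdict labels and the function name are illustrative, not part of any tool.

# audit_pam_auth FILE: print "VERDICT control module" for every auth entry.
audit_pam_auth() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }              # skip blank lines and comments
    {
        type = $1; sub(/^-/, "", type)         # "-auth" is still the auth phase
        if (type != "auth") next
        ctl = $2; i = 3
        if (ctl ~ /^\[/)                       # rejoin "[success=1 default=ignore]"
            while (ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
        mod = $i; sub(/.*\//, "", mod)         # drop a directory prefix if present
        alt = (mod == "pam_u2f.so" || mod == "pam_fprintd.so")
        if (ctl == "include" || ctl == "substack")
            v = "FOLLOW"                       # entries live in another file
        else if (alt && ctl == "sufficient")
            v = "REPLACES-PASSWORD"            # success here ends auth, no password asked
        else if (alt && ctl ~ /^\[/)
            v = "REVIEW"                       # effect depends on the bracketed actions
        else if (alt && (ctl == "required" || ctl == "requisite"))
            v = "SECOND-FACTOR"                # must succeed along with the rest of the stack
        else
            v = "OK"
        print v, ctl, mod
    }' "$1"
}

# Constructed sample: /etc/pam.d/sudo after adding the line shown in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_u2f.so authfile=/etc/u2f_mappings cue
auth       include      system-auth
account    include      system-auth
EOF
audit_pam_auth "$sample"
rm -f "$sample"
```

Run it against the files in /etc/pam.d that a FOLLOW line names as well, since authselect places the fingerprint and U2F entries in the included stacks rather than in the per-service file.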