# Fingerprint Reader

Linux can use fingerprint readers through `fprintd`. It allows the Pluggable Authentication Modules (PAM) stack to check for registered biometric data before falling back to standard password entry.

## Installation

Install the standard fingerprint imaging daemon from the official repositories:

~~~bash
sudo pacman -S fprintd
~~~

## Enrollment

GNOME and KDE both offer fingerprint enrollment via their settings apps. Enrolling fingerprints this way also allows you to unlock your desktop session.

If you'd rather enroll via the terminal, use `fprintd-enroll`:

~~~bash
fprintd-enroll
~~~

Verify that the system successfully stored your fingerprint and reads the biometric data:

~~~bash
fprintd-verify
~~~

## Configuring PAM

In order to use your fingerprint to authenticate `sudo` prompts in the terminal and on the desktop through Polkit, some additional setup is required.

### `sudo`

<p class="callout danger"><strong>WARNING:</strong> Always keep a separate terminal window open with an active root shell (<code>sudo -s</code>) while modifying PAM configurations. There are no sanity checks in place, and an incorrect configuration can lock you out of your system.</p>

Open the `sudo` configuration file:

~~~bash
sudo nano /etc/pam.d/sudo
~~~

Insert the `pam_fprintd.so` module as `sufficient` directly below the file header. This instructs PAM to succeed immediately if a fingerprint matches, or to fall through to the password prompt if it does not.

~~~
#%PAM-1.0
auth      sufficient pam_fprintd.so
auth      include    system-auth
account   include    system-auth
session   include    system-auth
~~~

Verify everything works as expected by opening a brand new terminal window and starting an interactive root shell with `sudo -i`. The system should prompt you to touch the fingerprint reader with a finger you enrolled.

### Polkit

To allow graphical authentication banners in GNOME and KDE to accept biometric inputs, modify the Polkit configuration:

~~~bash
sudo nano /etc/pam.d/polkit-1
~~~

Replicate the structure used for `sudo`:

~~~
#%PAM-1.0

auth       sufficient   pam_fprintd.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
~~~
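
Because PAM does not validate these files, a small lint can confirm the layout used in both sections before you close the root shell. This is an added example, not part of `fprintd` or PAM; the function name `check_fprintd_pam` is hypothetical, and it assumes simple control keywords rather than the bracketed `[success=...]` syntax.

```shell
#!/bin/sh
# Added example: lint a PAM service file for the fingerprint layout shown above.
# check_fprintd_pam is a hypothetical helper name, not part of fprintd or PAM.
# Assumes simple control keywords (no "[success=1 ...]" bracket syntax).
check_fprintd_pam() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        $1 != "auth"         { next }        # only the auth stack is checked
        $3 == "pam_fprintd.so" {             # remember the first fingerprint line
            if (fp == 0) { fp = NR; ctl = $2 }
            next
        }
        $2 == "include" && $3 == "system-auth" {   # password fallback
            if (pw == 0) pw = NR
        }
        END {
            if (fp == 0) { print "missing: no auth line for pam_fprintd.so"; exit 1 }
            if (ctl != "sufficient") { print "control: pam_fprintd.so is \"" ctl "\", expected \"sufficient\""; exit 1 }
            if (pw == 0) { print "fallback: no auth include of system-auth"; exit 1 }
            if (fp > pw) { print "order: pam_fprintd.so is listed after system-auth"; exit 1 }
            print "ok"
        }
    ' "$1"
}

# Constructed sample files (not read from /etc): the layout from this page
# and a variant where "required" would make the fingerprint mandatory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_fprintd.so' \
        'auth include system-auth' 'account include system-auth' > "$d/good"
    printf '%s\n' '#%PAM-1.0' 'auth required pam_fprintd.so' \
        'auth include system-auth' > "$d/bad"
    for f in good bad; do
        echo "$f: $(check_fprintd_pam "$d/$f")"
    done
    rm -rf "$d"
}
demo
```

After editing, run `check_fprintd_pam /etc/pam.d/sudo` and `check_fprintd_pam /etc/pam.d/polkit-1`; anything other than `ok` means the file should be fixed from the root shell you kept open.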