How to Set Up Your Fingerprint Scanner With PAM on Linux


The fingerprint is one of the most common inputs used for authorization. Using biometric data for authorization confirms the physical presence of a person by relying on something that is relatively inseparable from them.


In addition, biometric data provides security by relying on data that is specific to almost every individual. Leaving aside the legal limits on the use of biometric data, these features give fingerprints an advantage over other second-factor tools.

Here’s how you can set up your fingerprint scanner on Linux using PAM (Pluggable Authentication Modules).


Things to Consider About Fingerprints

The fingerprint method is not the safest choice among your options. There are some reasons for this:

  • You cannot change your fingerprint. As a result, the importance of ensuring the security of this data increases.
  • People leave their fingerprints in many places, so they are easy to obtain.
  • It is possible to cheat fingerprint scanning systems. Although advanced equipment makes it difficult to do this, it is not entirely impossible.
  • Fingerprint scans can fail to identify the person. In particular, physical changes such as injuries can make scanning impossible.

For the above reasons, it is useful to treat fingerprints as a third factor, or only as weak evidence of a person's physical presence.

Adding fingerprint authentication to a system that is protected only by a password will provide some more security. It makes sense to use fingerprints, especially on devices with a built-in fingerprint scanner, as the cost of doing this is almost zero.

Setting Up the Requirements

Of course, you need a fingerprint scanner to add the fingerprint feature to a device running GNU/Linux. Most devices these days have fingerprint scanners.

If you have a fingerprint scanner, the next step is to install the fprintd package on your system.

On Debian-based (Ubuntu, Mint, etc.) systems:


sudo apt-get install fprintd

Arch Linux users can install fprintd using Pacman:


sudo pacman -S fprintd

On Red Hat-based (Fedora, CentOS, etc.) systems:


sudo yum install fprintd

After installation, you will have fprintd and its PAM module installed. Enter the following command to start enrolling a fingerprint:


fprintd-enroll -f [finger_name]

You need to tell fprintd which finger you are scanning. That way, you know which finger it is asking for during scanning. Valid finger names are:

Command                 Finger Name
left-thumb              Left thumb
left-index-finger       Left index finger
left-middle-finger      Left middle finger
left-ring-finger        Left ring finger
left-little-finger      Left little finger
right-thumb             Right thumb
right-index-finger      Right index finger
right-middle-finger     Right middle finger
right-ring-finger       Right ring finger
right-little-finger     Right little finger

Accordingly, the example command to enroll your left little finger would be as follows:


fprintd-enroll -f left-little-finger

You will then need to scan your finger four times. If this succeeds, the fingerprint has been added.


Using device /net/reactivated/Fprint/Device/0
Enrolling left-little-finger finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-completed

To test whether the process succeeded, you can run the command below and scan your finger:


fprintd-verify -f left-little-finger

Your registered fingerprints will be listed and you will receive a confirmation upon scanning the finger you specified.


Using device /net/reactivated/Fprint/Device/0
Listing enrolled fingers:
-
Verify result: verify-match (done)

PAM Settings You Need to Configure

Regarding data integrity and protection of personal rights, PAM is gaining more and more importance in the cybersecurity world. When malicious people attack a device, they take advantage of attacks such as privilege escalation to exploit the device. Therefore, PAM is a precaution against such attacks.

PAM is the software responsible for user authorization on GNU/Linux systems. You can adjust the behavior of PAM with the configuration files located under the /etc/pam.d directory. If you wish, you can customize the PAM settings according to your needs.

To add fingerprint authentication to all PAM-controlled logins of your device, open the following file with a text editor of your choice:


sudo vim /etc/pam.d/common-auth

You will see text similar to the following:

[Screenshot: contents of the PAM configuration file]

Please note that if there is a problem at this stage and you enable your screen lock, you may not be able to log in to your device again.

Add the following line at the end of the file:


auth required pam_fprintd.so

If you use Vim, press Escape, type :wq, and hit Enter to save the file and exit.

After this point, the system will ask you for your fingerprint for all authorization processes on your device.

To make sure everything is fine, and to be able to fix it effortlessly if there is a problem, keep the sudo-authorized terminal open and open another terminal. In the new terminal, enter:


sudo ls ~

Your system should ask you for a password and fingerprint for sudo authorization. If this does not happen, or the files under the home directory are not listed, go back and check whether you made a mistake in the steps.

If you encounter a problem, you can prevent your device from locking by undoing and saving the changes you made in the /etc/pam.d/common-auth file from the sudo authorized terminal.
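The edit and its undo can be scripted so that the known-good file is always kept. This is an added example, not the article's own code; the function names and the .bak-fprintd backup suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the article's code: guarded edit of the PAM file with a
# backup and a rollback. Function names and the .bak-fprintd suffix are
# hypothetical. Source this from a root shell, then call the functions.
PAM_FILE="${PAM_FILE:-/etc/pam.d/common-auth}"   # file the article edits
PAM_LINE="auth required pam_fprintd.so"          # line the article adds

# True if the file already has an active (uncommented) pam_fprintd auth line.
has_fprintd() {
    grep -Eq '^[[:space:]]*-?auth[[:space:]].*pam_fprintd\.so' "$1"
}

# Back up the file once, then append the line only if it is not there yet.
enable_fprintd() {
    f="${1:-$PAM_FILE}"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    if has_fprintd "$f"; then
        echo "pam_fprintd already present in $f, nothing changed"
        return 0
    fi
    # Keep the first backup so a second run cannot overwrite the good copy.
    if [ ! -e "$f.bak-fprintd" ]; then
        cp -p "$f" "$f.bak-fprintd" || return 1
    fi
    # A file without a final newline would glue the new rule onto the last one.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo >> "$f"
    fi
    printf '%s\n' "$PAM_LINE" >> "$f"
}

# Put the saved copy back; run this from the root shell that is still open.
rollback_fprintd() {
    f="${1:-$PAM_FILE}"
    [ -f "$f.bak-fprintd" ] || { echo "no backup for $f" >&2; return 2; }
    cp -p "$f.bak-fprintd" "$f"
}
```

When testing in the second terminal, run sudo -k before sudo ls ~ so that sudo asks for authentication again instead of reusing cached credentials.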

If you have passed the test successfully, you can now start using your device a little more securely with your fingerprint.

Considerations for Non-Admin Users


If there is more than one user on the device and only one user uses a fingerprint, you can change the /etc/pam.d/common-auth configuration to the following so that only users who have set up a fingerprint need the second factor. However, this is a step that you should consider carefully, as it will exclude the root user from 2FA:


auth required pam_fprintd.so nullok

If you want to log in as the root user with fingerprint, you need to repeat the above steps with the root user.
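To confirm what the configuration actually enforces, the sketch below lists every active pam_fprintd entry and interprets its control flag. It is an added example, not the article's code, and it goes beyond the article by also recognising the standard PAM control flag sufficient, under which a fingerprint match can satisfy authentication without the password. The function name and verdict labels are hypothetical.

```shell
#!/bin/sh
# Added example, not the article's code: list every active pam_fprintd auth
# entry under a PAM directory and say what its control flag means.
# audit_fprintd and the verdict labels are hypothetical names.
audit_fprintd() {
    dir="${1:-/etc/pam.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v name="${f##*/}" '
            $1 ~ /^#/ { next }                      # commented-out rule
            $1 ~ /^-?auth$/ {
                mod = 0
                for (i = 2; i <= NF; i++)
                    if ($i ~ /pam_fprintd\.so$/) { mod = i; break }
                if (mod < 3) next                   # other module or no control
                # Everything between "auth" and the module is the control,
                # which may be a multi-word [value=action ...] expression.
                ctl = $2
                for (i = 3; i < mod; i++) ctl = ctl " " $i
                if (ctl == "required" || ctl == "requisite")
                    verdict = "additional-factor"   # must pass with the rest
                else if (ctl == "sufficient")
                    verdict = "fingerprint-alone"   # match can end the stack
                else
                    verdict = "review-manually"     # optional or bracketed
                opts = ""
                for (i = mod + 1; i <= NF; i++) opts = opts " " $i
                if (opts != "") opts = " [options:" opts "]"
                printf "%s: %s -> %s%s\n", name, ctl, verdict, opts
            }' "$f"
    done
}
```

Running audit_fprintd with no argument reads /etc/pam.d; an entry reported with the nullok option is one where, as described above, users without an enrolled fingerprint skip the second factor.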

Protecting Your Linux Device With Fingerprint

Fingerprints are not an easy hurdle for malicious users to overcome when trying to gain access to your device. Therefore, if you have taken all the precautions to protect your device, you can also take advantage of the security that fingerprints offer. However, do not forget that you must carry out the fingerprint configuration correctly, step by step.

The fingerprint scanner you are using should not let you down. That’s why you need to trust your hardware. In addition, there are much easier measures you can take for your device security. However, fingerprints should not be neglected.

