I made it work on my notebook again. Maybe it helps someone if I describe what I did.
DISCLAIMER: Enabling fprint authentication is not secure. It is just a small step better than automatic login, so do not try to protect vital data with this.
Having said that, it seems the only missing links on my system were that the stored fingerprints are now expected in a different location and enrolling was only allowed for root. Maybe the fingerprints are also stored in a different format now; I did not check with the old files, just enrolled again.
- I made sure I have the necessary packages installed (they were already installed)
$ sudo zypper install libfprint0 pam_fprint
Daten des Repositories laden ...
Installierte Pakete lesen ...
'pam_fprint' ist bereits installiert.
Kein Aktualisierungskandidat für 'pam_fprint-0.2-12.1.2.x86_64'. Die neueste Version ist bereits installiert.
'libfprint0' ist bereits installiert.
Kein Aktualisierungskandidat für 'libfprint0-0.5.0-3.1.3.x86_64'. Die neueste Version ist bereits installiert.
Paketabhängigkeiten auflösen ...
Keine auszuführenden Aktionen.
- Next I checked that PAM is configured to use fprint authentication (not sure this check is complete, it was already OK)
$ sudo pam-config --query --fprint
auth:
If the output is empty (not auth:), then add the fprint module to PAM like this:
$ sudo pam-config --add --fprint
- Now I enrolled a fingerprint for root
$ sudo pam_fprint_enroll
Switching to root (e.g. sudo) now asks for a fingerprint, and only falls back to the password if the scan does not work.
- Finally I enrolled a fingerprint for the “normal” user
The problem is that the scan device is owned by root. Normal users cannot use it. We change that by creating a udev rule for it that gives write access to the group users:
a) Find the vendor and product id of the scanner with lsusb. Mine is an Upek with vendor id 147e and product id 2016:
$ lsusb
Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c526 Logitech, Inc. Nano Receiver
Bus 001 Device 004: ID 147e:2016 Upek Biometric Touchchip/Touchstrip Fingerprint Sensor
Bus 001 Device 005: ID 0a5c:217f Broadcom Corp. BCM2045B (BDC-2.1)
Bus 001 Device 006: ID 17ef:480f Lenovo Integrated Webcam [R5U877]
Bus 002 Device 003: ID 05c6:9204 Qualcomm, Inc.
b) Add a udev rule file for this device (using your vendor and product IDs of course)
$ echo 'SUBSYSTEM=="usb", ATTR{idVendor}=="147e", ATTR{idProduct}=="2016", MODE="0664", OWNER="root", GROUP="users"' | sudo tee /etc/udev/rules.d/70-fprint.rules
c) Activate the rules
$ sudo udevadm control --reload-rules
$ sudo udevadm trigger
d) Now you should be able to call pam_fprint_enroll as normal user.
To log into a KDE session on the login screen you can now enter your username, then hit Enter, click on the OK button, then scan. If the scan does not recognize you, also enter the password before pressing Enter and then scan. This is clumsy (on Windows you enter nothing, just scan), but I still like it.
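
An added example, not part of the original post: steps a) and b) as two shell functions that pick the sensor's ID out of lsusb output and build the rule line, rejecting anything that is not a pair of 4-digit hex IDs. The function names find_usb_id and make_fprint_rule are hypothetical, and the optional group argument is an assumption that lets you grant access to a narrower group than users.

```shell
#!/bin/sh
# Constructed sample input: three lines taken from the lsusb listing above.
SAMPLE_LSUSB='Bus 001 Device 003: ID 046d:c526 Logitech, Inc. Nano Receiver
Bus 001 Device 004: ID 147e:2016 Upek Biometric Touchchip/Touchstrip Fingerprint Sensor
Bus 002 Device 003: ID 05c6:9204 Qualcomm, Inc.'

# find_usb_id PATTERN (hypothetical helper)
# Reads lsusb output on stdin and prints vendor:product of the device whose
# line contains PATTERN (case-insensitive substring). Returns 1 unless exactly
# one device matches, so an ambiguous pattern never selects the wrong device.
find_usb_id() {
    awk -v pat="$1" '
        BEGIN { pat = tolower(pat) }
        $5 == "ID" && index(tolower($0), pat) { id = $6; n++ }
        END { if (n != 1) exit 1; print id }'
}

# make_fprint_rule VENDOR:PRODUCT [GROUP] (hypothetical helper)
# Prints the udev rule line used in the post. Both arguments are validated
# so that stray text can never end up in a file under /etc/udev/rules.d.
make_fprint_rule() {
    group=${2:-users}
    case "$1" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) echo "bad USB id: $1" >&2; return 1 ;;
    esac
    case "$group" in
        ''|*[!a-z0-9_-]*) echo "bad group: $group" >&2; return 1 ;;
    esac
    printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", MODE="0664", OWNER="root", GROUP="%s"\n' \
        "${1%%:*}" "${1##*:}" "$group"
}

# Usage on a real system. The file is written through "sudo tee" because a
# plain ">" redirect is performed by the unprivileged shell, not by sudo:
#   id=$(lsusb | find_usb_id fingerprint) &&
#   rule=$(make_fprint_rule "$id") &&
#   printf '%s\n' "$rule" | sudo tee /etc/udev/rules.d/70-fprint.rules
```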