Since my laptop is equipped with a fingerprint reader I configured it to work at login and with sudo prompts in the terminal, but one thing I can't wrap my head around is system pop-ups.
I run KDE (with plans to switch to Hyprland when I feel like it™), but every time there is an authentication popup it only prompts me for a password.
As of this Reddit post, I added the following lines to my /etc/pam.d/system-auth file:
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
But now I just get prompted for the password anyways and then for the fingerprint scan.
What should I do to fix this behaviour?
My current /etc/pam.d/system-auth file looks like this:
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
# Added for fingerprint support in popups
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
Also, is it possible to allow sddm fingerprint authentication without pressing enter before scanning the finger?
Offline
https://wiki.archlinux.org/title/Fprint … kit_agent.
Last edited by seth (2026-06-10 19:40:32)
Offline
Even after trying that it still prompts me for the fingerprint after putting the password
Offline
Oh, the pam modules are tested in order, putting the fprint entries into some block at the end will use that venue last.
Also you don't want to have the double pam_unix, see https://wiki.archlinux.org/title/Fprint#Configuration
Offline
Thank you
I'd figured it had to be in order, but wasn't sure where to put it; guess I should have checked the wiki earlier.
Where should (if I should) I put the other two entries or for those the order isn't important?
Last edited by fl4nd1 (2026-06-10 20:30:35)
Offline
You already have pam_env and you don't need https://man.archlinux.org/man/pam_deny.8 at all.
Please always remember to mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Offline
I removed the last two entries, now my fingerprint works as expected, but my password doesn't:
- in sddm it waits way longer than it should, then works;
- in the system popup it still waits, then prompts for a password again, then works;
- in sudo it works properly, but when I cancel the fingerprint to use the password (by pressing ^C while prompted to scan) it prompts for the fingerprint again; this also results in it giving you 6 tries to scan instead of 3 before falling back to the password
Offline
https://wiki.archlinux.org/title/SDDM#U … int_reader and please post all pam files you've changed
Offline
/etc/pam.d/system-auth
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=3 default=ignore] pam_systemd_home.so
auth [success=2 default=ignore] pam_fprintd.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
/etc/pam.d/sddm
#%PAM-1.0
auth [success=1 new_authtok_reqd=1 default=ignore] pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so
auth include system-login
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
account include system-login
password include system-login
-password optional pam_gnome_keyring.so use_authtok
session optional pam_keyinit.so force revoke
session include system-login
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
/etc/pam.d/sudo
#%PAM-1.0
auth sufficient pam_fprintd.so
auth include system-auth
account include system-auth
session include system-auth
Offline
Remove the entry in sudo - you're starting w/ pam_fprintd, then continue w/ system-auth … which starts w/ pam_fprintd
The sddm config should™ ask you for a password and on hitting enter ask you for your fingerprint.
If there's a delay between hitting enter and the fingerprint request, try to add "nodelay" to the pam_unix.so line, https://man.archlinux.org/man/pam_unix.8
Can you please elaborate on the "system popup" situation? What exactly do you do and experience?
Offline
Sorry I wasn't clear:
by "system popup" I meant the polkit window in KDE. The example test I do to test it was opening Ente Auth and unlocking since I set up the pin with device unlock,
if I scan my fingerprint Ente Auth opens immediately, if I enter my password it waits for about 15 seconds greying out the text box, then reopens polkit again, inserting the password the second time opens Ente Auth.
Also I'm not having the delay in SDDM when pressing enter with a blank password, but when logging in with the password instead of fingerprint, stays on "logging in" for about 20 seconds and then KDE starts.
Last edited by fl4nd1 (2026-06-10 21:54:52)
Offline
Please post your complete system journal for the boot after
1. logging in w/ a password to sddm
2. entering a password into the polkit dialog twice
sudo journalctl -b | curl -s -H "Accept: application/json, */*" --upload-file - 'https://paste.c-net.org/'
A problem I can see w/ sddm is that pam_unix skips pam_fprintd but still invokes system-auth (which is what you generally want) but that has pam_unix again
Offline
Here's the logs:
https://paste.c-net.org/ObesityChosen
Offline
Jun 11 13:42:18 L14Endi sddm[770]: Authentication information: SDDM::Auth::INFO_UNKNOWN "Place your right index finger on the fingerprint reader"
Jun 11 13:42:18 L14Endi sddm-greeter-qt6[906]: Information Message received from daemon: "Place your right index finger on the fingerprint reader"
Jun 11 13:42:19 L14Endi systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
Jun 11 13:42:30 L14Endi tailscaled[725]: [RATELIMIT] format("control: doLogin(regen=%v, hasUrl=%v)") (10 dropped)
…
Jun 11 13:42:47 L14Endi tailscaled[725]: [RATELIMIT] format("Received error: %v")
Jun 11 13:42:48 L14Endi sddm-helper[1374]: [PAM] Preparing to converse...
Jun 11 13:42:48 L14Endi sddm-helper[1374]: [PAM] Conversation with 1 messages
Jun 11 13:42:48 L14Endi sddm[770]: Authentication information: SDDM::Auth::INFO_UNKNOWN "Verification timed out"
Jun 11 13:42:48 L14Endi sddm-greeter-qt6[906]: Information Message received from daemon: "Verification timed out"
SDDM still asks you to provide the fingerprint?
What happens if you undo the change to system-auth ?
Jun 11 13:43:28 L14Endi polkit-kde-authentication-agent-1[2066]: Info: "Place your right index finger on the fingerprint reader"
Jun 11 13:43:32 L14Endi polkit-kde-authentication-agent-1[2066]: Dialog accepted
Jun 11 13:43:52 L14Endi flatpak[4689]: [AuthUtil][WARNING] [2026-06-11 13:43:52.151460] System local authentication unavailable
Jun 11 13:43:52 L14Endi flatpak[4689]: ⤷ type: LocalAuthException
Jun 11 13:43:52 L14Endi flatpak[4689]: ⤷ error: LocalAuthException(code unknownError, Timeout was reached, null)
Jun 11 13:43:52 L14Endi polkit-kde-authentication-agent-1[2066]: cancelled_cb for 0x55d8159c86c0
Jun 11 13:43:52 L14Endi polkitd[723]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action com.ente.auth.unlock for system-bus-name::1.97 [<unknown>] (owned by unix-user:endi)
Jun 11 13:43:52 L14Endi polkit-kde-authentication-agent-1[2066]: Cancelling authentication
Can you "pkexec ls"?
Offline
SDDM still asks me for a fingerprint and if I scan it while it's waiting it starts KDE.
By undoing the change to system-auth SDDM still asks me for fingerprint, and there is no login delay or polkit issue, but no fingerprint in sudo and polkit.
I can run "pkexec ls" it then prompts polkit for authentication and then does nothing like doing ls in an empty folder.
Offline
but no fingerprint in sudo and polkit.
This is expected, the problem is the stacked fprintd modules.
Replace
auth include system-login
w/
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
You should also prepend
auth required pam_faillock.so preauth
and I removed pam_systemd_home.so (assuming you're not using homed anyway)
I can run "pkexec ls" it then prompts polkit for authentication and then does nothing like doing ls in an empty folder.
So the problem there is limited to the flatpak?
Offline
By prepending do you mean putting it at the start of the file?
Also I tested pkexec ls after removing fingerprint. So I don't think flatpak is related
Last edited by fl4nd1 (Yesterday 16:33:27)
Offline
Below the shebang #%PAM-1.0 but yes.
It's supposed to be top of the stack
Offline
Do I put it in all three files?
Offline
No, you're supposed to reset sudo to what it was (w/o the leading fprintd call) and merge the auth block of system-auth into sddm (instead of having fprintd and unix in sddm and then again when including system-auth)
Offline
By doing the modifications in the sddm file it no longer accepts password login and only fingerprint, if I try the password it prompts me with login failed
Last edited by fl4nd1 (Yesterday 16:42:03)
Offline
What am I doing wrong?
sddm
#%PAM-1.0
auth required pam_faillock.so preauth
auth [success=1 new_authtok_reqd=1 default=ignore] pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so
#auth include system-login
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
#
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
account include system-login
password include system-login
-password optional pam_gnome_keyring.so use_authtok
session optional pam_keyinit.so force revoke
session include system-login
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
system-auth
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth [success=2 default=ignore] pam_fprintd.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
sudo
#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth
Offline
You're not skipping
auth [default=die] pam_faillock.so authfail
…
auth [success=2 new_authtok_reqd=1 default=ignore] pam_unix.so try_first_pass likeauth nullok
auth [success=1 new_authtok_reqd=done default=ignore] pam_fprintd.so
auth [default=die] pam_faillock.so authfail
…
Offline
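An added illustration of the skip counts discussed in the posts above (not part of any post in this thread): a simplified model of how Linux-PAM applies auth control actions, run against the two sddm auth stacks quoted in the thread. Module results are assumed inputs, including that the authfail line returns "ignore"; parse, run, BROKEN and FIXED are names made up for this example.

```python
KEYWORDS = {  # keyword controls as bracket rules, per pam.conf(5); a model, not libpam
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional": "success=ok new_authtok_reqd=ok default=ignore",
}

def parse(stack):
    """Yield (module line, {result: action}) for each 'auth ...' line."""
    for line in stack.strip().splitlines():
        rest = line.split(None, 1)[1]                 # drop the "auth" column
        if rest.startswith("["):
            control, module = rest[1:].split("]", 1)
        else:
            word, module = rest.split(None, 1)
            control = KEYWORDS[word]
        yield module.strip(), dict(p.split("=") for p in control.split())

def run(stack, outcomes):
    """Return (authenticated, modules called). `outcomes` maps a substring of
    a module line to its assumed PAM result; unlisted modules return "success"."""
    entries, called, ok, failed, i = list(parse(stack)), [], False, False, 0
    while i < len(entries):
        module, rules = entries[i]
        result = next((r for k, r in outcomes.items() if k in module), "success")
        action = rules.get(result, rules["default"])
        called.append(module.split()[0])
        i += 1
        if action.isdigit():
            i += int(action)      # jump over N modules; counts as "ignore" for auth
        elif action in ("ok", "done"):
            ok = True
        elif action in ("bad", "die"):
            failed = True
        if action == "die" or (action == "done" and not failed):
            break                 # both end the stack walk immediately
    return ok and not failed, called

# auth lines copied from the /etc/pam.d/sddm posts in this thread
HEAD = "auth required pam_faillock.so preauth\n"
TAIL = """auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc"""
BROKEN = HEAD + """auth [success=1 new_authtok_reqd=1 default=ignore] pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so
""" + TAIL
FIXED = HEAD + """auth [success=2 new_authtok_reqd=1 default=ignore] pam_unix.so try_first_pass likeauth nullok
auth [success=1 new_authtok_reqd=done default=ignore] pam_fprintd.so
""" + TAIL
```

run(BROKEN, {"authfail": "ignore"}) models a correct password: pam_unix jumps one line, lands on the [default=die] entry and the login is refused. The same input against FIXED jumps two lines to pam_permit.so and succeeds.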
Ok now SDDM works properly, remains polkit when using the password (fingerprint works fine):
- with pkexec just waits a long time before authenticating
- with the flatpak app same as before, waits a long time using the password, prompts for it a second time and then works
Offline
- with pkexec just waits a long time before authenticating
That wasn't the case before? Did you change system-auth as well? Or anything else?
Offline