swaylock
swaylock copied to clipboard
swaywm
Have to scan fingerprint after entering password
Swaylock version: 1.3 OS: Arch Linux Sway version: 1.0 Laptop: Thinkpad T540p
If I lock the screen with swaylock I have to enter the password (obviously), but after entering the correct password, it will not let me in. This is when my fingerprint reader starts showing its "scanning" light. It only lets me in when I scan my fingerprint.
The scanner doesn't start until I enter something (Not necessarily my actual password - can even press Enter) and doesn't work even if entering right password (until I scan my fingerprint).
It appears that the fingerprint scanner doesn't start automatically until a key press triggers the login process.
I'm not sure if this is a bug. What is happening is that PAM is launched when you press "Return" key. Your PAM must be configurated to first request fingerprint so even if you write your password PAM will ignore the input and wait for the fingerprint.
In a GDM this is not an issue because there are two steps.
Step 1: request the user to login Step 2: request password
After step 1 PAM is called. But in the end, sway-lock is not a GDM, is just a tool to lock a wayland session.
As workaround you could:
- Configure PAM to not request fingerprint for swaylock.
or
- Unlock without password. Just press enter to unlock and put your finger in the fingerprint reader.
or
- Fork sway lock to add some functionality to make the election of fingerprint or password depending on the /etc/pam.d/swaylock pam configuration.
Fork sway lock to add some functionality to make the election of fingerprint or password depending on the /etc/pam.d/swaylock pam configuration.
I'm facing the same behavior as the one described in this issue, and I'd like to try to implement this feature.
I imagine a flag like --early-pam or something like that, that would trigger the verification right away. Would this be an interesting feature to merge on swaylock once implemented ?
Fork sway lock to add some functionality to make the election of fingerprint or password depending on the /etc/pam.d/swaylock pam configuration.
I'm facing the same behavior as the one described in this issue, and I'd like to try to implement this feature. I imagine a flag like
--early-pamor something like that, that would trigger the verification right away. Would this be an interesting feature to merge on swaylock once implemented ?
Would be sweet if you're still thinking about it, an important note is that fprintd will (and should) timeout, so I'm not sure how feasible this is.
Any news on this? I'm having a hard time with swaylock after adding fingerprint auth in Gnome.
Any news on this? I'm having a hard time with swaylock after adding fingerprint auth in Gnome.
Not sure if you read the other comments, you don't have to enter your password... When you hit enter swaylock will attempt to authenticate with pam, in this case rather than sending your password, pam will call fprintd and wait for your fingerprint to auth.
So in summary, hit enter, scan finger, will unlock
Might be worth closing this issue as it doesn't seem realistic to change that behaviour, unless sway can detect your default authentication method which seems like security risk. Or implement a solution similar to GDM that lets you auth with both at any point.
The current behaviour is super-unintuitive so I don’t think this issue should be closed without either making it work more intuitively or (more likely) documenting it with a howto or similar.
Maybee You are interested how to do the workaround mentioned by @rsansores.
- Unlock without password. Just press enter to unlock and put Your finger in the fingerprint reader.
So here an elaboration:
According to https://wiki.archlinux.org/title/Fprint having these 2 lines at the very top of /etc/pam.d/swaylock
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so
...
will still allow You to authenticate with a password as usuall. However additionally if You provide a blank, so just by pressing enter with no prior input, it will switch to finger print authentication. However make sure that You allow blank input in the swaylock configuration for this to work. Namely delete (or comment out) ignore-empty-password in ~/.config/swaylock/config if it is present.
Hope this helps someone.
Fork sway lock to add some functionality to make the election of fingerprint or password depending on the /etc/pam.d/swaylock pam configuration.
I'm facing the same behavior as the one described in this issue, and I'd like to try to implement this feature. I imagine a flag like
--early-pamor something like that, that would trigger the verification right away. Would this be an interesting feature to merge on swaylock once implemented ?Would be sweet if you're still thinking about it, an important note is that fprintd will (and should) timeout, so I'm not sure how feasible this is.
Another potential issue worth considering is when swaylock is used with swayidle's before-sleep. On my machine at least, PAM fails after a sleep when waiting for a fingerprint because the fingerprint module is powered off. You could just use after-resume, but then there's the issue of the desktop being briefly visible after waking up but before swaylock starts.
A workaround might be to have a separate command-line program that just spawns a layer-shell to cover the desktop before sleep, and spawns a swaylock process on any sort of activity (so we only start swaylock after resume).
using https://frame.work with Sway on arch and I was so confused...
any update / pointer to where to implement this?
@Moelf I'm using Sway on Fedora on a Framework laptop as well.
It's been about half a year without issue using @andrino-meli's comment above with @rsansores's workaround: https://github.com/swaywm/swaylock/issues/61#issuecomment-965175390
Note that with some applications like Swaylock, you may need to first press enter to submit a blank password, then swipe your finger.
I've also been dealing with this workaround for quite some time. I think swaylock should have some logic to detect an active fingerprint reader and - for example - give some kind of "press enter to scan finger" message, as well as skipping the aforementioned foot-guns (ignore-empty-password).
imo the behaviour as it stands doesn't make for good UX and should be improved upon to justify actually closing this issue, if it's closed as is I would expect new similar issues to be opened as people no longer find this one.
it's been 3 years, and swaylock still doesn't support FP readers properly /shrug
it's been 3 years, and swaylock still doesn't support FP readers properly /shrug
it's been 3 years, and nobody bothered submitting a patch nor doing some research on what would be required to improve swaylock /shrug
https://github.com/swaywm/swaylock/issues/61#issuecomment-965175390 works like a charm for this :+1:
Whilst I can unlock with my fingerprint reader, I am unclear as to what the actual method is! For instance, sometimes it'll happen instantly other times after 10 seconds. Sometimes it helps by pressing Enter once and other times twice.
I have:
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_fprintd.so
and no .config/swaylock/config (hence I assume there is no ignore-empty-password set).
@tombh My guess is the fingerprint scanner is finicky and doesn't always want to recognize the finger on the first try, and there's no UI feedback about that.
Thanks, yes that's what I thought too. But if I have dmesg tailed whilst doing say a sudo auth, I always see immediate "success" log lines.
Maybee You are interested how to do the workaround mentioned by @rsansores.
- Unlock without password. Just press enter to unlock and put Your finger in the fingerprint reader.
So here an elaboration:
According to https://wiki.archlinux.org/title/Fprint having these 2 lines at the very top of /etc/pam.d/swaylock
auth sufficient pam_unix.so try_first_pass likeauth nullok auth sufficient pam_fprintd.so ...will still allow You to authenticate with a password as usuall. However additionally if You provide a blank, so just by pressing enter with no prior input, it will switch to finger print authentication. However make sure that You allow blank input in the swaylock configuration for this to work. Namely delete (or comment out)
ignore-empty-passwordin ~/.config/swaylock/config if it is present.Hope this helps someone.
This works fine, but there is a problem that it never tells me if I type an incorrect password, it just fails silently and password auth never works again (only fprint).
According to https://wiki.archlinux.org/title/Fprint having these 2 lines at the very top of /etc/pam.d/swaylock
auth sufficient pam_unix.so try_first_pass likeauth nullok auth sufficient pam_fprintd.so ...will still allow You to authenticate with a password as usuall. However additionally if You provide a blank, so just by pressing enter with no prior input, it will switch to finger print authentication. However make sure that You allow blank input in the swaylock configuration for this to work. Namely delete (or comment out)
ignore-empty-passwordin ~/.config/swaylock/config if it is present.Hope this helps someone.
Hello,
First of all, thanks for sharing this here. It is so useful it should be added in the sway wiki.
My input to this issue is this.
Coming back to a wm from Gnome, I should say that having to press enter before using the scanner, isn't any worse than having to open the password prompt in GDM and then use the fingerprint scanner. It's the same process actually. You press enter or space to select the user and then scan your print.
BUT! I took me longer that I am willing to admit, to understand what was happening. It was only after randomly trying things that I managed to unlock my session.
The best thing I could hope for would be, to have an option to skip pressing enter altogether and just scan the fingerprint. But if it isn't straight forward, and no-one is willing to do it, I have some other suggestions.
- Add an (option for) indication that 2FA or a fingerprint scanner is enabled
- Add the above solution to the man page and
--help(if not in more places) - Add the configuration to /etc/pam.d/swaylock, by default, as a comment
Fingerprint scanners are getting more common. I bet that soon they are going to be added on mainstream keyboards. I understand that the goal is not to make swaylock more complicated, but it has to be a tiny bit better in the UX department. At the very least make the issue known to the users, without bringing them here.
Thanks for making my wm more secure.
I've started to implement fingerprint functionality into swaylock. It is based on fprintd DBus service. It will always wait for finger and will not require to press any button before scanning. It already works but I need to use normal event loop and test it.
https://github.com/SL-RU/swaylock-fprintd
Fingerprint scanning works perfectly now. BUT only if system doesn't suspends. After suspend fprintd cannot correctly wake up the device. This issue is already opened and even MR exists: https://gitlab.freedesktop.org/libfprint/libfprint/-/merge_requests/270
Now I'll be watching it's status and when it will be ready I'll finish that task
Package with fingerprint support on AUR: https://aur.archlinux.org/packages/swaylock-fprintd-git
@SL-RU, what is your
/etc/pam.d/swaylockconfiguration?
The default one
❯ cat /etc/pam.d/swaylock
#
# PAM configuration file for the swaylock screen locker. By default, it includes
# the 'system-auth' configuration file (see /etc/pam.d/login)
#
auth include system-auth
Then what configuration is needed to prompt for the fingerprint?
Ooh, you need to add argument -p or alias --fingerprint. You can check --help. For example
swaylock -p -c 111111
For /etc/pam.d/swaylock I have this and it works fine.
# PAM configuration file for the swaylock screen locker. By default, it includes
# the 'login' configuration file (see /etc/pam.d/login)
#
auth required pam_u2f.so authfile=/etc/u2f_mappings
auth include system-login
account include system-login
password include system-login
session include system-login
This is for a yubikey but I am sure you can modify it to fit your requirements. Now how it works for me is I first do a password then I touch the yubikey then it opens.
@SL-RU Your fork works perfectly! I'd love to see a bit more visual feedback (like the circle could pop up and say "scanning" or something when I place my finger on the reader), but your fork is awesome. No delays whether I use the fingerprint scanner or password, and no PAM changes needed.
