Fingerprint unlock after suspend/sleep with fprintd and PAM does not work #210

Closed
ddnomad opened this issue Dec 3, 2018 · 12 comments

ddnomad commented Dec 3, 2018

I'm submitting a…

[X] Bug
[ ] Feature Request
[ ] Other (Please describe in detail)

Current Behavior

I'm using fprintd to unlock my laptop (Lenovo X250) with a fingerprint. Using i3lock for this works fine all the time, except when I attempt to authenticate against i3lock after coming back from suspend/sleep.

This issue is similar to this one.

Relevant pieces of configuration:

  • /etc/pam.d/i3lock
auth sufficient pam_fprintd.so
auth include    system_auth
  • /etc/systemd/system/suspend@service
[Unit]
Description=Suspend setting lock screen
Before=sleep.target

[Service]
User=%I
Type=forking
Environment=DISPLAY=:0
ExecStart=/usr/bin/lock_screen
ExecStartPost=/usr/bin/sleep 1

[Install]
WantedBy=sleep.target
  • /usr/bin/lock_screen
#!/usr/bin/env bash
set -euo pipefail

i3lock &

Expected Behavior

I can trigger fingerprint authentication by pressing Enter after suspend/sleep (using i3lock) and authenticate successfully without entering a password.

Reproduction Instructions

Just save the above configuration files in your system and suspend the laptop. Do not forget to enable suspend@$USER.service.

Environment

Output of i3lock --version:

i3lock: version 2.11.1 © 2010 Michael Stapelberg

@stapelberg
Member

I don’t have a fingerprint reader, so I can’t look into this.

I don’t know what would be different after suspend/resume, though. Try checking the PAM logs? i3lock just uses PAM, it doesn’t know about fingerprint readers.

@kakawait

@ddnomad did you find any workaround or more information? I have the exact same issue. Fingerprint is working great when launching i3lock manually but not after systemctl suspend

@ddnomad
Author

ddnomad commented Sep 14, 2020

@kakawait I've decided to get rid of the fingerprint PAM module completely on my machine. This and other issues were causing too much grief.

I've narrowed it down to PAM kicking in before the dkms module for a fingerprint loads, hence PAM assumes this auth method fails.

@Jaegrqualm

I'm interested in this feature working correctly as well, so I looked into it. There's a bug report open for PAM on this issue: linux-pam/linux-pam#301 stating that appropriate support is not really on the table, and that the only solution at this point is to run two PAM sessions at once. I don't know if that's something that could be implemented, or if it's something I could just set up myself, but I'm interested in others' opinions.

@advilm

advilm commented Feb 8, 2022

I've sort of managed to get it to work.

I tried piping the output of the fprintd-verify into a file to view the log. It was outputting

Using device /net/reactivated/Fprint/Device/0
failed to claim device: GDBus.Error:net.reactivated.Fprint.Error.PermissionDenied: Not Authorized: net.reactivated.fprint.device.enroll

The Arch wiki has an example for restricting fprintd (fprint#Restrict_enrolling), which I essentially modified to allow anybody to use fprintd-verify. That way, when the systemd service tries to use fprintd-verify, it wouldn't have to be authorized.

/usr/share/polkit-1/rules.d/50-net.reactivated.fprint.device.verify.rules

polkit.addRule(function (action, subject) {
  if (action.id == "net.reactivated.fprint.device.verify") {
    return polkit.Result.YES
  }
})

And that somehow made it work. There is probably a better solution to this, but this works for now.
One drawback is I have to press enter before using fingerprint. This happens for me with sxlock and seems to be a known issue (lahwaacz/sxlock#8). Lightdm would also force me to press enter first 50% of the time.

Also, if anyone is curious, here are other files related to my setup: gist
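
A narrower variant of the polkit rule in the comment above, as an added example that is not part of the thread or of any project's shipped configuration: it grants the verify action only to members of one group instead of to every subject. The group name `fprint-unlock` and the helper names are assumptions, and the `pk` fallback is a constructed stand-in so the decision function can also be exercised outside polkitd.

```javascript
// Added example: scope the fprintd verify grant to one group.
// ALLOWED_GROUP is a hypothetical group name; put only the accounts whose
// screen locker should be able to start a fingerprint verification in it.
var ALLOWED_GROUP = "fprint-unlock";
var VERIFY_ACTION = "net.reactivated.fprint.device.verify";

// polkitd provides the global `polkit`. The fallback is a constructed
// stand-in used only when this file is run under node for testing.
var pk = (typeof polkit !== "undefined") ? polkit : {
  Result: { YES: "yes", NOT_HANDLED: "not_handled" },
  addRule: function () {},
  log: function () {}
};

function fprintVerifyRule(action, subject) {
  // Touch only the verify action; enroll and every other action fall
  // through to the packaged defaults.
  if (action.id !== VERIFY_ACTION) {
    return pk.Result.NOT_HANDLED;
  }
  // Group membership is the only condition. subject.active and
  // subject.local are deliberately not tested, on the assumption that a
  // locker started from a systemd unit has no active login session.
  if (subject.isInGroup(ALLOWED_GROUP)) {
    pk.log("fprint verify allowed for " + subject.user);
    return pk.Result.YES;
  }
  // Everyone else gets the default decision, not an explicit YES.
  return pk.Result.NOT_HANDLED;
}

pk.addRule(fprintVerifyRule);
```

Locally written rules normally go in /etc/polkit-1/rules.d/; /usr/share/polkit-1/rules.d/ is meant for files installed by packages.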

@advilm

advilm commented Feb 8, 2022

On further investigation, I realized the reason it only works after pressing enter is because after you press enter it enters the verifying mode. Once in the verifying mode, it doesn't let you type the password anymore. So simply starting the verification mode automatically probably isn't a good solution for most. Like @Jaegrqualm said, two PAM sessions are probably necessary for complete support.

@advilm

advilm commented Feb 22, 2022

Found a workaround where I could use either password or fingerprint reader.
This script uses xss-lock so that I can pause audio and turn on DND.
xss-lock -- ~/scripts/lock.sh

With xss-lock I needed to add this systemd service in order to delay suspend until i3lock starts.

[Unit]
Description=Delay suspend until i3lock starts
Before=sleep.target suspend.target hibernate.target hybrid-sleep.target suspend-then-hibernate.target

[Service]
Type=oneshot
ExecStart=/bin/bash -c 'while ! pidof i3lock; do sleep 1; done'

[Install]
WantedBy=sleep.target suspend.target hibernate.target hybrid-sleep.target suspend-then-hibernate.target

The script:

#!/bin/sh

# Only set up a lock if i3lock is not already running
if ! pidof i3lock; then
    scrot -o /tmp/screenshot.png
    convert /tmp/screenshot.png -blur 0x5 /tmp/screenshot.png

    # Turn on DND
    old="$(xfconf-query -c xfce4-notifyd -p /do-not-disturb)"
    xfconf-query -c xfce4-notifyd -p /do-not-disturb -s true

    # Pause stuff and mute audio
    playerctl -a pause > /dev/null
    aold="$(amixer get Master | tail -2 | grep '\[on\]')"
    amixer set Master mute > /dev/null

    # i3lock forks into the background, so the script continues while the screen is locked
    i3lock -ui /tmp/screenshot.png

    # Poll the fingerprint reader in 5-second windows until i3lock exits
    while pidof i3lock > /dev/null; do
        if timeout 5 fprintd-verify | grep -q verify-match; then
            pkill i3lock
        fi
    done

    # Set settings back to what they were before
    if [ -n "$aold" ]; then
        amixer set Master unmute > /dev/null
    fi
    xfconf-query -c xfce4-notifyd -p /do-not-disturb -s "$old"
fi

@stapelberg
Member

> With xss-lock I needed to add this systemd service in order to delay suspend until i3lock starts.

I think you can use xss-lock’s --transfer-sleep-lock flag instead. i3lock supports it.

@advilm

advilm commented Feb 22, 2022

Oh, thanks! I updated the gist with a script that works.

@Animeshz

This is a very specific scenario of just locking and unlocking the DE/WM. Is there a generic method that works with sudo (and if possible also polkit authentication) too, at the time any cli/app needs a superuser acquisition?

@demure

demure commented Mar 1, 2022

> This is a very specific scenario of just locking and unlocking the DE/WM. Is there a generic method that works with sudo (and if possible also polkit authentication) too, at the time any cli/app needs a superuser acquisition?

The point of the ticket was unlocking i3lock. Getting sudo working is outside the scope of i3wm and i3lock.

You can get sudo working with fprintd fairly easily -- https://wiki.archlinux.org/title/fprint

@stapelberg
Member

I’m closing this issue in favor of tracking all PAM improvement work (which will help with fingerprint readers and other setups) in issue #217
