Oct 31

Lenovo W510 Fingerprint Reader & Gnome Integration

This post is based on setting up Gentoo on a Lenovo Thinkpad W510 and shows how to set up the fingerprint reader and integrate it into the Gnome desktop environment.
According to Debian GNU/Linux on the Thinkpad W510, the fingerprint work is still in progress. We spent some time figuring out that the fprintd project is the state of the art, at least for desktop environments using D-Bus. fprintd uses libfprint, which is also available in portage.

Before we start, we have to make sure that the fingerprint reader is recognized correctly. On the W510, the fingerprint reader is recognized as a USB input device:

$ lsusb | grep Finger
Bus 001 Device 004: ID 147e:2016 Upek Biometric Touchchip/Touchstrip Fingerprint Sensor

If no matching device ID shows up, there might be something wrong with the kernel USB configuration. Refer to Gentoo on a Lenovo Thinkpad W510 and make sure the USB configuration works.

Next, we installed the corresponding Gentoo packages from portage.

$ emerge -av fprintd libfprint
...

Note that libfprint is required by fprintd, so you do not have to install that package explicitly. The packages might be masked as unstable, in which case you have to unmask them:

$ tail -n3 /etc/portage/package.keywords
# Fingerprint reader setup, 2010-10-28
sys-auth/fprintd ~amd64
sys-auth/libfprint ~amd64

Now we can start recording fingerprints using fprintd-enroll:

$ fprintd-enroll
Using device /net/reactivated/Fprint/Device/0
Enrolling right index finger.
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-stage-passed
Enroll result: enroll-completed

Note that we ran into problems when we tried to enroll the fingerprint as a non-root user:

$ fprintd-enroll
Using device /net/reactivated/Fprint/Device/0
failed to claim device: Not Authorized: net.reactivated.fprint.device.enroll

We fixed that by editing /usr/share/polkit-1/actions/net.reactivated.fprint.device.policy, where we allow the action ids net.reactivated.fprint.device.verify and net.reactivated.fprint.device.enroll for any user and not only for the active one. There might be a bug in sys-auth/consolekit, but we have not yet had time to work on that and hence are using this workaround.
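
The workaround changes the implicit authorizations (the allow_any, allow_inactive and allow_active elements) that polkit reads from the policy file. The following check is an added example, not part of the original post: it lists fprint actions that are granted with a plain "yes" outside the active local session. The sample XML is constructed to mirror the state described above, and the function names are illustrative.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed samples (not the file shipped by sys-auth/fprintd): the two action
# ids from the post, first limited to the active session, then after the workaround.
STOCK_LIKE = """<policyconfig>
  <action id="net.reactivated.fprint.device.verify">
    <defaults><allow_any>no</allow_any><allow_inactive>no</allow_inactive><allow_active>yes</allow_active></defaults>
  </action>
  <action id="net.reactivated.fprint.device.enroll">
    <defaults><allow_any>no</allow_any><allow_inactive>no</allow_inactive><allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>"""
WORKAROUND = STOCK_LIKE.replace("<allow_any>no", "<allow_any>yes")

SCOPES = ("allow_any", "allow_inactive", "allow_active")


def implicit_auth(policy_xml):
    """Map each action id to its implicit authorizations (a missing element is treated as 'no')."""
    result = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        result[action.get("id")] = {
            scope: "no" if defaults is None else defaults.findtext(scope, "no").strip()
            for scope in SCOPES
        }
    return result


def broadened(policy_xml, prefix="net.reactivated.fprint."):
    """Return sorted (action id, scope) pairs granted without authentication to non-active sessions."""
    return sorted(
        (action_id, scope)
        for action_id, scopes in implicit_auth(policy_xml).items()
        if action_id.startswith(prefix)
        for scope in ("allow_any", "allow_inactive")
        if scopes[scope] == "yes"
    )


if __name__ == "__main__":
    # With a path argument, audit that policy file; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WORKAROUND
    for action_id, scope in broadened(data):
        print(f"{action_id}: {scope}=yes (granted outside the active local session)")
```

Files under /usr/share/polkit-1/actions belong to the installed package, so the check is worth repeating after sys-auth/fprintd is updated, to see whether the manual edit is still in place.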

Finally, we modified the /etc/pam.d/system-auth configuration in order to use the fingerprint mechanism:

$ cat /etc/pam.d/system-auth
auth        required    pam_env.so
auth        sufficient  pam_fprintd.so
auth        sufficient  pam_unix.so try_first_pass likeauth nullok
#auth       required    pam_unix.so try_first_pass likeauth nullok
account     required    pam_unix.so

password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password    required    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session     required    pam_limits.so
session     required    pam_env.so
session     required    pam_unix.so
session     optional    pam_permit.so

Thanks to the D-Bus integration, nothing further is needed to enable the fingerprint reader in, e.g., the Gnome screensaver (gnome-screensaver) or the Gnome display manager (gdm); that works out of the box:

$ su -
Swipe your right index finger on UPEK Eikon 2
  1. Nice guide. Thanks! :)

  2. Thanks. Used your guide on my Lenovo T410.
