keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Feature request: Linux fingerprint reader support (via fprint) #5991

Closed goetzc closed 11 months ago

goetzc commented 3 years ago


Summary

On GNU/Linux this can be done around fprint, which is the current general method to manage fingerprint readers.

From the project's homepage:

> The fprint project aims to plug a gap in the Linux desktop: support for consumer fingerprint reader devices.

More info:

https://www.freedesktop.org/wiki/Software/fprint/
http://www.linux-pam.org/

Context

Opening a Linux-specific ticket, similar to the Windows-specific one, as the general issue can be too broad to support both potential bounties for each OS.


IssueHunt Summary

### Backers (Total: $210.00)

- [goetzc](https://issuehunt.io/u/goetzc) ($100.00)
- [spiregarden](https://issuehunt.io/u/spiregarden) ($40.00)
- $70.00 have been anonymously funded.

#### [Become a backer now!](https://issuehunt.io/r/keepassxreboot/keepassxc/issues/5991)

#### [Or submit a pull request to get the deposits!](https://issuehunt.io/r/keepassxreboot/keepassxc/issues/5991)

### Tips

- Checkout the [Issuehunt explorer](https://issuehunt.io/r/keepassxreboot/keepassxc/) to discover more funded issues.
- Need some help from other developers? [Add your repositories](https://issuehunt.io/r/new) on IssueHunt to raise funds.

issuehunt-oss[bot] commented 3 years ago

@goetzc has funded $100.00 to this issue.


issuehunt-oss[bot] commented 3 years ago

@johanricher has funded $2.00 to this issue.


issuehunt-oss[bot] commented 3 years ago

@johanricher has funded $18.00 to this issue.


issuehunt-oss[bot] commented 3 years ago

An anonymous user has funded $20.00 to this issue.


issuehunt-oss[bot] commented 3 years ago

@spiregarden has funded $40.00 to this issue.


appetrosyan commented 3 years ago

Is anyone working on this issue?

benwaffle commented 3 years ago

1password supports this as quick unlock. On startup you enter your master password, and for quickunlock it's done via polkit so that a native GNOME fingerprint dialog pops up.

michaelk83 commented 3 years ago

> it's done via polkit so that a native GNOME fingerprint dialog pops up.

There's probably more than one way to do it. It's just that there are multiple other things that need to be finished first.

edit: This could be done with platform-specific ifdefs without waiting for all the other stuff, but it will be cleaner if at least the common interface is implemented first.

michaelk83 commented 3 years ago

Implementation note:
If this is going to save the encrypted DB passphrase similar to the TouchID and WinHello implementations, the user-space keyring (secret service) is not what you want for that (especially when KPXC is itself used as the secret service backend). This should use the kernel keyring:
https://man7.org/linux/man-pages/man7/keyrings.7.html
https://man7.org/linux/man-pages/man7/persistent-keyring.7.html

issuehunt-oss[bot] commented 3 years ago

An anonymous user has funded $50.00 to this issue.


Qix- commented 3 years ago

⚠️ IssueHunt is abandoned.

If you are putting money into it, you are losing it. Nobody will be able to receive that money as IssueHunt is not responding to withdrawal requests.

Just a heads up. It's best to just forget about it.

droidmonkey commented 3 years ago

Github really needs to start an internal bounty program...

issuehunt-oss[bot] commented 3 years ago

@johanricher has cancelled funding for this issue. (Cancelled amount: $2.00) See it on IssueHunt

issuehunt-oss[bot] commented 3 years ago

@johanricher has cancelled funding for this issue. (Cancelled amount: $18.00) See it on IssueHunt

michaelk83 commented 3 years ago

I don't know if there are really problems with IssueHunt, but there is no message about it on their website, and no relevant results in a quick Google search. It looks functional.

droidmonkey commented 3 years ago

There is chatter on Twitter, but it looks like a recent development

MatthewFallon commented 2 years ago

Want to check on the status of this.

Some form of speed authentication in general on trusted devices, especially for the length of the login session or active process, seems like an absolutely acceptable thing to support if it is not difficult to support long term.

Based on some of the comments above, it seems that the process could go something like this:

  1. Require verification through polkit to authorize saving the password.
    • allow polkit agents on major distributions to handle authentication with fprint and/or password based on user preferences
  2. Save password using the Linux kernel's in-mem keyring as mentioned above. Save to the process-keyring with only permissions for the active main process to find and access this information itself.
    • Will only last for the length of the process running keypass, closing keypass or closing the session will allow this data to be deleted by the system.
    • Similar to how the current implementation of Windows Hello auth is working from my observations.
  3. Upon database being locked, require the unlock to re-authenticate through polkit as the user before retrieving the password as the main process for unlocking the database avoiding password re-entry.

I've not been around the block so to speak as a programmer so if any of that is way off base please feel free to let me know, otherwise if it's not already in process would be happy to help put in work as I genuinely love this project and use it everywhere.

I've seen some valid commentary back and forth on a few of these related issues. Yes, it would make it less secure on the device, and making it an opt-in per device if that is the concern is completely fine. Many less-technical users still understand the trade-off and are fine with it, the users that are not fine with this tradeoff can leave it off, that is totally fine.

I think that the general user pattern of making the password on the database file itself very long is a good idea to encourage if the file will be shared between systems. Avoiding users feeling the need to shorten their master password because of inconvenience on trusted devices seems like a fair call, especially as a product that helps keepass feel much more consumer friendly in general.
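
The storage half of the flow outlined in the comment above (steps 2 and 3), as an added example that is not part of the thread and is not KeePassXC's code. It uses the raw `add_key`/`keyctl` system calls from keyrings(7); the function names and the key description are hypothetical, the polkit check that must precede `quick_unlock_read` is not shown, and `KEYCTL_INVALIDATE` needs Linux 3.5 or later.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/keyctl.h>   /* KEY_SPEC_PROCESS_KEYRING, KEYCTL_* commands */
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Possessor permission bits as documented in keyrings(7). */
#define POS_VIEW   0x01000000
#define POS_READ   0x02000000
#define POS_SEARCH 0x08000000

/* Store a secret in this process's keyring. `desc` is a hypothetical label.
 * Returns the key serial number, or -1 with errno set. */
long quick_unlock_store(const char *desc, const void *secret, size_t len)
{
    long key = syscall(SYS_add_key, "user", desc, secret, len,
                       KEY_SPEC_PROCESS_KEYRING);
    if (key < 0)
        return -1;
    /* Drop the default user/group/other bits: only a process that possesses
     * the key (has it in its own keyring) may view, read or search for it. */
    if (syscall(SYS_keyctl, KEYCTL_SETPERM, key,
                POS_VIEW | POS_READ | POS_SEARCH) < 0) {
        int saved = errno;
        syscall(SYS_keyctl, KEYCTL_INVALIDATE, key);
        errno = saved;
        return -1;
    }
    return key;
}

/* Copy the secret into buf (call only after re-authentication succeeds).
 * Returns the payload length, or -1 with errno set. */
long quick_unlock_read(long key, void *buf, size_t cap)
{
    long n = syscall(SYS_keyctl, KEYCTL_READ, key, buf, cap);
    if (n > (long)cap) {        /* kernel reports the size it needed */
        errno = ENOBUFS;
        return -1;
    }
    return n;
}

/* Discard the secret, e.g. when Quick Unlock is reset or the app exits. */
int quick_unlock_forget(long key)
{
    return (int)syscall(SYS_keyctl, KEYCTL_INVALIDATE, key);
}
```

Because the key lives in the process keyring, the kernel also discards it when the process exits, which matches the lifetime described in step 2.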

michaelk83 commented 2 years ago

Sounds about right. I don't think anyone is working on this at the moment.

dangarthwaite commented 1 year ago

Do we need an app to promise payment for a bounty?

I pledge $200 USD via paypal, BTC, ETH, or ADA if apt install keepassxc supports the fingerprint reader on my framework laptop. Offer only good during 2023.

mskvsk commented 1 year ago

> I pledge $200 USD via paypal, BTC, ETH, or ADA if apt install keepassxc supports the fingerprint reader on my framework laptop. Offer only good during 2023.

I am going to match that for pacman -S keepassxc and the latest Thinkpads.

HexF commented 1 year ago

My currently open PR to add support for Polkit should get fingerprint support working on any Linux laptop which has support from libfprint and thus Polkit.

dangarthwaite commented 1 year ago

So ifwhen this gets in - where do I send rewards?

HexF commented 1 year ago

> So ifwhen this gets in - where do I send rewards?

Shoot me an email to the address on my GitHub (thomas@hexf.me) and we can work it out there

mskvsk commented 1 year ago

> > So ifwhen this gets in - where do I send rewards?
>
> Shoot me an email to the address on my GitHub (thomas@hexf.me) and we can work it out there

If you have a crypto wallet you can drop me the address in DM when the PR is approved and I will send stablecoins (or any other major crypto) of your choice.

dangarthwaite commented 11 months ago

@hexf How's this going?

HexF commented 11 months ago

Waiting on it to get merged

dangarthwaite commented 9 months ago

> > So ifwhen this gets in - where do I send rewards?
>
> Shoot me an email to the address on my GitHub (thomas@hexf.me) and we can work it out there

Email sent!

xade93 commented 7 months ago

Is there any document on how to enable this? I do not find such option on database creation in latest keepassxc (2.7.6-2, archlinux), neither can I find any related material in user document.

droidmonkey commented 7 months ago

It's not available in a released version yet. You need to use a snapshot build: https://snapshot.keepassxc.org

PostboxRetinal commented 6 months ago

Seems Polkit is having some issues on latest OpenSUSE Tumbleweed, although fingerprint is already registered, it says "Failed to authenticate with Quick Unlock: Polkit authorization failed". Probably that's why it is a snapshot version, will wait until a release then.

droidmonkey commented 6 months ago

Snapshot has nothing to do with this feature functionality. The error message you received points to an issue with your polkit, not keepassxc. Double check that polkit works in general for you.

bohwaz commented 6 months ago

Is this in the 2.7.7 release? I can't see anything in changelog: https://github.com/keepassxreboot/keepassxc/blob/release/2.7.x/CHANGELOG.md

Thanks all for your work :)

droidmonkey commented 6 months ago

No it is not, we decided to withhold this feature as it isn't equally functional across distros at this time

bohwaz commented 6 months ago

That's sad to hear, but thanks anyway for taking time to reply :) Have a nice day.

droidmonkey commented 6 months ago

You can always run a snapshot build: https://snapshot.keepassxc.org

reneas commented 4 months ago

thanks for taking this challenge! do you know if this will be available in the next release?

droidmonkey commented 4 months ago

This is being released with 2.8.0

xade93 commented 3 months ago

Sorry if this is dumb, but I just tried the latest snapshot version, and I don't find where can I enable fingerprint unlock?? Can someone enlighten me on this?

droidmonkey commented 3 months ago

You need to create the polkit authorization, see the PR for details

luisfl commented 3 months ago

> You need to create the polkit authorization, see the PR for details

Sorry, but what is "PR"?

Can someone provide a link for this? I also was unable to find this INFO in the 2.8.0 snapshot documentation, since the "Online help" opens nothing.

droidmonkey commented 3 months ago

https://github.com/keepassxreboot/keepassxc/blob/develop/share%2Flinux%2Forg.keepassxc.KeePassXC.policy.in

You need to deploy this file to the polkit policy folder.

At this point if you can't do that then you will have to wait for this to be an official release. If you build develop branch on your own and install it as root then this file will be deployed for you.

luisfl commented 3 months ago

Thanks for the link. I added the file to /usr/share/polkit-1/actions folder, permission 644.

Yet, it still works exactly as 2.7.8, and I see no fingerprint options/config.

droidmonkey commented 3 months ago

You may need to rename it without the .in suffix

luisfl commented 3 months ago

I actually added a symlink without the .in when I created it.

Which would be the new behavior?

rgarcia89 commented 2 weeks ago

Since this has been already closed. Has someone tested this and can confirm it is working properly?

luisfl commented 2 weeks ago

> Since this has been already closed. Has someone tested this and can confirm it is working properly?

I tried the appimage of a couple days ago, and it was working, in the sense that if you lock an open DB it allows you to unlock it with fingerprint. But you still need a password to open it initially.

Not what I wanted, but...