How to enable integrated fingerprint reader with BioAPI
Contents |
This page describes the process of getting the fingerprint reader to work. It is based on experiences in Ubuntu on a T43. The same works on Fedora 4. |
Basic driver installation
Getting required libs and tools
Installing the bioapi source
- Get the bioapi source:
- I could not compile bioapi with the graphical Qt tools. To do it manually, do the following:
$ tar xjf bioapi-1.2.2.tar.bz2
$ cd bioapi-1.2.2
$ ./configure --with-Qt-dir=no
$ make
- and then as root
# make install
- and if you want to compile pam_bioapi for auth later
# cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include
- Be aware that checkinstall will not work!
Installing the driver
- Download TFMESS_BSP_LIN_1.0beta2.zip from http://www.qrivy.net/~michael/blua/upek-bsp.html and unzip it into a seperate folder, as it will not create one.
- Change to that folder and do as root:
# sh install.sh
# chmod 777 -R /usr/local/var/bioapi/
- Actually this depends on where you installed, if you did as suggested, it should work. Otherwise you probably know what you're doing anyways. :)
# touch /var/log/BSP.log && chmod 666 /var/log/BSP.log
# chmod -R a+X /proc/bus/usb
# chmod 666 /proc/bus/usb/`lsusb | grep "0483:2016" | sed -e "s/Bus\ \(.*\)\ Device\ \(.*\):\ .*/\1\/\2/"`
- It might be nessecary to put the above line into a startup script somewhere.
Testing the driver
Go to the folder where you extracted TFMESS_BSP_LIN_1.0beta2.zip and do:
# cd NonGUI_Sample
# chmod +x Sample
# ./Sample
If it doesn't work, ask for help at: t43fingerprint (at) badcode.de
GDM Login via pam_bioapi
Getting required libs & tools
Installing pam_bioapi
- Get and compile the pam_bioapi module.
$ wget http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-0.2.1.tar.bz2
$ tar xjf pam_bioapi-0.2.1.tar.bz2
$ cd pam_bioapi-0.2.1
$ wget http://badcode.de/downloads/fingerprint.patch
$ patch -p0 < fingerprint.patch
- If you want to, review the patch. In general you should review all code you download and compile, if possible.
The patch comes from this thread.
$ ./configure && make
- and as root
# make install
# cp /usr/local/lib/security/* /lib/security/
- Use the sample tool from the fingerprint reader to create <username>.bir
<username> must be the username you want to login with, gdm will probably break for any login name that has no .bir file.
- As root do:
# BioAPITest | grep -A2 Fingerprint | tail -n1 | cut -b 12-
- It should print something like
{5550454b-2054-464d-2f45-535320425350}
- If it does, do:
# mkdir /etc/bioapi1.10/pam/`BioAPITest | grep -A2 Fingerprint | tail -n1 | cut -b 12-`
# cp <username>.bir /etc/bioapi1.10/pam/`BioAPITest | grep -A2 Fingerprint | tail -n1 | cut -b 12-`
Configuring pam
The following part is distribution specific. On Ubuntu you can modify /etc/pam.d/common-auth (on Gentoo and Fedora it is /etc/pam.d/system-auth) to look like this:
# # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam/ password sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam/ auth required pam_unix.so nullok_secure
With this modification pam immediatelly starts to use the fingerprint reader to do local authorization (e.g. sudo/gdm use the fingerprint reader).
On Fedora, you may need to add /usr/local/lib to your LD_LIBRARY path so that the libraries referenced from pam_bioapi.so get picked up properly.
Now gdm should pop up an (ugly) image to swipe your finger and... magic - you can login without a password.
Make xscreensaver use the scanner
$ wget http://www.jwz.org/xscreensaver/xscreensaver-4.23.tar.gz
$ tar xzf xscreensaver-4.23.tar.gz
$ cd xscreensaver-4.23
$ wget http://nax.hn.org/pub/bioapi/xscreensaver-4.22_alternativeAuth.diff
After reviewing the patch (it's small and straightforward), do
$ patch -p1 < xscreensaver-4.22_alternativeAuth.diff
The patch should apply with some offset, don't mind that. If it says something about rejected though, then there's a problem.
This patch prevents xscreensaver from opening an authentification window and dispatches the authentification request to another program, in our case pam and pam_bioapi. Compile with
$ ./configure --with-pam && make
and then install as root with
# make install
.
Make sure that the newly compiled xscreensaver is used
$ which xscreensaver
should return/usr/local/bin/xscreensaver
.
In case it doesn't, try
$ export PATH=/usr/local/bin:$PATH
and retry.
$ xscreensaver-command -exit
kills your running instance of xscreensaver. Make sure you have the following line in your ~/.xscreensaver:
alternativeAuth: True
now look at /etc/pam.d/xscreensaver. If you're on Ubuntu Breezy and you have already changed /etc/pam.d/common-auth you should be good to go. Otherwise check that the following line is at the top of the file:
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam
start the new xscreensaver
$ xscreensaver
There should be a splash screen with version 4.23.
Now try with:
$ xscreensaver-command -lock
If you have questions or problems with this procedure, ask: t43fingerprint (at) badcode.de .