Talk:How to enable integrated fingerprint reader with BioAPI
Contents
- 1 Removing the GUI Prompt
- 2 chmod 777 -R /usr/local/var/bioapi/
- 3 Qt Compilation Success
- 4 using absolute paths for commands
- 5 BioAPI error #3
- 6 Permission errors exclusive to xscreensaver
- 7 Driver Expiring!!!
- 8 Updated xscreensaver patch
- 9 Fingerprint or password
- 10 KDE screensaver
- 11 fingerprint reader in action.
- 12 A little feedback...
- 13 pam_bioapi.so is not linked to libbioapi100.so
- 14 xscreensaver 4.23+fingerprint.patch causes xscreensaver-gl to crash kernel
- 15 gdm hangs on kde logout
- 16 'gksudo' Doesn't show biopam finger swipe prompt...
- 17 Multifinger
- 18 GNOME Screensaver support
- 19 No sources for bioapi 1.2.3
- 20 Strange issue on GDM login
- 21 Don't ask for finger scan when lid closed
- 22 Unable to initialize Bioapi framework, BioAPI error #:3
- 23 Security level
- 24 How good is it?
- 25 Patch for new versions of xdm
- 26 Using instructions with OpenSuSE 10.1
- 27 64-bit architecture/OSS release
- 28 Alternative ThinkFinger "Driver"
Removing the GUI Prompt
For all of you that have had the oppertunity to see the fingerprint image, I think we can all agree that this needs to be changed at ounce. A couple of ideas come to mind, first is to trick bioapi to think that X is not running, and secound is to figure out where the images are being pulled from and then edit them. The later would be nice, but I have been experimenting with strace for several hours and have came up with nothing. Any other ideas?
--Paul Strefling 18:42, 18 July 2006 (CEST)
chmod 777 -R /usr/local/var/bioapi/
Is the above necessary? I just made a debian package of xscreensaver with the patch applied, and when using the bioapi debian pacakge from Michael R. Crusoe's site which has this directory put in /usr/var/bioapi I had not to change the permissions to world-writeable there. Write access to the logfile and usb device are necessary, but that directory works with 755 as well (even though it comes with 777 in Michael's package), and all files and subdirectories are 644/755 too.
--spiney 00:08, 11 Nov 2005 (CET)
Qt Compilation Success
Here it worked with qt ;)
--
I didn't get it to work anyway, but I'm curious about your Qt version(s) as it seemed to want Qt 3 when I was playing with it.
--keegan 05:07, 24 Dec 2005 (CET)
using absolute paths for commands
I don't know whether using absolute paths in the articles is a good idea, at least not for tools like lsusb
which are not established utilities (i.e. used for more than a decade or something ;)) and happen to be in different locations in different distributions. E.g. said lsusb
resides in /usr/sbin on Debian systems.
--spiney 16:45, 12 Nov 2005 (CET)
I'm using debian testing and it's in /usr/bin. I agree that the confusion is bad; dropping the absolute paths and adding a general note about checking $PATH
in case of problems is probably good.
--keegan
BioAPI error #3
Its kind of strage it used to work with everythig (kdm,console,lock,etc) Now it only works with kdm. It allways gives back:
pam_bioapi[8113]: Unable to initialize Bioapi framework, BioAPI error #:3.
Even when I set the right permissions on /proc/bus/usb.
I am able to run the Sample program as normal user after setting the permissions, but when I change within a user session by su I amnot able to run the Sample program a also get an error Code #3.
From an other terminal (alt+strg+Fx) I am able to run the Sample program but at the login I still get the error #3.
I cant remember to have changed anything an d bevor I was able to login in a console with my fingerprint now only kdm is working even kde lock-session isnt working anymore.
Any suggestions ?
Permission errors exclusive to xscreensaver
I followed the instructions above and got everything working, including non-root programs like xscreensaver. However, the script to change usbfs permissions is finicky and fails to work with a lot of things like suspend/resume. Therefore, I switched to specifying devgid=108,devmode=0660,busgid=108,busmode=0770,listgid=108,listmode=0660 as mount parameters for usbfs, where group 108 is a group I created and added my normal user to. This seems like a much better way of doing things, and it almost works. However, xscreensaver (using the newer patch) gives the familiar Unable to load BioAPI BSP with UUID of {5550454b-2054-464d-2f45-535320425350}, BioAPI error #194d. error in /var/log/auth.log. I don't think this is a straightfoward permissions problem because
- the permissions in /proc/bus/usb are correct by inspection
- I can write to the device file as my normal user
- other programs like
test_verify-pam_bioapi
andpamtester
work as my normal user - the weirdest one: xscreensaver works when the
xscreensaver
daemon is launched from withinstrace
. It's still running as my normal user (strace
is not setuid root). I have absolutely no idea what would cause this. I thought it might be an environment issue, but the difference in environment between thestrace
session and my normal session is trivial.
At this point I'm hoping it's something dumb, but I'm out of ideas. The xscreensaver
error is pam_authenticate (...) ==> 7 (Authentication failure), for the record.
--keegan
I had the same problem and found that it was caused by the setuid permission on xscreensaver. After chmod'ing it to 755 and restarting xscreensaver, bioapi authentication worked.
--henning 09:22, 8 Aug 2006 (CET)
Could you provide all the log lines between pam_start and pam_end when running xscreensaver -verbose
?
BTW, the idea with using the mount options for usbfs is very good, maybe you should add that info to the article page? I use the permission changing script without problems, also after resume, but the usbfs version is probably easier to set up, most people will be able to find /etc/fstab.
--spiney 10:12, 23 Dec 2005 (CET)
xscreensaver: 20:56:01: alternative_pam: 1 -> pam service: xscreensaver-alternative xscreensaver: 20:56:01: pam_start ("xscreensaver-alternative", "keegan", ...) ==> 0 (Success) xscreensaver: 20:56:01: pam_set_item (p, PAM_TTY, ":0.0") ==> 0 (Success) xscreensaver: 20:56:01: PAM ECHO_OFF("Password: ") ==> password xscreensaver: 20:56:03: pam_authenticate (...) ==> 7 (Authentication failure) xscreensaver: 20:56:03: pam_end (...) ==> 0 (Success) xscreensaver: 20:56:03: prompting for password. xscreensaver: 20:56:03: 0: creating password dialog. xscreensaver: 20:56:03: 0: mouse is at 442,412. xscreensaver: 20:56:03: grabbing server... xscreensaver: 20:56:03: 0: ungrabbing mouse (was 0x48). xscreensaver: 20:56:03: 0: grabbing mouse on 0xe0002b... GrabSuccess. xscreensaver: 20:56:03: ungrabbing server. xscreensaver: 20:56:05: alternative_pam: 12582928 -> pam service: xscreensaver xscreensaver: 20:56:05: pam_start ("xscreensaver", "keegan", ...) ==> 0 (Success) xscreensaver: 20:56:05: pam_set_item (p, PAM_TTY, ":0.0") ==> 0 (Success) xscreensaver: 20:56:05: PAM ECHO_OFF("Password: ") ==> password xscreensaver: 20:56:05: pam_authenticate (...) ==> 0 (Success) xscreensaver: 20:56:05: pam_acct_mgmt (...) ==> 9 (Authentication service cannot retrieve authentication info.) xscreensaver: 20:56:05: pam_setcred (...) ==> 0 (Success) xscreensaver: 20:56:05: pam_end (...) ==> 0 (Success) xscreensaver: 20:56:05: password correct.
So we've got the first attempt with pam_bioapi
, which fails immediately (no sign of the GUI fingerprint prompt, nor a "silent" chance to swipe the finger as with xdm), then the fallback to pam_unix
which succeeds. Earlier I had xscreensaver set up to only try pam_bioapi
, with essentially the same result -- it gives up on pam entirely and does unix auth itself.
I'd really like to strace the pam module and see what it's attempting to do to /proc/bus/usb, but as that actually fixes the problem I'm kinda at a loss. Maybe there's some kernel option to print debugging info for usbfs? I'd be all for changing the article to suggest using mount options in /etc/fstab, if it weren't for this one weird bug. Has anyone else had the same problem?
-- keegan
Same here, I had the whole setup workin flawlessly (I really need to get that 'never-touch-a-running-system' mantra burnt into the back of my hands), but after a fresh install of the same distro (Ubuntu) and following the same procedure to get things working i get exactly this behaviour. Login works (now even with multifinger, although there are other issues with that), I can use test_verify-pam_bioapi as a user. and the stock xscreensaver works, albeit only after entering a bogus password first. The patched xscreensaver works when run within a strace (Now that sucks) but fails otherwise. And as i said before, I had this working...
open("/dev/bus/usb", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 13 fstat64(13, {st_mode=S_IFDIR|0755, st_size=140, ...}) = 0 fcntl64(13, F_SETFD, FD_CLOEXEC) = 0 getdents64(13, /* 7 entries */, 4096) = 168 getdents64(13, /* 0 entries */, 4096) = 0 close(13) = 0 open("/dev/bus/usb/003", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 13 fstat64(13, {st_mode=S_IFDIR|0755, st_size=80, ...}) = 0 fcntl64(13, F_SETFD, FD_CLOEXEC) = 0 getdents64(13, /* 4 entries */, 4096) = 96 open("/dev/bus/usb/003/002", O_RDWR) = -1 EACCES (Permission denied) open("/dev/bus/usb/003/002", O_RDONLY) = 14 ioctl(14, USBDEVFS_CONNECTINFO, 0xafd5bd34) = -1 EPERM (Operation not permitted) read(14, "\22\1\0\1\0\0\0\10\203\4\26 \1\0\1\2\0\1", 18) = 18 read(14, "\t\2\'\0\1\1\0\240", 8) = 8 read(14, "2\t\4\0\0\3\377\0\0\0\7\5\201\2@\0\0\7\5\2\2@\0\0\7\5\203"..., 31) = 31 close(14) = 0
Here is all the excitement from the strace on xscreensaver. As I originally thought, you cannot get away with just playing with the proc entries :P You also need to deal with the counterpart in /dev. We can wrap up all the permissions issues with a single UDEV rule:
# fingerprint fun BUS=="usb", DRIVER=="usb", SYSFS{product}=="Biometric Coprocessor", GROUP="bioapi", SYMLINK="misc/fingerprint", RUN+="/bin/sh -c 'chgrp bioapi /proc/$RESULT; chmod g+rw /proc/$RESULT'"
I created a 'bioapi' group and configured pam to add groups to anyone logging in locally. Now all you need to do is amend the pam configuraion files below. We use 'wdm', but of course its as applicable for all those resource hungry touchy-feely gdm/kdm folk out there too ;)
/etc/security/group.conf
# local group settings login; tty*; *; al0000-2400; audio,floppy,video,cdrom,nvram,plugdev,bioapi wdm; :*; *; al0000-2400; audio,floppy,video,cdrom,nvram,plugdev,bioapi
/etc/pam.d/login
[snipped] # group *has* to go here auth optional pam_group.so # fingerprint action auth sufficient /usr/local/lib/security/pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam/ # Standard Un*x authentication. @include common-auth # This allows certain extra groups to be granted to a user # based on things like time of day, tty, service, and user. # Please edit /etc/security/group.conf to fit your needs # (Replaces the `CONSOLE_GROUPS' option in login.defs) #auth optional pam_group.so [snipped]
/etc/pam.d/wdm
#%PAM-1.0 auth required pam_nologin.so auth required pam_env.so # local tweak auth optional pam_group.so # fingerprint action auth sufficient /usr/local/lib/security/pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam/ @include common-auth @include common-account @include common-session
N.B. as with all pam related things, the order is important
-- Jim diGriz
Driver Expiring!!!
Don't anyone notice that both betas of the UPEK driver is expiring in about a month in the new year, Jan 1st 2006? They really mean it! I set my computer date to next year and get a message "the driver has expired" when using fingerprint reader! This is a grave threat to our computer lifestyle, i.e. for those of us who got it working and use it daily:) Is there any workaround other than setting the date back a year when new year come and wait for new driver? Is there a way to figure out where exactly in the driver it checked the date and how? The must have set it somewhere in file libtfmessbsp.so, but it is binary and I can't figure out how to Reverse Engineer it.
---Jiang
Yes, the beta driver will expire. The final version (which is due REALLY soon now) will not.
Sumedha
Any news? Just 9 days left to expiry. --Thinker 21:36, 22 Dec 2005 (CET)
The final is out, get it at UPEK's download page. And how does one edit the industry watch section of the main page?
--spiney 21:39, 22 Dec 2005 (CET)
Ah, great! Both the article page and the driver page it points to are out of date... For the news, just follow the "News" link in the main page.
--Thinker 21:44, 22 Dec 2005 (CET)
As this is now very soon I've updated the article page to link to the final driver, which is better in a few ways anyway. This is unless anyone minds (are there any unresolved issues with the final that don't exist in the betas?).
--keegan 05:06, 24 Dec 2005 (CET)
Updated xscreensaver patch
I've tried to address some usability issues with the old patch, e.g. that it calls the PAM bioapi module twice before falling back to the normal authentication methods. It can be found on my Fingerprint Reader page, feedback is very welcome.
--spiney 20:36, 22 Dec 2005 (CET)
Fingerprint or password
Is there any way to have PAM accept either a password or a finger swipe, right away? Sometimes one is more convenient, sometimes the other, so and it's a lot of trouble to wait for the UPEK scanner prompt and then cancel it in order to reach the password entry.
--Thinker 19:27, 24 Dec 2005 (CET)
KDE screensaver
If you get the following in /var/log/secure when you try to unlock the KDE screensaver, it means you forgot to set the USB device permissions.
localhost pam_bioapi[24981]: Unable to load BioAPI BSP with UUID of {5550454b-2054-464d-2f45-535320425350}, BioAPI error #194d.
--Thinker 21:21, 24 Dec 2005 (CET)
fingerprint reader in action.
small video with fingerprint reader in action with login: http://chao.ch/tmp/mov01302.mpg
--62.202.35.30 17:57, 29 Dec 2005 (CET)
A little feedback...
...for all the editors of this article:
"How to enable the fingerprint reader over at ThinkWiki.org is some real exhaustive documentation for getting the fingerprint scanner working on the ThinkPads. There is also a troubleshooting section towards the end that might be very useful to anyone messing around with it.
Thanks to those responsible for taking the time to write up this excellent guide."
Those thanks come from LinuxBiometrics.com
Wyrfel 01:24, 9 Jan 2006 (CET)
pam_bioapi.so is not linked to libbioapi100.so
I downloaded the pam_bioapi package and patched the file by following the wiki. However, I got the following result:
~/soft/thinkpad/pam_bioapi-0.2.1/libpam_bioapi/.libs$ ls -la total 48 drwxr-xr-x 2 louis users 248 2006-01-12 01:18 ./ drwxr-xr-x 4 louis users 312 2006-01-12 01:18 ../ lrwxrwxrwx 1 louis users 16 2006-01-12 01:18 pam_bioapi.la -> ../pam_bioapi.la -rw-r--r-- 1 louis users 824 2006-01-12 01:18 pam_bioapi.lai -rw-r--r-- 1 louis users 19716 2006-01-12 01:18 pam_bioapi.o lrwxrwxrwx 1 louis users 19 2006-01-12 01:18 pam_bioapi.so -> pam_bioapi.so.0.0.0* lrwxrwxrwx 1 louis users 19 2006-01-12 01:18 pam_bioapi.so.0 -> pam_bioapi.so.0.0.0* -rwxr-xr-x 1 louis users 21789 2006-01-12 01:18 pam_bioapi.so.0.0.0* ~/soft/thinkpad/pam_bioapi-0.2.1/libpam_bioapi/.libs$ ldd pam_bioapi.so linux-gate.so.1 => (0xffffe000) libc.so.6 => /lib/tls/libc.so.6 (0x40025000) /lib/ld-linux.so.2 (0x80000000) ~/soft/thinkpad/pam_bioapi-0.2.1/libpam_bioapi/.libs$
pam_bioapi.so is NOT linked to libbioapi100.so. The latter is in the ld path:
~/soft/thinkpad/pam_bioapi-0.2.1/libpam_bioapi/.libs$ ldconfig -p |grep bioapi libtfmessbsp.so (libc6) => /opt/bioapi/lib/libtfmessbsp.so libpwbsp.so.0 (libc6) => /opt/bioapi/lib/libpwbsp.so.0 libpwbsp.so (libc6) => /opt/bioapi/lib/libpwbsp.so libmds_util.so.0 (libc6) => /opt/bioapi/lib/libmds_util.so.0 libmds_util.so (libc6) => /opt/bioapi/lib/libmds_util.so libbioapi100.so.0 (libc6) => /opt/bioapi/lib/libbioapi100.so.0 libbioapi100.so (libc6) => /opt/bioapi/lib/libbioapi100.so libbioapi_mds300.so.0 (libc6) => /opt/bioapi/lib/libbioapi_mds300.so.0 libbioapi_mds300.so (libc6) => /opt/bioapi/lib/libbioapi_mds300.so libbioapi_dummy100.so.0 (libc6) => /opt/bioapi/lib/libbioapi_dummy100.so.0 libbioapi_dummy100.so (libc6) => /opt/bioapi/lib/libbioapi_dummy100.so
and the Sample program also works allowing me to enroll and test a fingerprint.
My system is SuSE 10 with the kernel of 2.6.13-15. Any ideas?
Thanks.
--Tyne 09:51, 12 Jan 2006 (CET)
xscreensaver 4.23+fingerprint.patch causes xscreensaver-gl to crash kernel
I've gotten bioapi and 'Sample' to allow me to enroll my fingerprint, and I've also experienced the 'two logon' issue.
I compiled xscreensaver 4.23 (though it seemed that apt came with 4.24) and applied the patch. My goal was to have the fingerprint prompt come up and to see the "bad image" of the fingerprint scan.
The first time I did this, xscreensaver-gl took a dump and was causing kernel crashes. So I went and got the newest xscreensaver source and patches, and applied the bioapi patch to those. It worked (meaning it didnt crash the kernel anymore ;b )
It would seem that there is a /etc/pam.d/xscreensaver, so I commented everything out of that except the bioapi line.
Locking xscreensaver, then attempting to unlock didnt show me any fingerprint requirements, and my password didnt work.
I'm wondering if theres something that was left out of the xscreensaver howto? or if theres anyone out there who's gotten the xscreensaver portion of this to work, who would be willing to help me out :)
--Viss 11:15am, 5 Feb 2006 (PST)
gdm hangs on kde logout
Hi.
I am using a Thinkpad t43, installed with gentoo. I run gdm as the login manager, with kde 3.4 and enlightenment dr16 as the window manager.
I followed the steps in the wiki, and the biometric scanner is now working fine, appart from the fact that when I close/end the session I just get a blank screen, in place of the gdm login screen.
Disabling the biometrics (by setting the pam.d file back to their originals), the session ends fine. I do this for a few times, and then set the biometrics back again, and it work fine for a few logouts, and then back to the blank screen again.
I can do ctrl+shift+f1 to get to a console window and from there I can issue a shutdown. Although this works ok, it is a bit of a pain.
Any ideas ?
'gksudo' Doesn't show biopam finger swipe prompt...
Hey all,
First off... this is an excellent how-to! I have no real interest in using fingerprint scanner with xscreensaver, but it was up and working with everything else on my system pretty much effortlessly.
I'm running Ubuntu Breezy Badger 5.10 on an IBM T43p (2678) and have run into two oddities: 1) /etc/pam.d/xscreensaver - as it is initially configured, if you have an xscreensaver session set to require password (or xlock with screensaver) then you get prompted for the normal text-password entry and then will be prompted to swipe your finger... This is easily fixed by commenting out the '@include common-auth' line in /etc/pam.d/xscreensaver and adding the line 'auth required pam_unix.so nullok_secure'. After that change it only prompts for the text-password entry challenge.
2) gksudo - This is more of a pain... I can use the fingerprint scanner with gksudo, but gksudo doesn't prompt with the (ugly-but-functional) finger swipe dialog the way that gdm does during login or xscreensaver does when configured as mentioned above (pre-fix). So, if I start a Gnome app launcher that is prepended with gksudo, nothing appears to happen until I swipe my finger and then the app gets launched. That's cool and all, but there are times (esp. when multi-tasking) when I forget to swipe and then go "what happened to xxxxx? oh yeah..."
Anyway... does anyone have an idea of what I can do to get the dialog to appear?
thanx
--JELaVallee 05:56, 20 February 2006 (CET)
The gksudo problem is a restriction from the X server. It doesn't allow to grab the display for other users than the logged-in one. And the pam_bioapi is invoked as root.
--Whoopie 13:10, 20 February 2006 (CET)
That makes sense... so, now I have to wonder, is there a patchable work-around like the xscreensaver one that could allow for this to work? Where should I research such? gksu's project or is this more an issue at the X11-level?
--JELaVallee 19:38, 27 February 2006 (CET)
I got it working. Grab out the newer pam-bioapi from CVS (http://savannah.nongnu.org/cvs/?group=pam-bioapi). This version supports "multi-finger" when using the sqlite3 database. And it supports defining the used display. Change your line in your /etc/pam.d/ files like this:
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/bioshadow.db :0
--Whoopie 14:27, 1 March 2006 (CET)
Very cool... Did you run into any issues rebuilding/installing this? I'll give it a shot this evening... THANKS!
--JELaVallee 21:07, 1 March 2006 (CET)
Invoke 'xhost +local:' should be able to let gksudo work. Or just blindly sweap the finger. ;)
--YChao 21:25, 7 March 2006 (CET)
Where do I have to put 'xhost +local:'?
Multifinger
Wow, theres a new version of pam_bioapi which supports multifinger enrollment and user identification. I'll break my system with that this evening :)
Yes, but I'm searching the patch for xdm. The download page from Josef Hajas (http://nax.hn.org/pub/bioapi/) is down. Does anybody have it?
Update: The patch can be found here: http://www.qrivy.net/~michael/blua/xdm_bio.patch
--Whoopie 17:43, 1 March 2006 (CET)
Tried the newest pam-bioapi from CVS (http://savannah.nongnu.org/cvs/?group=pam-bioapi) on FC3. Failed on enrolling fingerprints: (/var/log/secure)
Mar 9 15:30:40 localhost pam_bioapi[32407]: Can't open database: library routine called out of
sequence
Could anyone help?
--Ychao 00:38, 10 March 2006 (CET)
I don't know how to solve it. It seems to be a problem with sqlite3. Which version do you use? Under Ubuntu Breezy, it's 3.2.1.
--Whoopie 12:27, 10 March 2006 (CET)
Did anybody tried multifinger with BioAPI? I am interested in multifinger at all, not only PAM.
Updated:
succesfully installed pam_bioapi with multifinger support, some info:
use: auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/bioshadow.db :0
in pam.d, the bioshadow column is path to bioapi sqlite database.
if authentication doesn't work, edit /etc/syslog.conf and write line *.alert /var/log/syslog, so you see pam_bioapi messages in /var/log/syslog
most common error is missing biodata table, newest pam_bioapi version should create it automatically, but if it doesn't, go to /etc/bioapi/pam/ and run command sqlite3 bioshadow.db
, then insert this:
CREATE TABLE biodata (id INTEGER PRIMARY KEY,uid INTEGER,uuid TEXT,header BLOB,data BLOB,signature BLOB,type INTEGER,other BLOB);
you must then enroll at least one fingerprint to the database, do it using test_enroll-pam_bioapi from pam_bioapi distribution. note that you must have root user enrolled in order to use su
command.
--MeBa 16:58, 22 March 2006 (CET)
GNOME Screensaver support
Did anybody try to port the xscreensaver patch to gnome-screensaver? Since Ubuntu Dapper will be shiped with it, it would be nice to have it working then with the fingerprint reader.
Update: Initial support can be found in gnome-screensaver CVS. See bugreport.
--Whoopie 12:36, 16 March 2006 (CET)
I'm just working on changes in pam_bioapi which makes gui callbacks from gnome-screensaver possible. But first I have to debug BioAPI error #194d after hibernation because gnome-screensaver is one of the applications returning this error.
--nax 23:59, 9 July 2006 (CEST)
No sources for bioapi 1.2.3
There doesn't seem to be any sources available for the recommended Debian package bioapi-1.2.3. That's rather distressing since this is security-related software. A google search doesn't seem to be turning up anything, either. Anybody have a lead on where to find sources?
--TedTso 7:47, 29 Apri 2006 (EDT)
Strange issue on GDM login
I successfully have the fingerprint reader running. Everything is working nicely, except when I try to login with GDM for the first time. The login seems to work fine (the PAM_BIOAPI seems to return true) but GDM hangs then. This issue does not occur when I already logged in using password and logged out again or if I kill GDM when it hangs after the first attempt. Anyone an idea on this?
--dotxp 22:54, 2 May 2006 (CEST)
Don't ask for finger scan when lid closed
When using an external CRT+keyboard+mouse with the LD lid closed, it's quiet annoying to have to reach over and open the lid in order to do a finger scan. Any idea how to make PAM use the fingerprint reader when the lid is open, but skip it when the lid is closed?
--Thinker 13:30, 7 May 2006 (CEST)
I edited my /etc/gdm/Init/Default script in a way, that it changes /etc/pam.d/common-auth depending on the lid state: When the lid is closed, the file is replaced by a version without the lines for the finterprint reader, and of course the opposite action when the lid is open.
--Aerials 15:52, 9 July 2006 (CEST)
Unable to initialize Bioapi framework, BioAPI error #:3
I see some other discussion on this page about the dreaded "Unable to initialize Bioapi framework, BioAPI error #:3" error, but the only solution i can see seems really complicated -- adding users to groups when they log in, etc. Is that really the simplest way to make xscreensaver work? I'm the only user of my laptop -- the only account who will ever log in, the only fingerprint in the database, the only person who will ever run xscreensaver. Is there some quick easy way to make xscreensaver unlock when i swipe my finger?
-- Mike Schiraldi 19:52, 16 May 2006 (CEST)
Security level
UPEK PerfectMatch Algorithm According to this link, highest security level is 0 which is opposite to 5 mentioned in the article. What is correct?
Update: Well,TFMESS_BSP_LIN.pdf, i downloaded somewhere stated 5 as highest security level. So, ?
How good is it?
How strong is the security that results? Is it actually as good as, say, a 10-character password, or is it the sort of thing you can fool with some gelatin and a used glass? My inclination is not to trust it - but perhaps someone more knowledgeable would care to comment? -- RichardNeill 16:58, 25 July 2006 (CEST)
Patch for new versions of xdm
I was having some trouble getting the xdm patch to work using the version of xdm in Debian unstable (1.0.5). Turns out that xdm now checks for blank username and doesn't even bother to call pam. Here's an updated version of the patch that works for me: [1]
Virtualphtn 02:40, 16 September 2006 (CEST)
Using instructions with OpenSuSE 10.1
Now, as OpenSuSE has the problem with the gcc4 I followed the (by the way not very detailed) instructions about patching it. I've done the first patch before installing the BioApi($ wget http://upir.cz/linux/patches/bioapi-1.2.2-gcc4.patch $ patch -p1 < bioapi-1.2.2-gcc4.patch) but it didn't work(dal_classes.h:460: error: extra qualification 'DAL_DATABASE_INFO_LIST::' on member 'GetDBNamesAndParameters') Can somebody help me? --SQLMosquito 19:53, 29 September 2006 (CEST)
I've been having the same problem for quite a while. Though when using the script found here http://www.cryptosecurity.net/Suse_T60_DRAFT.htm (based on the thinkwikiscript) things worked just fine. Don't ask me why, I really tried everything I know to be able to build it by myself. Anyway, it works good now. --Stooofer 00:12, 8 January 2007 (CET)
64-bit architecture/OSS release
Hi,
To all ThinkWiki contributors: Thanks for all the help so far! I've made a lot of progress, but I have a show-stopper for the fingerprint reader. I'm not using x86 architecture! I am using the (new) Thinkpad X60, which just got upgraded to the Core 2 Duo with EM64T support a couple of weeks ago (along with a ton of other upgrades to the product, without changing its name...........!) So consequently I have Fedora Core 6 x86_64 installed. Works great, in general - standby, trackpoint, special buttons, nvram, and wifi supported (although not all out of the box; the ipw3945 driver had to be downloaded from atrpms.)
The distributed shared library provided by the vendor doesn't link against any 64-bit programs, because it's a 32-bit library. Of course, my desktop manager, PAM, etc. are all 64-bit. Without "downgrading" to a 32-bit distro, is there any way to either hack around this, or to bring up Pavel Machek's open-source enrollment program (thinkfinger) up to the vendor's driver's level of integration with BioAPI? Sounds like some development work, but I'm willing to help any way I can!
There should be a way to get this moving - either using a wrapper a la nspluginwrapper to enable an interface to the 32-bit driver on another architecture, or building upwards from Pavel's small test program.
Thanks!
Sean
Alternative ThinkFinger "Driver"
The thinkfinger Project http://thinkfinger.sf.net is a GPL library with a own pam module.
It works... It works with all pam application. (dont try to display a own gui window). It works without the bioapi. wow! this is so easy to set up and just works!