How to enable the integrated fingerprint reader with ThinkFinger
How to enable the fingerprint reader has a good explanation for using the fingerprint reader with the closed-source binary driver. But there is also an opensource project called ThinkFinger which does the same, but open.
Installing from source
Speaking for Debian, there are no packages of ThinkFinger in the repositories yet (cf. bug #409563), so I describe the installation from source. If you're on Gentoo, you can find an ebuild at bug 162297.
Download thinkfinger-0.3.tar.gz from the homepage and unpack it somewhere, make sure you have the gcc compiler, libtool, pkgconfig, libusb-dev and libpam0g-dev installed, then:
$ cd thinkfinger-0.3
$ ./configure --with-securedir=/lib/security --with-birdir=/etc/pam_thinkfinger
$ make
# make install
$ ./configure --prefix=/usr --with-securedir=/lib/security --with-birdir=/etc/pam_thinkfinger
If everything went ok assert that you find pam_thinkfinger.so in /lib/security typing:
$ ls /lib/security
Testing the driver
Now the driver is installed and should be working. You can try it (as root) with
# tf-tool --acquire
and
# tf-tool --verify
This will ask you to swipe your finger three times, save the fingerprint to /tmp/test.bir and then verify your fingerprint with the bir-file.
Configuring PAM to use ThinkFinger
Now you can configure pam to use ThinkFinger:
Open /etc/pam.d/common-auth:
# nano -w /etc/pam.d/common-auth
Add this line before any pam_unix or pam_unix2 directives:
auth sufficient pam_thinkfinger.so
If your PAM uses the pam_unix and not the pam_unix2 module, you need to pass a specific argument in the /etc/pam.d/common-auth directive to make it consider the password entered at the pam_thinkfinger prompt.
auth required pam_unix.so try_first_pass
For instance my /etc/pam.d/common-auth looks like this:
auth sufficient pam_thinkfinger.so auth required pam_unix.so nullok_secure try_first_pass
Now we are ready to add users to thinkfinger. As make install did not create /etc/pam_thinkfinger, we need to create it now:
# mkdir /etc/pam_thinkfinger
And now we can add a fingerprint for a user with:
# tf-tool --add-user $USERNAME
Now the user should be able to login with his finger, instead of the password.
This Howto was copied from Installing Ubuntu 6.06 on a ThinkPad T43#Fingerprint_Reader and then slightly modified by me.