How to enable the integrated fingerprint reader with ThinkFinger

From ThinkWiki
Revision as of 21:20, 28 August 2007 by Tony2001 (Talk | contribs)
Jump to: navigation, search

How to enable the fingerprint reader has a good explanation for using the fingerprint reader with the closed-source binary driver. But there is also an opensource project called ThinkFinger which does the same, but open.

Installing from source

Speaking for Debian, there are no packages of ThinkFinger in the repositories yet (cf. bug #409563), so I describe the installation from source. If you are using Gentoo, you can just emerge sys-auth/thinkfinger.

NOTE!
packages for Debian (testing) are available here: [1]
NOTE!
packages for Fedora Core 6 are available in "extras" repository (#yum install thinkfinger)
NOTE!
openSUSE 10.2 includes the package "libthinkfinger" (version 0.1-7) - you will find newer packages here: [2]


Download thinkfinger-0.3.tar.gz from the homepage and unpack it somewhere, make sure you have the gcc compiler, libtool, pkgconfig, libusb-dev and libpam0g-dev installed, then:

$ cd thinkfinger-0.3

$ ./configure --with-securedir=/lib/security --with-birdir=/etc/pam_thinkfinger

$ make

# make install

NOTE!
/lib/security is the dir, where pam assumes its modules on Debian and openSUSE, it may vary for your distro!
NOTE!
for openSUSE use this configure-command:

$ ./configure --prefix=/usr --with-securedir=/lib/security --with-birdir=/etc/pam_thinkfinger


If everything went ok assert that you find pam_thinkfinger.so in /lib/security typing:

$ ls /lib/security

Testing the driver

Now the driver is installed and should be working. You can try it (as root) with

# tf-tool --acquire

and

# tf-tool --verify

This will ask you to swipe your finger three times, save the fingerprint to /tmp/test.bir and then verify your fingerprint with the bir-file.

Configuring PAM to use ThinkFinger

Now you can configure pam to use ThinkFinger:

Open /etc/pam.d/common-auth:

NOTE!
In FC6 this file is "/etc/pam.d/system-auth"

# nano -w /etc/pam.d/common-auth

Add this line before any pam_unix or pam_unix2 directives:

auth     sufficient     pam_thinkfinger.so

If your PAM uses the pam_unix and not the pam_unix2 module, you need to pass a specific argument in the /etc/pam.d/common-auth directive to make it consider the password entered at the pam_thinkfinger prompt.

auth     required     pam_unix.so try_first_pass

For instance my /etc/pam.d/common-auth looks like this:

auth    sufficient      pam_thinkfinger.so
auth    required        pam_unix.so nullok_secure try_first_pass

On openSUSE 10.2 it looks like this now:

auth    required        pam_env.so
auth    sufficient      pam_thinkfinger.so
auth    required        pam_unix2.so

Now we are ready to add users to thinkfinger. As make install did not create /etc/pam_thinkfinger, we need to create it now:

# mkdir /etc/pam_thinkfinger

And now we can add a fingerprint for a user with:

# tf-tool --add-user $USERNAME

Now the user should be able to login with his finger, instead of the password.

NOTE!
You should see the "Password or swipe finger:" prompt when trying to sudo or su. If you don't, you probably do not have the "User level driver support" compiled into your kernel or the "uinput" module loaded!
NOTE!
If you would like to use thinkfinger for su, you have to enroll fingerprint for root user! (tf-tool --add-user root)
NOTE!
gksu/gksudo seems to break. However, it just stays invisible. When starting a su privileged application such as synaptics you will not get prompted for the password. Nevertheless you can swipe your finger and it should authenticate you. Starting synaptics twice makes gksudo visible.
NOTE!
Using gksu/gksudo in ubuntu Feist Fawn (7.04) with thinkfinger enabled, crashed gksu/gksudo everytime I tried to authenticate. Changing the string "Password or swipe finger:" to a plain "Password:" (like sudo normally would do) in the file pam/pam_thinkfinger.c of the thinkfinger source directory, fixed this behavior ( I'm using thinkfinger 0.3 ). Of course in the Console you will then only see a "Password:" instead of "Password or swipe finger:" but this is still more usefull than having gksu/gksudo crashing everytime :).

Integration in KDE and kdm seems not to be easily possible now. There is a filed bug at kde.org where you can vote for this: [3].

Moreover, kdm in openSUSE 10.3 crashes for me when pam_thinkfinger enabled. I was able to "workaround" this by downgrading thinkfinger to 0.22 instead of 0.3 (the latest at the moment). So atm kdm does not crash anymore, but pam_thinkfinger is only used in shell.

This Howto was copied from Installing Ubuntu 6.06 on a ThinkPad T43#Fingerprint_Reader and then slightly modified by me.