|
|
Line 22: |
Line 22: |
| | | |
| ==The script== | | ==The script== |
− | | + | {{CodeRef|enable-fingerprint-reader}} |
− | <pre>
| |
− | #!/bin/bash
| |
− | # Install UPEK fingerprint reader driver and associated software on Linux systems.
| |
− | # Source: http://thinkwiki.org/wiki/Script_for_enabling_the_fingerprint_reader
| |
− | | |
− | set -e -E -x -u # verbose, abort if anything fails
| |
− | | |
− | WHERE=/opt/bioapi
| |
− | PASSWD_ENROLLS=0 # should "passwd" do fingerprint enrollment (always)?
| |
− | | |
− | ########################################
| |
− | # Install (patched) bioapi:
| |
− | | |
− | mkdir -p $WHERE
| |
− | wget -N http://www.qrivy.net/~michael/blua/bioapi/bioapi-latest.tar.bz2
| |
− | wget -N -O bioapi-c++.patch 'http://cvs.pld-linux.org/cgi-bin/cvsweb/SOURCES/bioapi-c++.patch?rev=1.3'
| |
− | sha1sum --check <<EOF
| |
− | 932425e847449e9612c6894dcbaf44630aecfc13 bioapi-latest.tar.bz2
| |
− | a838e9ab9bcad9c146856d41135460e7ac29a4ec bioapi-c++.patch
| |
− | EOF
| |
− | tar xjf bioapi-latest.tar.bz2
| |
− | pushd bioapi-1.2.2
| |
− | patch -i ../bioapi-c++.patch -p1
| |
− | ./configure --with-Qt-dir=no --prefix=$WHERE
| |
− | make
| |
− | make install
| |
− | install -m644 include/bioapi_util.h $WHERE/include/bioapi_util.h
| |
− | install -m644 include/installdefs.h $WHERE/include/installdefs.h
| |
− | install -m644 imports/cdsa/v2_0/inc/cssmtype.h $WHERE/include/cssmtype.h
| |
− | chmod o-w $WHERE/var/bioapi
| |
− | popd
| |
− | | |
− | ########################################
| |
− | # Tell ldconfig about bioapi libraries:
| |
− | | |
− | [ -d /etc/ld.so.conf.d ] || { echo "Unsupported distribution: no /etc/ld.so.conf.d directory."; exit 1; }
| |
− | echo $WHERE/lib > /etc/ld.so.conf.d/bioapi.conf
| |
− | ldconfig
| |
− | ldconfig -p | grep -q bioapi || { echo "ldconfig doesn't see bioapi"; exit 1; }
| |
− | | |
− | ########################################
| |
− | # Install UPEK driver:
| |
− | | |
− | wget -N http://www.upek.com/support/download/TFMESS_BSP_LIN_1.0.zip
| |
− | sha1sum --check <<EOF
| |
− | c73466b5c3b26415b300d5c5ffb76deaefadeb32 TFMESS_BSP_LIN_1.0.zip
| |
− | EOF
| |
− | mkdir -p driver
| |
− | pushd driver
| |
− | unzip ../TFMESS_BSP_LIN_1.0.zip
| |
− | PATH="$PATH:$WHERE/bin" sh install.sh $WHERE/lib/
| |
− | cd NonGUI_Sample
| |
− | perl -i -pe 'print "#include <stdlib.h>\n//DISABLED: " if m!^#include "port/bioapi_port.h"$!' main.c
| |
− | gcc -o Sample main.c -I$WHERE/include -L$WHERE/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN
| |
− | install Sample -m755 $WHERE/bin/upek-NonGUI_Sample
| |
− | popd
| |
− | | |
− | SERIAL=`$WHERE/bin/BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}"`
| |
− | | |
− | ########################################
| |
− | # Install (patched) pam_bioapi:
| |
− | | |
− | wget -N http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2
| |
− | wget -N http://badcode.de/downloads/fingerprint.patch
| |
− | sha1sum --check <<EOF
| |
− | a0bdf3436e55f7dc8b4795243f08a4c9b399dec8 pam_bioapi-latest.tar.bz2
| |
− | 619254a5bcd3acb8bf1d72b15ea69bfe00f0f064 fingerprint.patch
| |
− | EOF
| |
− | tar xjvf pam_bioapi-latest.tar.bz2
| |
− | pushd pam_bioapi-0.2.1
| |
− | patch -p0 < ../fingerprint.patch
| |
− | CPPFLAGS="-I$WHERE/include" LDFLAGS="-L$WHERE/lib" ./configure --prefix=$WHERE
| |
− | make
| |
− | make install
| |
− | ln -vfs $WHERE/lib/security/pam_bioapi.so* /lib/security/
| |
− | popd
| |
− | | |
− | ########################################
| |
− | # Install pamtester:
| |
− | | |
− | wget http://mesh.dl.sourceforge.net/sourceforge/pamtester/pamtester-0.1.2.tar.gz
| |
− | sha1sum --check <<EOF
| |
− | 33bcc610d7f208b50a0a23c144bdbd1e2cae4ac6 pamtester-0.1.2.tar.gz
| |
− | EOF
| |
− | tar xzvf pamtester-0.1.2.tar.gz
| |
− | pushd pamtester-0.1.2
| |
− | ./configure --prefix=$WHERE
| |
− | make
| |
− | make install
| |
− | popd
| |
− | | |
− | ########################################
| |
− | # Configure pam to use pam_bioapi:
| |
− | | |
− | grep -Eq 'Fedora Core release [45]|Red Hat Enterprise Linux AS release 4' \
| |
− | /etc/redhat-release || { echo \
| |
− | "I don't know how to configure PAM on this distribution.
| |
− | See: http://thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Configuring_pam";
| |
− | exit 1; }
| |
− | | |
− | PAMFILE=/etc/pam.d/system-auth
| |
− | if ! grep -q 'pam_bioapi\.so' $PAMFILE; then
| |
− | perl -i -pe '
| |
− | if (!$a && m/^auth.*pam_unix\.so/) {$a=1; print
| |
− | "auth sufficient pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
| |
− | ' $PAMFILE
| |
− | if [ $PASSWD_ENROLLS == 1 ]; then
| |
− | perl -i -pe '
| |
− | if (!$p && m/^password/) {$p=1; print
| |
− | "password required pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
| |
− | ' $PAMFILE
| |
− | fi
| |
− | fi
| |
− | | |
− | ########################################
| |
− | # USB permissions (set now and add to startup):
| |
− | | |
− | RC_FILE=/etc/rc.local
| |
− | SET_PERMS=$WHERE/bin/set_fingerprint_perms
| |
− | | |
− | cat > $SET_PERMS <<'EOF'
| |
− | #!/bin/bash
| |
− | # Make fingerprint reader USB device world-writable:
| |
− | chmod -R a+X /proc/bus/usb
| |
− | chmod 666 /proc/bus/usb/`/sbin/lsusb | sed -ne "/0483:2016/s/Bus\ \(.*\)\ Device\ \(.*\):\ .*/\1\/\2/p"`
| |
− | EOF
| |
− | chmod 755 $SET_PERMS
| |
− | | |
− | $SET_PERMS
| |
− | | |
− | [ -e $RC_FILE ] || { echo "No $RC_FILE, can't handle this distribution."; exit 1; }
| |
− | if ! grep -q 0483:2016 $SET_PERMS; then
| |
− | echo $SET_PERMS >> $RC_FILE
| |
− | fi
| |
− | | |
− | ########################################
| |
− | # Enroll:
| |
− | | |
− | mkdir -p /etc/bioapi/pam/$SERIAL
| |
− | pushd /etc/bioapi/pam/$SERIAL
| |
− | read -p "Now enroll your Unix accounts, including root (press Enter to start, then 'e' to enroll)."
| |
− | $WHERE/bin/upek-NonGUI_Sample
| |
− | popd
| |
− | | |
− | ########################################
| |
− | # Done:
| |
− | | |
− | set +x
| |
− | cat<<EOF
| |
− | | |
− | Success.
| |
− | * To test the fingerprint-enabled PAM login, run this as root:
| |
− | $WHERE/bin/pamtester -v login USERNAME authenticate
| |
− | * Add the following command to your resume-from-suspend script:
| |
− | $SET_PERMS
| |
− | | |
− | EOF
| |
− | </pre>
| |
| | | |
| ==Ideas for improvement== | | ==Ideas for improvement== |
Using the integrated fingerprint reader under Linux is currently a fairly complicated process. The following script automates the installation of the fingerprint software for some Linux distributions. It covers most components (bioapi framework, driver, pam_bioapi, PAM setup, USB device permissions, pamtester and enrolling), and handles all the downloading, patching and installation.
Usage: just copy into a file and run as root.
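After installation, all PAM-enabled system functions will use the fingerprint reader (and if it fails, default to the usual password entry). The script adds pam_bioapi as a "sufficient" auth module ahead of pam_unix, so a successful fingerprint match on its own authenticates the user, without a password. The affected functions include: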
- KDE's KDM login (enter an empty password, then swipe finger)
- KDE's screensaver (enter an empty password, then swipe finger)
- Gnome's GDM login
- su
- sudo
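Everything is installed into /opt/bioapi, so it doesn't pollute your filesystem. The only effects outside /opt/bioapi are one-line changes to the ldconfig configuration, PAM configuration and /etc/rc.local, and a few symlinks in /lib/security. The script also stores enrollment data under /etc/bioapi/pam and, through set_fingerprint_perms, makes the fingerprint reader's USB device node world-writable (mode 666).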
For details, manual installation and hints for other distributions, see How to enable the fingerprint reader.
Distributions supported by this script
If you add support for additional distributions, please update this script (using conditionals where necessary) instead of branching it.
The script
enable-fingerprint-reader (download)
Ideas for improvement
- Support more distributions
- Minimize changes to /etc/pam.d/system-auth by creating a separate file (e.g., /etc/pam.d/bioapi-auth) and @include-ing it.
- Do something about /etc/pam.d/sshd - it invokes /etc/pam.d/system-auth by stacking, so remote SSH logins now invoke the fingerprint reader... See related discussion in How_to_enable_the_fingerprint_reader.
- Install and configure a patched xscreensaver (as explained in How_to_enable_the_fingerprint_reader).
- Add "OnResume 10 /opt/bioapi/bin/set_fingerprint_perms" to suspend2's /etc/hibernate/hibernate.conf?