How to enable integrated fingerprint reader with BioAPI
Disclaimer: This is how I got the fingerprint reader on my T43 to work. It can _NOT_ yet be used to log me into the system. Working on that.
This is on Ubuntu Breezy.
Contents
Basic driver installation
Getting required libs and tools
Installing the bioapi source
- Get the bioapi source:
- I could not compile bioapi with the graphical Qt tools. To do it manually, do the following:
$ tar xjf bioapi-1.2.2.tar.bz2
$ cd bioapi-1.2.2
$ ./configure --with-Qt-dir=no
$ make
- and then as root
# make install
- and if you want to compile pam_bioapi for auth later
# cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include
- Be aware that checkinstall will not work!
Installing the driver
- Download TFMESS_BSP_LIN_1.0beta2.zip from http://www.qrivy.net/~michael/blua/upek-bsp.html and unzip it into a seperate folder, as it will not create one.
- Change to that folder and do as root:
# sh install.sh
# chmod 777 -R /usr/local/var/bioapi/
- Actually this depends on where you installed, if you did as suggested, it should work. Otherwise you probably know what you're doing anyways. :)
# touch /var/log/BSP.log && chmod 666 /var/log/BSP.log
# chmod -R a+X /proc/bus/usb
# chmod 666 /proc/bus/usb/`lsusb | grep "0483:2016" | sed -e "s/Bus\ \(.*\)\ Device\ \(.*\):\ .*/\1\/\2/"`
- It might be nessecary to put the above line into a startup script somewhere.
Testing the driver
Go to the folder where you extracted TFMESS_BSP_LIN_1.0beta2.zip and do:
# cd NonGUI_Sample
# chmod +x Sample
# ./Sample
If it doesn't work, ask for help at: t43fingerprint (at) badcode.de
GDM Login via pam_bioapi
Getting required libs & tools
Installing pam_bioapi
- Get and compile the pam_bioapi module.
$ wget http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-0.2.1.tar.bz2
$ tar xjf pam_bioapi-0.2.1.tar.bz2
$ cd pam_bioapi-0.2.1
$ wget http://badcode.de/downloads/fingerprint.patch
$ patch -p0 < fingerprint.patch
- If you want to, review the patch. In general you should review all code you download and compile, if possible.
The patch comes from this thread.
$ ./configure && make
- and as root
# make install
# cp /usr/local/lib/security/* /lib/security/
- Use the sample tool from the fingerprint reader to create <username>.bir
<username> must be the username you want to login with, gdm will probably break for any login name that has no .bir file.
- As root do:
# BioAPITest | grep -A2 Fingerprint | tail -n1 | cut -b 12-
- It should print something like
{5550454b2054464d2f45535320425350}
- If it does, do:
# mkdir /etc/bioapi1.10/pam`BioAPITest | grep -A2 Fingerprint | tail -n1 | cut -b 12-`
# cp <username>.bir /etc/bioapi1.10/pam`BioAPITest | grep -A2 Fingerprint | tail -n1 | cut -b 12-`
Configuring pam
The following part is distribution specific. On Ubuntu you can modify /etc/pam.d/common-auth (on Gentoo and Fedora it is file /etc/pam.d/system-auth) to look like this:
# # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # auth sufficient pam_bioapi.so {5550454b2054464d2f45535320425350} /etc/bioapi1.10/pam/ password sufficient pam_bioapi.so {5550454b2054464d2f45535320425350} /etc/bioapi1.10/pam/ auth required pam_unix.so nullok_secure
With this modification pam immediatelly starts to use the fingerprint reader to do local authorization (e.g. sudo/gdm use the fingerprint reader).
Now gdm should pop up an (ugly) image to swipe your finger and... magic - you can login without a password.
Make xscreensaver use the scanner
$ wget http://www.jwz.org/xscreensaver/xscreensaver-4.23.tar.gz
$ tar xzf xscreensaver-4.23.tar.gz
$ cd xscreensaver-4.23
$ wget http://nax.hn.org/pub/bioapi/xscreensaver-4.22_alternativeAuth.diff
After reviewing the patch (it's small and straightforward), do
$ patch -p1 < xscreensaver-4.22_alternativeAuth.diff
The patch should apply with some offset, don't mind that. If it says something about rejected though, then there's a problem.
This patch prevents xscreensaver from opening an authentification window and dispatches the authentification request to another program, in our case pam and pam_bioapi. Compile with
$ ./configure --with-pam && make
and then install as root with
# make install
.
Make sure that the newly compiled xscreensaver is used
$ which xscreensaver
should return/usr/local/bin/xscreensaver
.
In case it doesn't, try
$ export PATH=/usr/local/bin:$PATH
and retry.
$ xscreensaver-command -exit
kills your running instance of xscreensaver. Make sure you have the following line in your ~/.xscreensaver:
alternativeAuth: True
now look at /etc/pam.d/xscreensaver. If you're on Ubuntu Breezy and you have already changed /etc/pam.d/common-auth you should be good to go. Otherwise check that the following line is at the top of the file:
auth sufficient pam_bioapi.so {5550454b2054464d2f45535320425350} /etc/bioapi1.10/pam
start the new xscreensaver
$ xscreensaver
There should be a splash screen with version 4.23.
Now try with:
$ xscreensaver-command -lock
If you have questions or problems with this procedure, ask: t43fingerprint (at) badcode.de .