Script for enabling the fingerprint reader with BioAPI
The following script automates the installation of the fingerprint software for some Linux distributions. It covers most components (bioapi framework, driver, pam_bioapi, PAM setup, pamtester and enrolling), and handles all the downloading, patching and installation.
Usage: just copy into a file and run.
After installation, all PAM-enabled system functions will use the fingerprint reader (and if it fails, default to the usual password entry). This includes:
- KDE's KDM login
- Gnome's GDM login
- su
- sudo
Everything is installed into /opt/bioapi, so it doesn't pollute your filesystem. The only files affected outside /opt/bioapi are the ldconfig configuration, PAM configuration and a few symlinks in /lib/security.
For details, manual installation and hints for other distributions, see How to enable the fingerprint reader.
Distributions supported by this script
- Fedora 4
If you add support for additional distributions, please update this script (using conditionals where necessary) instead of branching it.
The script
```bash
#!/bin/bash
# Install UPEK fingerprint reader driver and associated software on Linux systems.
# Source: http://thinkwiki.org/wiki/Script_for_enabling_the_fingerprint_reader

set -e -E -x -u  # verbose, abort if anything fails
WHERE=/opt/bioapi
mkdir -p $WHERE

########################################
# Install bioapi:
wget -N http://www.qrivy.net/~michael/blua/bioapi/bioapi-1.2.2.tar.bz2
# Verify the download against the pinned SHA-1 before unpacking
sha1sum --check <<EOF
932425e847449e9612c6894dcbaf44630aecfc13  bioapi-1.2.2.tar.bz2
EOF
tar xjf bioapi-1.2.2.tar.bz2
pushd bioapi-1.2.2
./configure --with-Qt-dir=no --prefix=$WHERE
make
make install
install -m644 include/bioapi_util.h $WHERE/include/bioapi_util.h
install -m644 include/installdefs.h $WHERE/include/installdefs.h
install -m644 imports/cdsa/v2_0/inc/cssmtype.h $WHERE/include/cssmtype.h
chmod o-w $WHERE/var/bioapi
popd

########################################
# Tell ldconfig about bioapi libraries:
[ -d /etc/ld.so.conf.d ] || { echo "Unsupported distribution: no /etc/ld.so.conf.d directory."; exit 1; }
echo $WHERE/lib > /etc/ld.so.conf.d/bioapi.conf
ldconfig
ldconfig -p | grep -q bioapi || { echo "ldconfig doesn't see bioapi"; exit 1; }

########################################
# Install UPEK driver:
wget -N http://www.upek.com/support/download/TFMESS_BSP_LIN_1.0.zip
sha1sum --check <<EOF
c73466b5c3b26415b300d5c5ffb76deaefadeb32  TFMESS_BSP_LIN_1.0.zip
EOF
mkdir -p driver
pushd driver
unzip ../TFMESS_BSP_LIN_1.0.zip
PATH="$PATH:$WHERE/bin" sh install.sh $WHERE/lib/
cd NonGUI_Sample
# Patch the sample so it builds: add stdlib.h and comment out the bioapi_port.h include
perl -i -pe 'print "#include <stdlib.h>\n//DISABLED: " if m!^#include "port/bioapi_port.h"$!' main.c
gcc -o Sample main.c -I$WHERE/include -L$WHERE/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN
install Sample -m755 $WHERE/bin/upek-NonGUI_Sample
popd
# Extract the Fingerprint entry from the BioAPITest output and format it as a dashed serial
SERIAL=`$WHERE/bin/BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}"`

########################################
# Install (patched) pam_bioapi:
wget -N http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-0.2.1.tar.bz2
wget -N http://badcode.de/downloads/fingerprint.patch
sha1sum --check <<EOF
a0bdf3436e55f7dc8b4795243f08a4c9b399dec8  pam_bioapi-0.2.1.tar.bz2
619254a5bcd3acb8bf1d72b15ea69bfe00f0f064  fingerprint.patch
EOF
tar xjvf pam_bioapi-0.2.1.tar.bz2
pushd pam_bioapi-0.2.1
patch -p0 < ../fingerprint.patch
CPPFLAGS="-I$WHERE/include" LDFLAGS="-L$WHERE/lib" ./configure --prefix=$WHERE
make
make install
ln -vfs $WHERE/lib/security/pam_bioapi.so* /lib/security/
popd

########################################
# Install pamtester:
wget http://mesh.dl.sourceforge.net/sourceforge/pamtester/pamtester-0.1.2.tar.gz
sha1sum --check <<EOF
33bcc610d7f208b50a0a23c144bdbd1e2cae4ac6  pamtester-0.1.2.tar.gz
EOF
tar xzvf pamtester-0.1.2.tar.gz
pushd pamtester-0.1.2
./configure --prefix=$WHERE
make
make install
popd

########################################
# Configure pam to use pam_bioapi:
grep -q 'Fedora Core release 4' /etc/redhat-release || { echo \
"I don't know how to configure PAM on this distribution. See: http://thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Configuring_pam"; exit 1; }
PAMFILE=/etc/pam.d/system-auth
if ! grep -q pam_bioapi.so $PAMFILE; then
  # Insert a "sufficient" pam_bioapi line before the first auth and the first password entry
  perl -i -pe '
    if (!$a && m/^auth/) {$a=1; print "auth sufficient pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
    if (!$p && m/^password/) {$p=1; print "password sufficient pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
    ' $PAMFILE
fi

########################################
# USB permissions:
USBDEV=`/sbin/lsusb | sed -ne "/0483:2016/s/Bus\ \(.*\)\ Device\ \(.*\):\ .*/\1\/\2/p"`
chmod -R a+X /proc/bus/usb
# Makes the reader's USB device node readable and writable by every local user
chmod 666 /proc/bus/usb/$USBDEV

########################################
# Enroll:
mkdir -p /etc/bioapi/pam/$SERIAL
pushd /etc/bioapi/pam/$SERIAL
read -p "Now enroll all relevant Unix accounts (press Enter to start)."
$WHERE/bin/upek-NonGUI_Sample
popd

########################################
# Done:
set +x
echo -e "\n\nSuccess.\n"
echo "To test the fingerprint-enabled PAM login, run:"
echo "$WHERE/bin/pamtester -v login USERNAME authenticate"
```
Ideas for improvement
- Support more distributions
- Minimize changes to /etc/pam.d/system-auth by creating a separate file (e.g., /etc/pam.d/bioapi-auth) and @include-ing it.
- Do something about /etc/pam.d/sshd - it invokes /etc/pam.d/system-auth by stacking, so remote SSH logins now invoke the fingerprint reader... See related discussion in How_to_enable_the_fingerprint_reader.
- Install and configure a patched xscreensaver (as explained in How_to_enable_the_fingerprint_reader).
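The sshd item above can be checked on any system before and after running the installer. The following is an added example, not part of the original script: it lists the services in a PAM directory that pull in system-auth (through pam_stack.so, an include control, or @include) and therefore inherit the pam_bioapi line. The function names, the sample tree and the SERIAL-PLACEHOLDER value are constructed for illustration.

```shell
#!/bin/bash
# Added example, not part of the original script: report which PAM services
# inherit the pam_bioapi line the installer puts into system-auth.

# Prints the names of service files in PAMDIR that pull in STACK
# (default system-auth), provided STACK itself loads pam_bioapi.so.
services_inheriting_bioapi() {
    local pamdir=$1 stack=${2:-system-auth} f
    # Nothing is inherited unless the shared file actually loads the module.
    grep -Eq '^[^#]*pam_bioapi\.so' "$pamdir/$stack" 2>/dev/null || return 0
    for f in "$pamdir"/*; do
        [ -f "$f" ] || continue
        [ "${f##*/}" = "$stack" ] && continue
        # Match "pam_stack.so service=STACK", "<type> include STACK" or
        # "@include STACK"; commented-out lines are ignored.
        if grep -Eq "^[^#]*pam_stack\.so.*service=$stack([[:space:]]|\$)" "$f" ||
           grep -Eq "^[[:space:]]*(@include|-?[a-z]+[[:space:]]+include)[[:space:]]+$stack([[:space:]]|\$)" "$f"
        then
            echo "${f##*/}"
        fi
    done
}

# Constructed sample tree (not taken from a real system); prints its path.
make_sample_pamdir() {
    local d
    d=$(mktemp -d)
    printf '%s\n' \
        'auth sufficient pam_bioapi.so SERIAL-PLACEHOLDER /etc/bioapi/pam/' \
        'auth required pam_unix.so' > "$d/system-auth"
    printf '%s\n' 'auth required pam_stack.so service=system-auth' > "$d/sshd"
    printf '%s\n' 'auth include system-auth' > "$d/sudo"
    printf '%s\n' '# auth required pam_stack.so service=system-auth' \
        'auth required pam_unix.so' > "$d/cron"
    echo "$d"
}

# Demo on the constructed tree: prints sshd and sudo, but not cron.
demo_dir=$(make_sample_pamdir)
services_inheriting_bioapi "$demo_dir"
rm -rf "$demo_dir"
```

To audit a real system, call `services_inheriting_bioapi /etc/pam.d`; any remotely reachable service in the output (such as sshd) will offer fingerprint authentication once the installer has modified system-auth.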