How to enable the integrated fingerprint reader with ThinkFinger
The page "How to enable the fingerprint reader" has a good explanation of how to use the fingerprint reader with the closed-source binary driver. There is also an open-source project called ThinkFinger which does the same.
However: The fingerprint reader is an INSECURE device and gives a false sense of security! There has been quite a bit of research by a hacker named Starbug, a member of the Chaos Computer Club, Berlin, Germany. He outlined in two very good talks how to fool each and every available fingerprint sensor at the cost of a few euros, using materials from your local hardware store, a digicam and a laser printer! Here are some links:
Installing
From source
Download thinkfinger-0.3.tar.gz from the homepage and unpack it somewhere. Make sure you have the gcc compiler, libtool, pkg-config, libusb-dev and libpam0g-dev installed, then:
$ cd thinkfinger-0.3
$ ./configure --prefix=/usr --sysconfdir=/etc --with-securedir=/lib/security --with-birdir=/etc/pam_thinkfinger
$ make
# make install
"make install" doesn't create the birdir we specified (where thinkfinger will store users' biometric info), so create it:
# mkdir /etc/pam_thinkfinger
If everything went OK, check that pam_thinkfinger.so is present in /lib/security by typing:
$ ls /lib/security
From package
Debian
Packages arrived in Debian experimental on Aug 2nd, 2007 (cf. bug #409563). To access the experimental packages via apt, add the following lines to your sources.list:
# experimental
deb ftp://mirrors.kernel.org/debian/ experimental main contrib non-free
deb-src ftp://mirrors.kernel.org/debian/ experimental main contrib non-free
where of course you may replace mirrors.kernel.org with your mirror of choice. Just make sure that it hosts the experimental repositories.
# aptitude update
# aptitude install libthinkfinger0 libpam-thinkfinger thinkfinger-tools
should then get you up and running.
To make everything work you'll have to have permission to work the device ("$ sudo adduser myself plugdev" worked for me), and you'll also have to follow instructions below about adding the device to your PAM methods.
Ubuntu
Gutsy
From https://wiki.ubuntu.com/ThinkFinger
Add PPA repositories to your sources.list:
deb http://ppa.launchpad.net/jldugger/ubuntu gutsy main restricted universe multiverse
deb-src http://ppa.launchpad.net/jldugger/ubuntu gutsy main restricted universe multiverse
Install necessary packages:
$ sudo apt-get install thinkfinger-tools libpam-thinkfinger
Hardy
Hardy includes the latest thinkfinger and it is up to date with subversion. Install packages:
$ sudo apt-get install thinkfinger-tools libpam-thinkfinger
Update the pam configuration files:
$ sudo /usr/lib/pam-thinkfinger/pam-thinkfinger-enable
Enroll your fingerprint (creates $HOME/.thinkfinger.bir). If this gives an error about claiming the USB device then a reboot was claimed to work, but in fact it may just be a permissions problem.
$ tf-tool --acquire
Check fingerprint enrollment
$ tf-tool --verify
You can expect everything to work correctly. Note that you still have to enter your username if prompted but will be able to swipe your finger instead of the password. The prompt will usually be "Password or swipe finger"
- Graphical login
- Text console login
- sudo
- screen lock/screen saver
- Administrative password prompt (eg for update or package managers). (Note no "or swipe finger" in prompt).
Intrepid
After installing from the normal repositories coming with Ubuntu 8.10, you would have to press enter after sweeping finger. (This bug: https://bugs.launchpad.net/ubuntu/+source/thinkfinger/+bug/256429) Therefore Jon Oberheide made an update that can be found here: https://launchpad.net/~jon-oberheide/+archive (As of 2/3/09, this no longer seems to be the case. Just proceed to the install step.)
Add the PPA repositories to your sources.list (/etc/apt/sources.list):
deb http://ppa.launchpad.net/jon-oberheide/ubuntu intrepid main
deb-src http://ppa.launchpad.net/jon-oberheide/ubuntu intrepid main
Update installer:
$ sudo apt-get update
And install:
$ sudo apt-get install thinkfinger-tools
Jaunty
The same package by Jon Oberheide is necessary, as with Intrepid, though the package thinkfinger-tools is installed by default.
Add key:
$ sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com F2A12FABE936A7BBDC4EA33351DB180D1323E149
Add the PPA repositories to your sources.list (/etc/apt/sources.list):
deb http://ppa.launchpad.net/jon-oberheide/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/jon-oberheide/ppa/ubuntu jaunty main
Update installer:
$ sudo apt-get update
And install:
$ sudo apt-get install thinkfinger-tools libpam-thinkfinger
Fedora/Fedora Core
# yum install thinkfinger
Gentoo
# emerge sys-auth/thinkfinger
OpenSUSE
openSUSE 10.2 includes the package "libthinkfinger" (version 0.1-7) - you will find newer packages here.
Testing the driver
Now the driver is installed and should be working. You can try it (as root) with
# tf-tool --acquire
and
# tf-tool --verify
This will ask you to swipe your finger three times, save the fingerprint to /tmp/test.bir and then verify your fingerprint with the bir-file.
Configuring PAM to use ThinkFinger
Now you can configure PAM to use ThinkFinger:
Open /etc/pam.d/common-auth (In FC6, F7, and Gentoo, this file is /etc/pam.d/system-auth):
# nano -w /etc/pam.d/common-auth
Add this line before any pam_unix or pam_unix2 directives:
auth sufficient pam_thinkfinger.so
If your PAM uses the pam_unix and not the pam_unix2 module, you need to pass a specific argument in the /etc/pam.d/common-auth directive to make it consider the password entered at the pam_thinkfinger prompt.
auth required pam_unix.so try_first_pass
For instance, /etc/pam.d/common-auth looks like this:
auth sufficient pam_thinkfinger.so
auth required pam_unix.so nullok_secure try_first_pass
On openSUSE 10.2, it looks like this now:
auth required pam_env.so
auth sufficient pam_thinkfinger.so
auth required pam_unix2.so
On Ubuntu 8.10 - Intrepid Ibex you should just add the pam_thinkfinger line to the /etc/pam.d/common-auth file so it looks like this:
....
# here are the per-package modules (the "Primary" block)
auth sufficient pam_thinkfinger.so
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure
# here's the fallback if no module succeeds
....
On Ubuntu 9.04, you don't need to edit manually, just type:
# sudo /usr/lib/pam-thinkfinger/pam-thinkfinger-enable
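One way to check an edited file against the ordering rules above, as an added example (not part of the original page or of ThinkFinger): the function name check_thinkfinger_stack and the sample stack are constructed here. Because the module is marked "sufficient", a successful swipe alone satisfies every service that uses the file, so it is worth confirming exactly where the line sits.

```shell
#!/bin/sh
# check_thinkfinger_stack FILE
# Returns 0 if the auth stack follows the layout described above,
#         1 if there is no pam_thinkfinger auth line,
#         2 if pam_thinkfinger comes after pam_unix/pam_unix2,
#         3 if pam_unix (not pam_unix2) lacks try_first_pass.
check_thinkfinger_stack() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }          # comments, blank and short lines
        $1 != "auth"         { next }          # only the auth stack matters here
        $0 ~ /pam_thinkfinger\.so/ { if (!tf) tf = NR; next }
        $0 ~ /pam_unix2?\.so/ {
            if (!ux) {                         # remember the first pam_unix line
                ux    = NR
                unix1 = ($0 ~ /pam_unix\.so/)  # true for pam_unix, false for pam_unix2
                tfp   = ($0 ~ /try_first_pass/)
            }
        }
        END {
            if (!tf)           { print "no pam_thinkfinger auth line";         exit 1 }
            if (ux && ux < tf) { print "pam_thinkfinger is after pam_unix";    exit 2 }
            if (unix1 && !tfp) { print "pam_unix is missing try_first_pass";   exit 3 }
            print "ok"
        }
    ' "$1"
}

# Constructed sample: the two-line common-auth shown above.
sample=$(mktemp)
printf '%s\n' 'auth sufficient pam_thinkfinger.so' \
              'auth required pam_unix.so nullok_secure try_first_pass' > "$sample"
check_thinkfinger_stack "$sample"
rm -f "$sample"
```

On a real system, call it as check_thinkfinger_stack /etc/pam.d/common-auth (or /etc/pam.d/system-auth) after editing.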
Now we are ready to add users to thinkfinger. You can add a fingerprint for a user with:
# tf-tool --acquire $USERNAME
Now the user should be able to login with his finger instead of the password.
If you would like to use thinkfinger for su, you have to enroll the fingerprint for root user with:
# tf-tool --acquire root
xscreensaver/gnome-screensaver
If you'd like to be able to unlock your screen using the fingerprint reader, you must have current versions of xscreensaver (>~5.03) or gnome-screensaver (>~2.18.2). Then you must give yourself access to the fingerprint reader and your bir-file, because unlike login/gdm/su/sudo, both gnome-screensaver and xscreensaver do not run as root. The following procedure will make the fingerprint reader accessible to members of the "fingerprint" group.
Make the group:
# groupadd fingerprint
Save the following as /etc/udev/rules.d/60-thinkfinger.rules and run
# sudo /sbin/udevtrigger
If you are using a Debian-based distribution, it is likely you are affected by the following bug where you need to replace udevtrigger with udevadm trigger (with the space!) in order for the following to work. You may need to reboot for this to take effect.
#
# udev rules file for the thinkfinger fingerprint scanner
#
# gives access to the fingerprint reader to those in the "fingerprint" group
#
# Taken from:
# http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader_with_ThinkFinger
# which was taken and modified from:
# http://article.gmane.org/gmane.linux.drivers.thinkfinger/329
#
# SGS Thomson Microelectronics Fingerprint Reader
SYSFS{idVendor}=="0483", SYSFS{idProduct}=="2016", SYMLINK+="input/thinkfinger-%k", MODE="0660", GROUP="fingerprint"
# the also-needed uinput device
KERNEL=="uinput", MODE="0660", GROUP="fingerprint"
Finally, edit /etc/pam.d/gnome-screensaver so that it looks like this:
auth sufficient pam_thinkfinger.so
auth required pam_unix.so try_first_pass nullok_secure
Per user:
- Add him to the group:
# gpasswd -a $USERNAME fingerprint
- Make him owner of his bir-file:
# chown $USERNAME:root /etc/pam_thinkfinger/$USERNAME.bir
- Give him read-only access to his bir-file:
# chmod 400 /etc/pam_thinkfinger/$USERNAME.bir
- Give "execute only" access to everyone for the /etc/pam_thinkfinger/ directory:
# chmod o+x /etc/pam_thinkfinger
(WARNING: this opens up security a little).
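To see what the per-user steps above actually leave exposed, the following added example (not from the original page or from ThinkFinger) audits a birdir for templates that are readable beyond their owner and for a directory that others can list or write. The function name audit_birdir is constructed here, and it assumes GNU stat as found on the Linux distributions this page covers.

```shell
#!/bin/sh
# audit_birdir DIR: check a ThinkFinger birdir against the per-user steps above.
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_birdir() {
    birdir=$1
    findings=0
    # Directory: "chmod o+x" allows traversal only. Read or write for others
    # would let any local user list or replace the enrolled templates.
    dmode=$(stat -c %a "$birdir") || return 2
    if [ $(( 0$dmode & 6 )) -ne 0 ]; then
        echo "$birdir: mode $dmode lets others list or write the directory"
        findings=1
    fi
    for f in "$birdir"/*.bir; do
        [ -e "$f" ] || continue                 # nothing enrolled yet
        user=$(basename "$f" .bir)
        owner=$(stat -c %U "$f")
        mode=$(stat -c %a "$f")
        # Expected owner: the enrolled user (after chown) or still root.
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "$f: owned by $owner, expected $user or root"
            findings=1
        fi
        # Expected mode: 400, so no group or other permission bits at all.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$f: mode $mode grants group/other access"
            findings=1
        fi
    done
    return $findings
}

# Constructed demo: one correctly locked-down template in a temporary birdir.
demo=$(mktemp -d)
me=$(stat -c %U "$demo")
: > "$demo/$me.bir"
chmod 400 "$demo/$me.bir"
audit_birdir "$demo" && echo "birdir clean"
rm -rf "$demo"
```

On a real system, run audit_birdir /etc/pam_thinkfinger as root after adding or removing users.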
GNOME
gksu/gksudo doesn't work correctly. It just stays invisible. When starting a su privileged application such as synaptics you will not get prompted for the password. Nevertheless you can swipe your finger and it should authenticate you. Starting synaptics twice makes gksudo visible.
There are two possibilities to solve it:
- Changing the string "Password or swipe finger:" to a plain "Password:" (like sudo normally would do) in the file pam/pam_thinkfinger.c of the thinkfinger source directory. Of course, in the console you will then only see a "Password:" instead of "Password or swipe finger:" but this is still more useful than having gksu/gksudo crashing every time.
- Patching libgksu with the following patch. This is also a nasty hack until a better solution is implemented.
--- libgksu-2.0.3/libgksu/libgksu.c.orig 2007-06-17 16:00:24.000000000 +0200 +++ libgksu-2.0.3/libgksu/libgksu.c 2007-06-17 16:00:47.000000000 +0200 @@ -2663,7 +2663,7 @@ */ for (counter = 0; counter < 50; counter++) { - if (strncmp (buffer, "GNOME_SUDO_PASS", 15) == 0) + if (strncmp (buffer, "GNOME_SUDO_PASS", 15) == 0 || strncmp (buffer, "Password or swi", 15) == 0) break; read_line (parent_pipe[0], buffer, 256); @@ -2675,7 +2675,7 @@ if (context->debug) fprintf (stderr, "brute force GNOME_SUDO_PASS ended...\n"); - if (strncmp(buffer, "GNOME_SUDO_PASS", 15) == 0) + if (strncmp(buffer, "GNOME_SUDO_PASS", 15) == 0 || strncmp(buffer, "Password or swi", 15) == 0) { gchar *password = NULL; gboolean prompt_grab;
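Review bot: Both changed comparisons (the loop at -2663 and the check at -2675) hard-code the 15-character prefix "Password or swi" of another module's prompt, so any line on the pipe that begins with those characters is now handled exactly like GNOME_SUDO_PASS, and the match silently stops working if pam_thinkfinger changes or translates its prompt. Define the prompt once as a named constant used in both places, compare against the full "Password or swipe finger:" string with its real length instead of reusing the literal 15 from the GNOME_SUDO_PASS check, and add a comment saying which module emits it and why libgksu has to recognise it.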
KDE
Integration in KDE and kdm seems not to be easily possible now. There is a filed bug at kde.org where you can vote for this.
Moreover, kdm in openSUSE 10.3 and in Kubuntu 8.10 crashes when pam_thinkfinger is enabled. A possible "workaround" is downgrading to thinkfinger 0.2.2.
Another workaround is to use Fprint from [4] which works quite nicely on my X61s and Kubuntu Hardy.
This Howto was copied from Installing Ubuntu 6.06 on a ThinkPad T43#Fingerprint_Reader and then slightly modified.
Fix for the fingerprint reader getting too hot
If you notice that your fingerprint reader occasionally gets very hot then you might be interested in this section. Thanks to Tino Keitel, he actually gave me this solution through the linux-thinkpad mailing list.
First we need to determine whether the reader is already in autosuspend mode. Open a terminal and run:
for i in `find /sys/devices/*/*/usb* -name level` ; do echo -n "$i: " ; cat $i ; done
We care about the devices that are in the "on" state, and we need to determine whether one of those is the reader. So for each of those run something like:
cat /sys/devices/pci0000\:00/0000\:00\:1a.0/usb1/1-2/idVendor
0483
cat /sys/devices/pci0000\:00/0000\:00\:1a.0/usb1/1-2/idProduct
2016
Use the corresponding path of the devices that you got with "on" state and then compare the output with the output of the lsusb command. An example:
lsusb output: Bus 001 Device 004: ID 0483:2016 SGS Thomson Microelectronics Fingerprint Reader
Which matches the output above (0483:2016). Once you have determined the path of your reader then become root with su - and:
echo "auto" > /sys/<path-to-device>/power/level
After this, the fingerprint reader should be in "autosuspend" and will not get hot anymore. And it will still work as normal.
This will only work for the current session. If you want to make this change persistent and have sysfsutils installed, edit the file /etc/sysfs.conf and add the line
<path-to-device>/power/level = auto
Following the above example, that would be
devices/pci0000\:00/0000\:00\:1a.0/usb1/1-2/power/level = auto
Alternatively, you can install an init script:
sudo gedit /etc/init.d/ReaderNoMoreHot
Paste the following into it:
#!/bin/bash
#
echo "auto" > /sys/<path-to-device>/power/level
Save and close. Then:
sudo chmod 755 /etc/init.d/ReaderNoMoreHot
sudo update-rc.d ReaderNoMoreHot defaults 90
--Lunatico 19:19, 1 August 2008 (CEST), extended by --Michaelthomas h 23:36, 9 August 2008 (CEST)
For the init script above, you can use the following more elaborate script, which does all the work for you of identifying the <path-to-device>. This can be useful since the USB device id can change under various circumstances (kernel upgrade etc).
#!/bin/bash
# find the fingerprint reader and change its power level to autosuspend
usbname="SGS Thomson Microelectronics Fingerprint Reader"
usbid=$(lsusb |grep "$usbname" |cut -d' ' -f6);
[[ -z $usbid ]] && echo "USB Device \"$usbname\" not found" && exit 1
unset failed_bool
find /sys/devices/*/*/usb* -name idVendor -print | (
    while read vfile; do
        dir=$(dirname $vfile);
        vendor=$(<$vfile);
        product=$(<$dir/idProduct);
        if [[ $vendor:$product = $usbid ]]; then
            plevel_file=$dir/power/level
            old_level=$(<$plevel_file);
            [[ $old_level = auto ]] || echo auto >$plevel_file || failed_bool=1
            break;
        fi;
    done
    if [[ $failed_bool ]]; then
        echo "Failed to set the fingerprint reader's power level to 'auto'."
        exit 1
    fi
)
Here is an alternate script. The code is cleaner and it's about 20x faster:
#!/bin/bash
# find the fingerprint reader and change its power level to autosuspend
find_manuf=STMicroelectronics
find_prod="Biometric Coprocessor"
for devdir in /sys/class/usb_device/*/device; do
    manuf=$(<$devdir/manufacturer)
    [[ $manuf = $find_manuf ]] || continue;
    prod=$(<$devdir/product)
    [[ $prod = $find_prod ]] || continue;
    # if we get here then we have the right device!
    plevel_file=$devdir/power/level
    old_level=$(<$plevel_file);
    # if it is already set properly then exit silently:
    [[ $old_level = auto ]] && exit 0
    # if we successfully change it then exit silently:
    echo auto >$plevel_file && exit 0
    echo "Failed to set the fingerprint reader's power level to 'auto'."
    exit 1
done
# if we make it through the for loop without exiting, the search failed
echo "Could not find the $find_manuf $find_prod (fingerprint reader)"
exit 1