Talk:How to enable the integrated fingerprint reader with ThinkFinger

From ThinkWiki
Revision as of 13:47, 28 February 2010 by Mrelectronic (Talk | contribs)

about fingerprint security or should we pay more for it?

GDM

Howdy.

With the latest versions of GDM, PAM and ThinkFinger you may experience a GDM segfault when using the Face Browser to select a user. This stops you from using the aforementioned software combination to log in to a pure tablet system. That is, you're going to need a keyboard to type the username. Please see this bug report and contribute if you can.

Problem

Hello! I have a Lenovo R61i and Debian 4.0 (sid). I have done everything that was in this article, but when I do:

pokorski@debian:~$ sudo tf-tool --acquire

the terminal is writing:

ThinkFinger 0.3 (http://thinkfinger.sourceforge.net/) Copyright (C) 2006, 2007 Timo Hoenig <thoenig@suse.de>

Initializing...USB device not found.

I read manuals and howtos but I can't install it on my R61i. On M$ Windows biometric reader worked correctly. Can anybody help me? Sorry for my English (I'm Polish)

- Hi, I have the same notebook, running ubuntu 8.04, and it seems this device isn't supported by thinkfinger. What worked for me is libfprint, the newest version.
  regards


Intrepid Ibex

Has anyone got thinkfinger to work with pam in Ubuntu Intrepid Ibex? If so, how did you configure /etc/pam.d/common_auth?

Configuration of thinkfinger has been simplified, but the change was not documented in the man page... This bug report will probably help. Install the modified packages mentioned in the HowTo. My /etc/pam.d/common-auth (note "-" not "_") looks like the following. Best, Tec 02:20, 19 November 2008 (CET)

# here are the per-package modules (the "Primary" block)
auth    sufficient      pam_thinkfinger.so
auth    [success=1 default=ignore]      pam_unix.so try_first_pass nullok_secure
#auth   [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

Security issue

Hello, I think adding pam_thinkfinger.so to /etc/pam.d/common-auth is not that good an idea. On my gentoo laptop, after adding this, it is possible to log in from ssh with the fingerprint reader. I think this is not good.

For example ( 169-44 is a remote host, Derex-PC is my laptop with thinkfinger ):

derex@169-44:~$ ssh root@192.168.168.168
Password or swipe finger:
derex@Derex-PC ~ $ su -
Password:

Then I swipe my finger on the laptop, and press enter (just it, no password) on the remote host, and I get this:

derex@169-44:~$ ssh root@192.168.168.168
Password or swipe finger:
Last login: Wed Jan 28 13:36:15 EET 2009 from 192.168.168.1 on pts/1
Last login: Wed Jan 28 13:48:17 2009 from 192.168.168.1
Derex-PC ~ #
derex@Derex-PC ~ $ su -
Password:
su: Authentication failure
derex@Derex-PC ~ $
NOTE!
"su" prompts for "Password" only, but usually it asks "Password or swipe finger".

I added pam_thinkfinger.so only to gdm, gnome-screensaver, login and su in /etc/pam.d/ and now I don't have this issue.
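
A defender-side check for the exposure described in this thread, as an added example that is not part of the original discussion: it follows include directives in PAM service files and reports remote-facing services whose auth stack ends up containing pam_thinkfinger.so. The file contents, the REMOTE set and the function names are constructed for illustration; common-auth follows the file posted in the Intrepid Ibex section.

```python
import re

MODULE = "pam_thinkfinger.so"
REMOTE = {"sshd"}   # assumption: services reachable over the network
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_modules(service, read, seen=()):
    """Modules in `service`'s auth stack, with includes followed."""
    if service in seen:                        # guard against include loops
        return []
    mods = []
    for raw in read(service).splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):        # Debian/Ubuntu syntax
            mods += auth_modules(line.split()[1], read, seen + (service,))
            continue
        m = LINE.match(line)
        if not m or m.group(1) != "auth":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"): # Gentoo/Red Hat syntax
            mods += auth_modules(target, read, seen + (service,))
        else:
            mods.append(target.rsplit("/", 1)[-1])
    return mods

def exposed(tree):
    """Remote services in `tree` whose auth stack accepts a finger swipe."""
    read = lambda name: tree.get(name, "")
    return sorted(s for s in tree
                  if s in REMOTE and MODULE in auth_modules(s, read))

# Constructed /etc/pam.d contents (not taken from a real system).
BEFORE = {
    "common-auth": "auth sufficient pam_thinkfinger.so\n"
                   "auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure\n"
                   "auth requisite pam_deny.so\n"
                   "auth required pam_permit.so\n",
    "sshd": "@include common-auth\naccount required pam_nologin.so\n",
    "su": "auth sufficient pam_rootok.so\n@include common-auth\n",
    "gdm": "@include common-auth\n",
}
# The change described in the post: module listed per local service only.
LOCAL = "auth sufficient pam_thinkfinger.so\n"
AFTER = {**BEFORE,
         "common-auth": BEFORE["common-auth"].split("\n", 1)[1],
         "su": "auth sufficient pam_rootok.so\n" + LOCAL + "@include common-auth\n",
         "gdm": LOCAL + "@include common-auth\n"}

if __name__ == "__main__":
    print("before:", exposed(BEFORE))
    print("after: ", exposed(AFTER))
```

To audit a real machine, build the dictionary from the files under /etc/pam.d (file name as key, file text as value) and pass it to `exposed`.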

Trouble entering password to unlock screensaver

On Ubuntu Jaunty, I've got the password reader working fine, but now once gnome-screensaver kicks in, I can only unlock it using the fingerprint reader. If I enter my password, it flips to "checking" and stays that way until I cancel it. Anyone else seeing anything like this?

Debian Squeeze - i386 issues with fingerprint reader

On Debian squeeze the SGS Thomson Fingerprint reader stopped working correctly with a recent update. I accidentally stumbled across a gentoo bug stating the same strange behavior (although the console is working correctly, X does not). Apparently this is due to missing sync events that should be sent to evdev, which got updated in debian squeeze recently. As thinkfinger has been dead upstream for a long time by now (the package was removed from repositories) and there was no suitable replacement I could get my hands on, I finally recompiled from scratch. For those that might be in the same situation, here is what I did:

You need the package checkinstall for proper package management (it should be in the repository) and any related dependency libraries: usb, pam, ... (check what ./configure is complaining about).

Get the source code thinkfinger_0.3+r118.orig.tar.gz, the necessary patch from Jon Oberheide (thinkfinger_0.3+r118-0ubuntu5~ppa1.diff.gz worked great for me) and the gentoo patch of course (I named the file: patch_evdev_gentoo.diff). Then fire up your favorite console, unpack and apply the patches:

~ $ tar -xvzf thinkfinger_0.3+r118.orig.tar.gz
~ $ gzip -d thinkfinger_0.3+r118-0ubuntu5~ppa1.diff.gz
~ $ patch -p0 < thinkfinger_0.3+r118-0ubuntu5~ppa1.diff
~ $ cp patch_evdev_gentoo.diff thinkfinger-0.3+118/
~ $ cd thinkfinger-0.3+118
~ $ patch -p0 < patch_evdev_gentoo.diff

Then configure (there might be packages missing - look at what ./configure is complaining about), compile, pack and install the software:

~ $ ./configure --prefix=/usr --with-securedir=/lib/security --sysconfdir=/etc
~ $ make
~ $ su
~ # checkinstall

Don't forget about package documentation - the packed package should be installed by default. As tf-tool is installed in /usr/sbin it is not in the path for normal users. The workaround I chose was a symbolic link in /usr/local/bin (quick and dirty, sorry - but suitable in my case):

~ # cd /usr/local/bin
~ # ln -s /usr/sbin/tf-tool

In case you had a working fingerprint reader before, everything should be working normally. If not, you might want to go through the setup page and apply the initial configuration (as debian squeeze has the recent udev package, you also need to adapt your udev rules according to the ubuntu karmic section).