Difference between revisions of "Script for enabling the fingerprint reader with BioAPI"

From ThinkWiki
(The script)
 
(26 intermediate revisions by 10 users not shown)
Line 1: Line 1:
Using the [[Integrated Fingerprint Reader|integrated fingerprint reader]] under Linux is currently a fairly complicated [[How to enable the fingerprint reader|process]]. The following script automates the installation of the fingerprint software, for some Linux distributions. It covers most components (bioapi framework, driver, pam_bioapi, PAM setup, USB device permissions pamtester and enrolling), and handles all the downloading, patching and installation.
+
Using the [[Integrated Fingerprint Reader|integrated fingerprint reader]] under Linux is currently a fairly complicated process. The following script automates the installation of the fingerprint software, for some Linux distributions. It covers most components (bioapi framework, driver, pam_bioapi, PAM setup, USB device permissions pamtester and enrolling), and handles all the downloading, patching and installation.
  
 
Usage: just copy into a file and run as root.
 
Usage: just copy into a file and run as root.
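Review bot: In the rewritten first paragraph, the component list still reads "USB device permissions pamtester and enrolling"; a comma is missing after "permissions", so two components read as one item. Since this revision drops the [[How to enable the fingerprint reader|process]] link from the opening sentence, check that the "For details, manual installation and hints for other distributions" line stays in place as the pointer to the manual steps.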
Line 10: Line 10:
 
* <tt>sudo</tt>
 
* <tt>sudo</tt>
  
Everything is intalled into {{path|/opt/bioapi}}, so it doesn't pollute your filesystem. The only files affected outside {{path|/opt/bioapi}} are the ldconfig configuration, PAM configuration, {{path|/etc/rc.local}} and a few symlinks in {{path|/lib/security}}.
+
Everything is intalled into {{path|/opt/bioapi}}, so it doesn't pollute your filesystem. The only effects outside {{path|/opt/bioapi}} are one-line changes to the ldconfig configuration, PAM configuration and {{path|/etc/rc.local}}, and a few symlinks in {{path|/lib/security}}.
 
 
For details, manual installation and hints for other distributions, see [[How to enable the fingerprint reader]].
 
  
 
===Distributions supported by this script===
 
===Distributions supported by this script===
* {{Fedora}} 4
+
* {{Fedora}} 4, 5, 6
 +
* Red Hat Enterprise Linux 4
  
 
If you add support for additional distributions, please update this script (using conditionals where necessary) instead of branching it.
 
If you add support for additional distributions, please update this script (using conditionals where necessary) instead of branching it.
  
 
==The script==
 
==The script==
 +
{{CodeRef|enable-fingerprint-reader}}
  
<pre>
+
The patch has been moved to http://cvs.pld-linux.org/cgi-bin/cvsweb/SOURCES/Attic/bioapi-c++.patch?rev=1.3. However in CVS it has been marked as obsolete.
#!/bin/bash
 
# Install UPEK fingerprint reader driver and associated software on Linux systems.
 
# Source: http://thinkwiki.org/wiki/Script_for_enabling_the_fingerprint_reader
 
 
 
set -e -E -x -u  # verbose, abort if anything fails
 
 
 
WHERE=/opt/bioapi
 
PASSWD_ENROLLS=0  # should "passwd" do fingerprint enrollment (always)?
 
 
 
########################################
 
# Install bioapi:
 
 
 
mkdir -p $WHERE
 
wget -N http://www.qrivy.net/~michael/blua/bioapi/bioapi-latest.tar.bz2
 
sha1sum --check <<EOF
 
932425e847449e9612c6894dcbaf44630aecfc13  bioapi-latest.tar.bz2
 
EOF
 
tar xjf bioapi-latest.tar.bz2
 
pushd bioapi-1.2.2
 
./configure --with-Qt-dir=no --prefix=$WHERE
 
make
 
make install
 
install -m644 include/bioapi_util.h $WHERE/include/bioapi_util.h
 
install -m644 include/installdefs.h $WHERE/include/installdefs.h
 
install -m644 imports/cdsa/v2_0/inc/cssmtype.h $WHERE/include/cssmtype.h
 
chmod o-w $WHERE/var/bioapi
 
popd
 
 
 
########################################
 
# Tell ldconfig about bioapi libraries:
 
 
 
[ -d /etc/ld.so.conf.d ] || { echo "Unsupported distribution: no /etc/ld.so.conf.d directory."; exit 1; }
 
echo $WHERE/lib > /etc/ld.so.conf.d/bioapi.conf
 
ldconfig
 
ldconfig -p | grep -q bioapi || { echo "ldconfig doesn't see bioapi"; exit 1; }
 
 
 
########################################
 
# Install UPEK driver:
 
 
 
wget -N http://www.upek.com/support/download/TFMESS_BSP_LIN_1.0.zip
 
sha1sum --check <<EOF
 
c73466b5c3b26415b300d5c5ffb76deaefadeb32  TFMESS_BSP_LIN_1.0.zip
 
EOF
 
mkdir -p driver
 
pushd driver
 
unzip ../TFMESS_BSP_LIN_1.0.zip
 
PATH="$PATH:$WHERE/bin" sh install.sh $WHERE/lib/
 
cd NonGUI_Sample
 
perl -i -pe 'print "#include <stdlib.h>\n//DISABLED: " if m!^#include "port/bioapi_port.h"$!'  main.c
 
gcc -o Sample main.c -I$WHERE/include -L$WHERE/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN
 
install Sample -m755 $WHERE/bin/upek-NonGUI_Sample
 
popd
 
 
 
SERIAL=`$WHERE/bin/BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}"`
 
 
 
########################################
 
# Install (patched) pam_bioapi:
 
 
 
wget -N http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2
 
wget -N http://badcode.de/downloads/fingerprint.patch  
 
sha1sum --check <<EOF
 
a0bdf3436e55f7dc8b4795243f08a4c9b399dec8  pam_bioapi-latest.tar.bz2
 
619254a5bcd3acb8bf1d72b15ea69bfe00f0f064  fingerprint.patch
 
EOF
 
tar xjvf pam_bioapi-latest.tar.bz2
 
pushd pam_bioapi-0.2.1
 
patch -p0 < ../fingerprint.patch
 
CPPFLAGS="-I$WHERE/include" LDFLAGS="-L$WHERE/lib" ./configure --prefix=$WHERE
 
make
 
make install
 
ln -vfs $WHERE/lib/security/pam_bioapi.so* /lib/security/
 
popd
 
 
 
########################################
 
# Install pamtester:
 
 
 
wget http://mesh.dl.sourceforge.net/sourceforge/pamtester/pamtester-0.1.2.tar.gz
 
sha1sum --check <<EOF
 
33bcc610d7f208b50a0a23c144bdbd1e2cae4ac6  pamtester-0.1.2.tar.gz
 
EOF
 
tar xzvf pamtester-0.1.2.tar.gz
 
pushd pamtester-0.1.2
 
./configure --prefix=$WHERE
 
make
 
make install
 
popd
 
 
 
########################################
 
# Configure pam to use pam_bioapi:
 
 
 
grep -q 'Fedora Core release 4' /etc/redhat-release || { echo \
 
  "I don't know how to configure PAM on this distribution.
 
  See: http://thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Configuring_pam";
 
  exit 1; }
 
 
 
PAMFILE=/etc/pam.d/system-auth
 
if ! grep -q 'pam_bioapi\.so' $PAMFILE; then
 
  perl -i -pe '
 
    if (!$a && m/^auth.*pam_unix\.so/) {$a=1; print
 
      "auth        sufficient    pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
 
    ' $PAMFILE
 
  if [ $PASSWD_ENROLLS == 1 ]; then
 
    perl -i -pe '
 
      if (!$p && m/^password/) {$p=1; print
 
        "password    required      pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
 
      ' $PAMFILE
 
  fi
 
fi
 
 
 
########################################
 
# USB permissions (set now and add to startup):
 
 
 
RC_FILE=/etc/rc.local
 
SET_PERMS=$WHERE/bin/set_fingerprint_perms
 
 
 
cat > $SET_PERMS <<'EOF'
 
#!/bin/bash
 
# Make fingerprint reader USB device world-writable:
 
chmod -R a+X /proc/bus/usb
 
chmod 666 /proc/bus/usb/`/sbin/lsusb | sed -ne "/0483:2016/s/Bus\ \(.*\)\ Device\ \(.*\):\ .*/\1\/\2/p"`
 
EOF
 
chmod 755 $SET_PERMS
 
 
 
$SET_PERMS
 
 
 
[ -e $RC_FILE ] || { echo "No $RC_FILE, can't handle this distribution."; exit 1; }
 
if ! grep -q 0483:2016 $SET_PERMS; then
 
  echo $SET_PERMS >> $RC_FILE
 
fi
 
 
 
########################################
 
# Enroll:
 
 
 
mkdir -p /etc/bioapi/pam/$SERIAL
 
pushd /etc/bioapi/pam/$SERIAL
 
read -p "Now enroll all relevant Unix accounts (press Enter to start)."
 
$WHERE/bin/upek-NonGUI_Sample
 
popd
 
 
 
########################################
 
# Done:
 
 
 
set +x
 
cat<<EOF
 
 
 
Success.
 
* To test the fingerprint-enabled PAM login, run:
 
  $WHERE/bin/pamtester -v login USERNAME authenticate
 
* Add the following command to your resume-from-suspend script:
 
  $WHERE/bin/set_fingerprint_perms
 
 
 
EOF
 
</pre>
 
  
 
==Ideas for improvement==
 
==Ideas for improvement==
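Review bot: The added note beginning "The patch has been moved to" does not say which of the script's downloads it replaces and gives no checksum, whereas the removed inline script pinned every download, fingerprint.patch included, with sha1sum --check. Name the file it substitutes for and publish its SHA-1 next to the URL, or state that the patch is no longer needed, given that CVS marks it obsolete. The supported list now names Fedora 4, 5, 6 and Red Hat Enterprise Linux 4, but the removed PAM step only accepted 'Fedora Core release 4' in /etc/redhat-release, so confirm that the script behind {{CodeRef|enable-fingerprint-reader}} relaxes that check. While the script is being moved, note that "if ! grep -q 0483:2016 $SET_PERMS" tests the helper that was just written, which always contains that ID, so the line is never appended to $RC_FILE; the grep should target $RC_FILE. The new "Everything is intalled" line also keeps the typo "intalled".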
Line 182: Line 29:
 
* Install and configure a patched xscreensaver (as explained in [[How_to_enable_the_fingerprint_reader]]).
 
* Install and configure a patched xscreensaver (as explained in [[How_to_enable_the_fingerprint_reader]]).
 
* Add "<tt>OnResume 10 /opt/bioapi/bin/set_fingerprint_perms</tt>" to [[Software Suspend 2|suspend2]]'s {{path|/etc/hibernate/hibernate.conf}}?
 
* Add "<tt>OnResume 10 /opt/bioapi/bin/set_fingerprint_perms</tt>" to [[Software Suspend 2|suspend2]]'s {{path|/etc/hibernate/hibernate.conf}}?
 +
 +
* The script ends with:
 +
+ wget -N http://badcode.de/downloads/fingerprint.patch
 +
--13:03:23--  http://badcode.de/downloads/fingerprint.patch
 +
          => `fingerprint.patch'
 +
Connecting to XXX.XXX.XXX.XXX:80... connected.
 +
Proxy request sent, awaiting response... 401 Authorization Required
 +
Authorization failed.
 +
 +
(proxy don't need authorization)
 +
the file is under authorization
  
 
[[Category:Scripts]]
 
[[Category:Scripts]]
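Review bot: The bullet added under "Ideas for improvement" is a failure report rather than an idea, and the pasted wget output is not wrapped in <pre>, so it renders run together. Put the transcript in a <pre> block, state the finding in one sentence (the download of fingerprint.patch returns "401 Authorization Required"), and tie it to the note about the patch having moved so readers know what to fetch instead.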

Latest revision as of 18:25, 5 August 2011

Using the integrated fingerprint reader under Linux is currently a fairly complicated process. The following script automates the installation of the fingerprint software for some Linux distributions. It covers most components (bioapi framework, driver, pam_bioapi, PAM setup, USB device permissions, pamtester and enrolling), and handles all the downloading, patching and installation.

Usage: just copy into a file and run as root.

After installation, all PAM-enabled system functions will use the fingerprint reader (and if it fails, default to the usual password entry). This includes:

  • KDE's KDM login (enter an empty password, then swipe finger)
  • KDE's screensaver (enter an empty password, then swipe finger)
  • Gnome's GDM login
  • su
  • sudo

Everything is installed into /opt/bioapi, so it doesn't pollute your filesystem. The only effects outside /opt/bioapi are one-line changes to the ldconfig configuration, PAM configuration and /etc/rc.local, and a few symlinks in /lib/security.

Distributions supported by this script

  • Fedora 4, 5, 6
  • Red Hat Enterprise Linux 4

If you add support for additional distributions, please update this script (using conditionals where necessary) instead of branching it.

The script

enable-fingerprint-reader (download)

The patch has been moved to http://cvs.pld-linux.org/cgi-bin/cvsweb/SOURCES/Attic/bioapi-c++.patch?rev=1.3. However, in CVS it has been marked as obsolete.

Ideas for improvement

  • Support more distributions
  • Minimize changes to /etc/pam.d/system-auth by creating a separate file (e.g., /etc/pam.d/bioapi-auth) and @include-ing it.
  • Do something about /etc/pam.d/sshd - it invokes /etc/pam.d/system-auth by stacking, so remote SSH logins now invoke the fingerprint reader... See related discussion in How_to_enable_the_fingerprint_reader.
  • Install and configure a patched xscreensaver (as explained in How_to_enable_the_fingerprint_reader).
  • Add "OnResume 10 /opt/bioapi/bin/set_fingerprint_perms" to suspend2's /etc/hibernate/hibernate.conf?
  • The script ends with:

    + wget -N http://badcode.de/downloads/fingerprint.patch
    --13:03:23--  http://badcode.de/downloads/fingerprint.patch
               => `fingerprint.patch'
    Connecting to XXX.XXX.XXX.XXX:80... connected.
    Proxy request sent, awaiting response... 401 Authorization Required
    Authorization failed.

    (The proxy doesn't need authorization.) The file is under authorization.
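
The stacking concern in "Ideas for improvement" (sshd reaching pam_bioapi through system-auth) can be checked mechanically. The following is an added example, not part of the wiki page or its script: it lists every PAM service whose stack reaches pam_bioapi.so, directly or through another service file. The function names and the sample pam.d files are constructed for illustration.

```shell
#!/bin/bash
# Added example: list PAM services that reach pam_bioapi.so, directly or by
# pulling in another service file (pam_stack.so service=X, include/substack X,
# or Debian-style @include X). Function names are hypothetical.

# reaches_bioapi DIR SERVICE [DEPTH] -> exit 0 if SERVICE's stack uses pam_bioapi.so
reaches_bioapi() {
  local dir=$1 depth=${3:-0} f="$1/$2" child
  [ -f "$f" ] && [ "$depth" -lt 8 ] || return 1   # missing file or include loop
  # Direct reference on a non-comment line
  grep -Eq '^[^#]*pam_bioapi\.so' "$f" && return 0
  # Follow every stacked or included service
  for child in $(sed -nE \
      -e 's/^[^#]*pam_stack\.so.*service=([^[:space:]]+).*/\1/p' \
      -e 's/^[^#]*[[:space:]](include|substack)[[:space:]]+([^[:space:]]+).*/\2/p' \
      -e 's/^@include[[:space:]]+([^[:space:]]+).*/\1/p' "$f"); do
    reaches_bioapi "$dir" "$child" $((depth + 1)) && return 0
  done
  return 1
}

# audit_pam DIR -> prints one affected service name per line, sorted
audit_pam() {
  local dir=$1 f
  for f in "$dir"/*; do
    [ -f "$f" ] && reaches_bioapi "$dir" "$(basename "$f")" && basename "$f"
  done | sort
}

# Constructed sample pam.d tree (not taken from a real system); prints its path
make_sample() {
  local d; d=$(mktemp -d)
  printf '%s\n' 'auth sufficient pam_bioapi.so SERIAL /etc/bioapi/pam/' \
                'auth sufficient pam_unix.so nullok' > "$d/system-auth"
  printf '%s\n' 'auth required pam_stack.so service=system-auth' > "$d/sshd"
  printf '%s\n' 'auth include system-auth' > "$d/sudo"
  printf '%s\n' '# auth sufficient pam_bioapi.so' \
                'auth required pam_unix.so' > "$d/cron"
  echo "$d"
}

# Usage on a real system: audit_pam /etc/pam.d
```

On the constructed tree, sshd and sudo are reported alongside system-auth, while cron, which only mentions the module in a comment, is not.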