Difference between revisions of "Script for enabling the fingerprint reader with BioAPI"

From ThinkWiki
(RHEL4 support)
 
(16 intermediate revisions by 7 users not shown)
Line 1: Line 1:
Using the [[Integrated Fingerprint Reader|integrated fingerprint reader]] under Linux is currently a fairly complicated [[How to enable the fingerprint reader|process]]. The following script automates the installation of the fingerprint software, for some Linux distributions. It covers most components (bioapi framework, driver, pam_bioapi, PAM setup, USB device permissions pamtester and enrolling), and handles all the downloading, patching and installation.
+
Using the [[Integrated Fingerprint Reader|integrated fingerprint reader]] under Linux is currently a fairly complicated process. The following script automates the installation of the fingerprint software, for some Linux distributions. It covers most components (bioapi framework, driver, pam_bioapi, PAM setup, USB device permissions pamtester and enrolling), and handles all the downloading, patching and installation.
  
 
Usage: just copy into a file and run as root.
 
Usage: just copy into a file and run as root.
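Review bot: the rewritten first sentence drops the [[How to enable the fingerprint reader|process]] link, so the intro no longer points to the manual procedure this script automates; keep the link on "process". The component list in the same sentence still reads "USB device permissions pamtester and enrolling" and needs a comma after "permissions".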
Line 10: Line 10:
 
* <tt>sudo</tt>
 
* <tt>sudo</tt>
  
Everything is intalled into {{path|/opt/bioapi}}, so it doesn't pollute your filesystem. The only files affected outside {{path|/opt/bioapi}} are the ldconfig configuration, PAM configuration, {{path|/etc/rc.local}} and a few symlinks in {{path|/lib/security}}.
+
Everything is intalled into {{path|/opt/bioapi}}, so it doesn't pollute your filesystem. The only effects outside {{path|/opt/bioapi}} are one-line changes to the ldconfig configuration, PAM configuration and {{path|/etc/rc.local}}, and a few symlinks in {{path|/lib/security}}.
 
 
For details, manual installation and hints for other distributions, see [[How to enable the fingerprint reader]].
 
  
 
===Distributions supported by this script===
 
===Distributions supported by this script===
* {{Fedora}} 4
+
* {{Fedora}} 4, 5, 6
 
* Red Hat Enterprise Linux 4
 
* Red Hat Enterprise Linux 4
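Review bot: the supported list goes from {{Fedora}} 4 to {{Fedora}} 4, 5, 6, but the inline script removed later in this diff only looks for 'Fedora Core release 4' or 'Red Hat Enterprise Linux AS release 4' in /etc/redhat-release before it edits PAM; confirm that the script the page now references accepts releases 5 and 6 before listing them here. The rewritten /opt/bioapi sentence also still carries the typo "intalled", and the "For details, manual installation and hints for other distributions" pointer appears to be dropped without a replacement.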
  
Line 21: Line 19:
  
 
==The script==
 
==The script==
 +
{{CodeRef|enable-fingerprint-reader}}
  
<pre>
+
The patch has been moved to http://cvs.pld-linux.org/cgi-bin/cvsweb/SOURCES/Attic/bioapi-c++.patch?rev=1.3. However in CVS it has been marked as obsolete.
#!/bin/bash
 
# Install UPEK fingerprint reader driver and associated software on Linux systems.
 
# Source: http://thinkwiki.org/wiki/Script_for_enabling_the_fingerprint_reader
 
 
 
set -e -E -x -u  # verbose, abort if anything fails
 
 
 
WHERE=/opt/bioapi
 
PASSWD_ENROLLS=0  # should "passwd" do fingerprint enrollment (always)?
 
 
 
########################################
 
# Install bioapi:
 
 
 
mkdir -p $WHERE
 
wget -N http://www.qrivy.net/~michael/blua/bioapi/bioapi-latest.tar.bz2
 
sha1sum --check <<EOF
 
932425e847449e9612c6894dcbaf44630aecfc13  bioapi-latest.tar.bz2
 
EOF
 
tar xjf bioapi-latest.tar.bz2
 
pushd bioapi-1.2.2
 
./configure --with-Qt-dir=no --prefix=$WHERE
 
make
 
make install
 
install -m644 include/bioapi_util.h $WHERE/include/bioapi_util.h
 
install -m644 include/installdefs.h $WHERE/include/installdefs.h
 
install -m644 imports/cdsa/v2_0/inc/cssmtype.h $WHERE/include/cssmtype.h
 
chmod o-w $WHERE/var/bioapi
 
popd
 
 
 
########################################
 
# Tell ldconfig about bioapi libraries:
 
 
 
[ -d /etc/ld.so.conf.d ] || { echo "Unsupported distribution: no /etc/ld.so.conf.d directory."; exit 1; }
 
echo $WHERE/lib > /etc/ld.so.conf.d/bioapi.conf
 
ldconfig
 
ldconfig -p | grep -q bioapi || { echo "ldconfig doesn't see bioapi"; exit 1; }
 
 
 
########################################
 
# Install UPEK driver:
 
 
 
wget -N http://www.upek.com/support/download/TFMESS_BSP_LIN_1.0.zip
 
sha1sum --check <<EOF
 
c73466b5c3b26415b300d5c5ffb76deaefadeb32  TFMESS_BSP_LIN_1.0.zip
 
EOF
 
mkdir -p driver
 
pushd driver
 
unzip ../TFMESS_BSP_LIN_1.0.zip
 
PATH="$PATH:$WHERE/bin" sh install.sh $WHERE/lib/
 
cd NonGUI_Sample
 
perl -i -pe 'print "#include <stdlib.h>\n//DISABLED: " if m!^#include "port/bioapi_port.h"$!'  main.c
 
gcc -o Sample main.c -I$WHERE/include -L$WHERE/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN
 
install Sample -m755 $WHERE/bin/upek-NonGUI_Sample
 
popd
 
 
 
SERIAL=`$WHERE/bin/BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}"`
 
 
 
########################################
 
# Install (patched) pam_bioapi:
 
 
 
wget -N http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2
 
wget -N http://badcode.de/downloads/fingerprint.patch  
 
sha1sum --check <<EOF
 
a0bdf3436e55f7dc8b4795243f08a4c9b399dec8  pam_bioapi-latest.tar.bz2
 
619254a5bcd3acb8bf1d72b15ea69bfe00f0f064  fingerprint.patch
 
EOF
 
tar xjvf pam_bioapi-latest.tar.bz2
 
pushd pam_bioapi-0.2.1
 
patch -p0 < ../fingerprint.patch
 
CPPFLAGS="-I$WHERE/include" LDFLAGS="-L$WHERE/lib" ./configure --prefix=$WHERE
 
make
 
make install
 
ln -vfs $WHERE/lib/security/pam_bioapi.so* /lib/security/
 
popd
 
 
 
########################################
 
# Install pamtester:
 
 
 
wget http://mesh.dl.sourceforge.net/sourceforge/pamtester/pamtester-0.1.2.tar.gz
 
sha1sum --check <<EOF
 
33bcc610d7f208b50a0a23c144bdbd1e2cae4ac6  pamtester-0.1.2.tar.gz
 
EOF
 
tar xzvf pamtester-0.1.2.tar.gz
 
pushd pamtester-0.1.2
 
./configure --prefix=$WHERE
 
make
 
make install
 
popd
 
 
 
########################################
 
# Configure pam to use pam_bioapi:
 
 
 
grep -eq 'Fedora Core release 4|Red Hat Enterprise Linux AS release 4' \
 
  /etc/redhat-release || { echo \
 
  "I don't know how to configure PAM on this distribution.
 
  See: http://thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Configuring_pam";
 
  exit 1; }
 
 
 
PAMFILE=/etc/pam.d/system-auth
 
if ! grep -q 'pam_bioapi\.so' $PAMFILE; then
 
  perl -i -pe '
 
    if (!$a && m/^auth.*pam_unix\.so/) {$a=1; print
 
      "auth        sufficient    pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
 
    ' $PAMFILE
 
  if [ $PASSWD_ENROLLS == 1 ]; then
 
    perl -i -pe '
 
      if (!$p && m/^password/) {$p=1; print
 
        "password    required      pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
 
      ' $PAMFILE
 
  fi
 
fi
 
 
 
########################################
 
# USB permissions (set now and add to startup):
 
 
 
RC_FILE=/etc/rc.local
 
SET_PERMS=$WHERE/bin/set_fingerprint_perms
 
 
 
cat > $SET_PERMS <<'EOF'
 
#!/bin/bash
 
# Make fingerprint reader USB device world-writable:
 
chmod -R a+X /proc/bus/usb
 
chmod 666 /proc/bus/usb/`/sbin/lsusb | sed -ne "/0483:2016/s/Bus\ \(.*\)\ Device\ \(.*\):\ .*/\1\/\2/p"`
 
EOF
 
chmod 755 $SET_PERMS
 
 
 
$SET_PERMS
 
 
 
[ -e $RC_FILE ] || { echo "No $RC_FILE, can't handle this distribution."; exit 1; }
 
if ! grep -q 0483:2016 $SET_PERMS; then
 
  echo $SET_PERMS >> $RC_FILE
 
fi
 
 
 
########################################
 
# Enroll:
 
 
 
mkdir -p /etc/bioapi/pam/$SERIAL
 
pushd /etc/bioapi/pam/$SERIAL
 
read -p "Now enroll all relevant Unix accounts (press Enter to start)."
 
$WHERE/bin/upek-NonGUI_Sample
 
popd
 
 
 
########################################
 
# Done:
 
 
 
set +x
 
cat<<EOF
 
 
 
Success.
 
* To test the fingerprint-enabled PAM login, run:
 
  $WHERE/bin/pamtester -v login USERNAME authenticate
 
* Add the following command to your resume-from-suspend script:
 
  $WHERE/bin/set_fingerprint_perms
 
 
 
EOF
 
</pre>
 
  
 
==Ideas for improvement==
 
==Ideas for improvement==
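Review bot: the sentence added under ==The script== says "The patch has been moved to" the pld-linux bioapi-c++.patch URL without naming which download it replaces. The inline script removed here fetches fingerprint.patch from badcode.de and pins it by SHA-1 in a sha1sum --check block, while the new URL is a differently named file that CVS marks as obsolete. State which patch is meant and whether the pinned checksum still applies, so that a reader who substitutes the file does not end up skipping the integrity check. With the script now behind {{CodeRef|enable-fingerprint-reader}}, also confirm there that the rc.local guard greps $RC_FILE; the removed copy tests "grep -q 0483:2016 $SET_PERMS", which always matches the file it has just written and so never appends to /etc/rc.local.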
Line 184: Line 29:
 
* Install and configure a patched xscreensaver (as explained in [[How_to_enable_the_fingerprint_reader]]).
 
* Install and configure a patched xscreensaver (as explained in [[How_to_enable_the_fingerprint_reader]]).
 
* Add "<tt>OnResume 10 /opt/bioapi/bin/set_fingerprint_perms</tt>" to [[Software Suspend 2|suspend2]]'s {{path|/etc/hibernate/hibernate.conf}}?
 
* Add "<tt>OnResume 10 /opt/bioapi/bin/set_fingerprint_perms</tt>" to [[Software Suspend 2|suspend2]]'s {{path|/etc/hibernate/hibernate.conf}}?
 +
 +
* The script ends with:
 +
+ wget -N http://badcode.de/downloads/fingerprint.patch
 +
--13:03:23--  http://badcode.de/downloads/fingerprint.patch
 +
          => `fingerprint.patch'
 +
Connecting to XXX.XXX.XXX.XXX:80... connected.
 +
Proxy request sent, awaiting response... 401 Authorization Required
 +
Authorization failed.
 +
 +
(proxy don't need authorization)
 +
the file is under authorization
  
 
[[Category:Scripts]]
 
[[Category:Scripts]]
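Review bot: the new "The script ends with:" item pastes a wget transcript into the list without <pre>, so the wiki will run the lines together, and it is a failure report rather than an idea for improvement. Wrap the transcript in <pre> and say plainly that the run stops at the fingerprint.patch download with 401 Authorization Required (the script runs under set -e); the trailing "(proxy don't need authorization)" and "the file is under authorization" lines would read better merged into one sentence.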

Latest revision as of 17:25, 5 August 2011

Using the integrated fingerprint reader under Linux is currently a fairly complicated process. The following script automates the installation of the fingerprint software for some Linux distributions. It covers most components (bioapi framework, driver, pam_bioapi, PAM setup, USB device permissions, pamtester and enrolling), and handles all the downloading, patching and installation.

Usage: just copy into a file and run as root.

After installation, all PAM-enabled system functions will use the fingerprint reader (and if it fails, default to the usual password entry). This includes:

  • KDE's KDM login (enter an empty password, then swipe finger)
  • KDE's screensaver (enter an empty password, then swipe finger)
  • Gnome's GDM login
  • su
  • sudo

Everything is installed into /opt/bioapi, so it doesn't pollute your filesystem. The only effects outside /opt/bioapi are one-line changes to the ldconfig configuration, PAM configuration and /etc/rc.local, and a few symlinks in /lib/security.

Distributions supported by this script

  • Fedora 4, 5, 6
  • Red Hat Enterprise Linux 4

If you add support for additional distributions, please update this script (using conditionals where necessary) instead of branching it.

The script

enable-fingerprint-reader (download)

The patch has been moved to http://cvs.pld-linux.org/cgi-bin/cvsweb/SOURCES/Attic/bioapi-c++.patch?rev=1.3. However, in CVS it has been marked as obsolete.

Ideas for improvement

  • Support more distributions
  • Minimize changes to /etc/pam.d/system-auth by creating a separate file (e.g., /etc/pam.d/bioapi-auth) and @include-ing it.
  • Do something about /etc/pam.d/sshd - it invokes /etc/pam.d/system-auth by stacking, so remote SSH logins now invoke the fingerprint reader... See related discussion in How_to_enable_the_fingerprint_reader.
  • Install and configure a patched xscreensaver (as explained in How_to_enable_the_fingerprint_reader).
  • Add "OnResume 10 /opt/bioapi/bin/set_fingerprint_perms" to suspend2's /etc/hibernate/hibernate.conf?
  • The script ends with:

    + wget -N http://badcode.de/downloads/fingerprint.patch
    --13:03:23--  http://badcode.de/downloads/fingerprint.patch
               => `fingerprint.patch'
    Connecting to XXX.XXX.XXX.XXX:80... connected.
    Proxy request sent, awaiting response... 401 Authorization Required
    Authorization failed.

(The proxy doesn't need authorization; the file is under authorization.)
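
The sshd item in the list above can be checked on a given machine by listing which PAM services pull in system-auth once it carries a pam_bioapi line. The following is an added example, not part of the wiki script: the function names are hypothetical, the PAM files are constructed samples, and the patterns cover pam_stack.so stacking plus the include, substack and @include forms.

```shell
#!/bin/bash
# Added example: list PAM services that inherit pam_bioapi through system-auth.
# The directory argument defaults to /etc/pam.d; the demo uses constructed files.

# Print the names of service files in $1 whose auth stack pulls in system-auth,
# but only if system-auth itself has an active auth line for pam_bioapi.so.
services_inheriting_bioapi() {
  local dir=${1:-/etc/pam.d} f
  # No uncommented auth line for pam_bioapi.so: nothing is inherited.
  grep -Eq '^[[:space:]]*auth[[:space:]].*pam_bioapi\.so' "$dir/system-auth" \
    2>/dev/null || return 0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    [ "${f##*/}" = system-auth ] && continue
    # Ways a service can reference system-auth:
    #   auth ... pam_stack.so service=system-auth   (stacking)
    #   auth include|substack system-auth
    #   @include system-auth
    if grep -Eq \
      -e '^[[:space:]]*auth[[:space:]].*pam_stack\.so[[:space:]].*service=system-auth' \
      -e '^[[:space:]]*auth[[:space:]]+(include|substack)[[:space:]]+system-auth' \
      -e '^[[:space:]]*@include[[:space:]]+system-auth' "$f"; then
      echo "${f##*/}"
    fi
  done | sort
}

# Build a constructed sample configuration (not taken from a real system).
make_demo_dir() {
  local d
  d=$(mktemp -d)
  cat > "$d/system-auth" <<'EOF'
auth        sufficient    pam_bioapi.so SERIAL-PLACEHOLDER /etc/bioapi/pam/
auth        sufficient    pam_unix.so likeauth nullok
EOF
  printf 'auth required pam_stack.so service=system-auth\n' > "$d/sshd"
  printf 'auth include system-auth\n' > "$d/sudo"
  printf '#auth include system-auth\nauth required pam_deny.so\n' > "$d/other"
  echo "$d"
}

demo_dir=$(make_demo_dir)
services_inheriting_bioapi "$demo_dir"
rm -rf "$demo_dir"
```

Run with no argument on a real system it reads /etc/pam.d; any remote-facing service in the output (sshd in the sample) will offer fingerprint authentication unless it gets its own auth stack.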