ThinkFinger

From ArchWiki

ThinkFinger is a driver for the SGS Thomson Microelectronics fingerprint reader found in older IBM/Lenovo ThinkPads.

ThinkWiki has a list of various fingerprint readers found in ThinkPads. Newer models using different readers might not work with ThinkFinger.

Installation

Install the thinkfingerAUR package.

Configuration

The uinput module needs to be loaded.

TF-Tool

Use tf-tool to test ThinkFinger. You will have to run this as root because a direct access to the USB devices is needed. Run tf-tool --acquire to generate a file at /etc/pam_thinkfinger/test.bir and tf-tool --verify to see if it identifies you correctly. tf-tool --add-user <username> acquires and stores your fingerprint in /etc/pam_thinkfinger/<username>.bir, which is needed for an authentication with PAM.

PAM

See PAM.

/etc/pam.d/login

Change the file /etc/pam.d/login to look like this if you want to use your fingerprint to authenticate yourself on logon:

/etc/pam.d/login
#%PAM-1.0
auth		sufficient	pam_thinkfinger.so
auth		required	pam_unix.so use_first_pass nullok_secure
account		required	pam_unix.so
password	required	pam_unix.so
session		required	pam_unix.so

/etc/pam.d/su

Change this file to confirm the su command with a finger-swipe:

/etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth		sufficient 	pam_thinkfinger.so
auth		required	pam_unix.so nullok_secure try_first_pass
account		required	pam_unix.so
session		required	pam_unix.so
Tip: Do not forget to do a tf-tool --add-user root to use this feature.

/etc/pam.d/sudo

Change this file to confirm the sudo command with a finger-swipe:

/etc/pam.d/su
#%PAM-1.0
auth		sufficient 	pam_thinkfinger.so
auth		required	pam_unix.so nullok_secure try_first_pass
auth		required	pam_nologin.so

/etc/pam.d/xscreensaver

The factual accuracy of this article or section is disputed.

Reason: Tampering with files in /usr/bin/ is a bad idea since these changes will get overwritten on an update (Discuss in Talk:ThinkFinger)

XScreensaver is a bit tricky. First, configure PAM with a file /etc/pam.d/xscreensaver containing:

/etc/pam.d/xscreensaver
 auth            sufficient      pam_thinkfinger.so
 auth            required        pam_unix_auth.so try_first_pass

This still will not work because Xscreensaver cannot read/write from /dev/misc/uinput and /dev/bus/usb*. A udev rule must be written to authorize a new group read/write access.

First, create a new group, let us say fingerprint:

# groupadd fingerprint

Add the user you want to be able to unlock Xscreensaver with the fingerprint reader to the group:

# gpasswd -a <user> fingerprint

Logout and login again for the changes to take effect.

Next, search for uinput and bus/usb in your udev rules directory:

$ grep -in uinput /etc/udev/rules.d/*

/etc/udev/rules.d/udev.rules:222:KERNEL=="uinput",  NAME="misc/%k", SYMLINK+="%k"
/etc/udev/rules.d/udev.rules:263:KERNEL=="uinput", NAME="input/%k"
$ grep -in "bus/usb" /etc/udev/rules.d/*

/etc/udev/rules.d/udev.rules:318:SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664"
/etc/udev/rules.d/udev.rules:320:SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664"

Copy the lines you found with grep in the previous step to a new udev rules file:

/etc/udev/rules.d/99fingerprint.rules
KERNEL=="uinput",  NAME="misc/%k", SYMLINK+="%k", MODE="0660", GROUP="fingerprint"
SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664", GROUP="fingerprint"
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664", GROUP="fingerprint"

The difference between the rules in /etc/udev/rules.d/99fingreprint.rules and those in /etc/udev/rules.d/udev.rules should only be the addition of MODE="0664", GROUP="fingerprint" or MODE="0660", GROUP="fingerprint" at the end of the lines.

After adding the custom udev rules, you should give your user permissions to access their own fingerprint file:

$ chown $USERNAME:root /etc/pam_thinkfinger/$USERNAME.bir
$ chmod 400 /etc/pam_thinkfinger/$USERNAME.bir
$ chmod o+x /etc/pam_thinkfinger
Note: The last command is opening up a directory for execution to everyone, beware of the security implications this might have.

As a last step, you need to remove the root setuid from /usr/bin/xscreensaver, otherwise Xscreensaver will not be able to unlock with the fingerprint reader:

# chmod -s /usr/bin/xscreensaver

/etc/pam.d/gdm

Edit /etc/pam.d/gdm and add the following line to the top:

/etc/pam.d/gdm
auth		sufficient 	pam_thinkfinger.so

Then modify auth required pam_unix.so to look like this:

/etc/pam.d/gdm
auth		required	pam_unix.so use_first_pass nullok_secure

/etc/pam.d/xdm

Edit /etc/pam.d/xdm to look like this:

/etc/pam.d/xdm
#%PAM-1.0
auth            sufficient      pam_thinkfinger.so
auth            required        pam_unix.so use_first_pass nullok_secure
auth            required        pam_nologin.so
auth            required        pam_env.so
account         required        pam_unix.so
password        required        pam_unix.so
session         required        pam_unix.so
session         required        pam_limits.so

/etc/pam.d/slim

Append the following to /etc/pam.d/slim:

/etc/pam.d/slim
#%PAM-1.0
...
auth            sufficient      pam_thinkfinger.so
auth            requisite       pam_nologin.so
auth            required        pam_env.so
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_limits.so
session         required        pam_unix.so
password        required        pam_unix.so

Now restart SLiM and you may use the fingerprinter to login.

Alternative fingerprint reader software

Fprint is an alternative fingerprint reader software that works with some of the newer ThinkPad fingerprint readers.

See also