Fprint

From ArchWiki
Revision as of 06:13, 28 March 2011 by Hunterthomson (Talk | contribs)

Jump to: navigation, search

This template has only maintenance purposes. For linking to local translations please use interlanguage links, see Help:i18n#Interlanguage links.


Local languages: Català – Dansk – English – Español – Esperanto – Hrvatski – Indonesia – Italiano – Lietuviškai – Magyar – Nederlands – Norsk Bokmål – Polski – Português – Slovenský – Česky – Ελληνικά – Български – Русский – Српски – Українська – עברית – العربية – ไทย – 日本語 – 正體中文 – 简体中文 – 한국어


External languages (all articles in these languages should be moved to the external wiki): Deutsch – Français – Română – Suomi – Svenska – Tiếng Việt – Türkçe – فارسی

Background

From Pam fprint - fprint project:

pam_fprint is a simple PAM module which uses libfprint's fingerprint processing and verification functionality for authentication. In other words, instead of seeing a password prompt, you're asked to scan your fingerprint.

The idea is to use the built-in fingerprint reader in some notebooks for login using PAM. I will also explain how to use regular password for backup login method (solely fingerprint scanner is not recommended due to numerous reasons).

Prerequisites

First, make sure you have one of the supported finger scanners. You can check if your device is supported by checking this list of supported devices. To check which one you have, type

# lsusb

You need to install pam and libfprint.

# pacman -S pam libfprint

Installation

Once you made sure your reader is supported, you are good to go

# pacman -S pam_fprint

Configuration

Permissions

This is the tricky part. By defaut, only root has access to the device. You can create a signature from sudo, but then you can only use it for root user. After digging at the Ubuntu forums I found out the following solution which worked for me.

1. If the group plugdev doesn't exist (didn't for me), create it

2. Add yourself to the group

# gpasswd -a USER plugdev

3. Allow USB access

# chgrp -R plugdev /dev/bus/usb/

Login configuration

Modify the auth section of /etc/pam.d/login to this

auth       required pam_env.so
auth       sufficient   pam_fprint.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       required pam_deny.so

This tries to use fingerprint login first, and if if fails or if it finds no fingerprint signatures in the give user's home directory, it proceeds to password login.

Create fingeprint signature

Now you should be able to run the program under a normal user. To see the usage, run

$ pam_fprint_enroll --help

Chose one of the fingers and run

$ pam_fprint_enroll -f #

You will be asked to scan the given finger 3 times. After that, the signature is created in your home directory.

Setup fingerprint-gui

An aulternate fingerprint reader gui. This works with new Upeksonly readers such as the new Thinkpad W510 Upeksonly reader with USB ID 147e:2016

http://www.thinkwiki.org/wiki/Integrated_Fingerprint_Reader http://www.n-view.net/Appliance/fingerprint/

Install fingerprint-gui from AUR

$ yaourt -S fingerprint-gui

Please make sure your user is a member of "plugdev" and "scanner" group if you use UPEK non-free library. You may also have to log out and back in for these changes to take effect.

# gpasswd -a USER plugdev
# gpasswd -a USER scanner

fingerprint-polkit-agent conflicts with files in /etc/xdg/autostart that must be removed:

"polkit-gnome-authentication-agent-1.desktop" and
"polkit-kde-authentication-agent-1.desktop".

Edit your PAM configuration (e.g., /etc/pam.d/{login,su,sudo,gdm}).

Change the auth section to read

auth       required pam_env.so
auth       sufficient   pam_fingerprint-gui.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       required pam_deny.so

Now run fingerprint-gui and register fingerprints for the current user. You will need to run fingerprint-gui and register fingerprints for all users you want to use the fingerprint reader.