Difference between revisions of "ThinkFinger"

From ArchWiki
Jump to: navigation, search
(Add entry for xdm)
m (SLiM)
(27 intermediate revisions by 18 users not shown)
Line 1: Line 1:
[[Category:Input devices (English)]]
+
[[es:ThinkFinger]]
[[Category:Laptops (English)]]
+
[[Category:Input devices]]
[[Category:HOWTOs (English)]]
+
[[Category:Lenovo]]
ThinkFinger is a driver for the SGS Thomson Microelectronics fingerprint reader found in most IBM/Lenovo ThinkPads.
+
ThinkFinger is a driver for the SGS Thomson Microelectronics fingerprint reader found in older IBM/Lenovo ThinkPads.
  
 +
ThinkWiki has a [http://www.thinkwiki.org/wiki/Integrated_Fingerprint_Reader list of various fingerprint readers] found in ThinkPads. Newer models using different readers might not work with ThinkFinger.
  
{{WarningBox|ThinkFinger-svn revisions above rev 72 require you to load the module <i>uinput</i>!}}
+
{{Warning|ThinkFinger-svn revisions above rev 72 require you to load the module <i>uinput</i>!}}
 
+
  
 
== Installation ==
 
== Installation ==
Get if from [http://aur.archlinux.org/packages.php?do_Details=1&ID=8250 here].
+
Get it from extra:
 +
pacman -S thinkfinger
 +
 
 
== Configuration ==
 
== Configuration ==
 
=== TF-Tool ===
 
=== TF-Tool ===
Line 21: Line 23:
  
 
=== /etc/pam.d/login ===
 
=== /etc/pam.d/login ===
Change the file <i>/etc/pam.d/other</i> to look like this if you want to use your fingerprint to authenticate yourself on logon:
+
Change the file <i>/etc/pam.d/login</i> to look like this if you want to use your fingerprint to authenticate yourself on logon:
 
  #%PAM-1.0
 
  #%PAM-1.0
 
  auth sufficient pam_thinkfinger.so
 
  auth sufficient pam_thinkfinger.so
Line 28: Line 30:
 
  password required pam_unix.so
 
  password required pam_unix.so
 
  session required pam_unix.so
 
  session required pam_unix.so
 
  
 
=== /etc/pam.d/su ===
 
=== /etc/pam.d/su ===
Line 35: Line 36:
 
  auth            sufficient      pam_rootok.so
 
  auth            sufficient      pam_rootok.so
 
  auth sufficient pam_thinkfinger.so
 
  auth sufficient pam_thinkfinger.so
  auth required pam_unix.so use_first_pass nullok_secure
+
  auth required pam_unix.so nullok_secure try_first_pass
 
  account required pam_unix.so
 
  account required pam_unix.so
 
  session required pam_unix.so
 
  session required pam_unix.so
  
{{HintBox|Don't forget to do a <i>tf-tool --add-user root to use this feature</i>!}}
+
{{Tip|Don't forget to do a <i>tf-tool --add-user root to use this feature</i>!}}
 +
 
 +
=== /etc/pam.d/sudo ===
 +
Change this file to confirm the <i>sudo</i> command with a finger-swipe!
 +
#%PAM-1.0
 +
auth sufficient pam_thinkfinger.so
 +
auth required pam_unix.so nullok_secure try_first_pass
 +
auth required pam_nologin.so
  
 
=== /etc/pam.d/xscreensaver ===
 
=== /etc/pam.d/xscreensaver ===
Line 50: Line 58:
 
First, create a new group. I suggest "fingerprint":
 
First, create a new group. I suggest "fingerprint":
 
  > sudo groupadd fingerprint
 
  > sudo groupadd fingerprint
Add the user you want to be able to unlock xscreensaver with the fingerprint reader to the group:
+
Add the user you want to be able to unlock xscreensaver with the fingerprint reader to the group:
 
  > sudo gpasswd -a <user> fingerprint
 
  > sudo gpasswd -a <user> fingerprint
 
Don't forget to logout and login again!
 
Don't forget to logout and login again!
Line 67: Line 75:
 
  SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664", GROUP="fingerprint"
 
  SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664", GROUP="fingerprint"
 
The difference between the rules in /etc/udev/rules.d/99my.rules and those in /etc/udev/rules.d/udev.rules should only be the addition of MODE="0664", GROUP="fingerprint" or MODE="0660", GROUP="fingerprint" at the end of the lines.
 
The difference between the rules in /etc/udev/rules.d/99my.rules and those in /etc/udev/rules.d/udev.rules should only be the addition of MODE="0664", GROUP="fingerprint" or MODE="0660", GROUP="fingerprint" at the end of the lines.
 +
 +
After this you must actually give your user permissions to access his own fingerprint file, this can be done as in the following:
 +
> chown $USERNAME:root /etc/pam_thinkfinger/$USERNAME.bir
 +
> chmod 400 /etc/pam_thinkfinger/$USERNAME.bir
 +
> chmod o+x /etc/pam_thinkfinger
 +
Yes that last one is opening up a directory for execution to everyone so if you're super paranoid you might consider that a security flaw, just putting the warning out there.
  
 
The last part is about xscreensaver. If you check xscreensaver file, you will see it is setuid to root :
 
The last part is about xscreensaver. If you check xscreensaver file, you will see it is setuid to root :
Line 83: Line 97:
 
Edit <i>/etc/pam.d/gdm</i> as done in sections 3.1 and 3.2
 
Edit <i>/etc/pam.d/gdm</i> as done in sections 3.1 and 3.2
  
  add:  
+
  add as the first line in the file:  
 
  auth sufficient pam_thinkfinger.so
 
  auth sufficient pam_thinkfinger.so
  
Line 103: Line 117:
 
  session        required        pam_limits.so
 
  session        required        pam_limits.so
  
== More reading ==
+
== SLiM ==
  
Please see those urls for more info.
+
To have thinkfinger support for the SLiM Login Manager you need to activate PAM support:
 +
 
 +
Get the package source of the slim package from ABS and change the "make" line in the PKGBUILD:
 +
make USE_PAM=1 || return 1
 +
Rebuild the package and install it.
 +
 
 +
Then create a file /etc/pam.d/slim:
 +
#%PAM-1.0
 +
auth            sufficient      pam_thinkfinger.so
 +
auth            requisite      pam_nologin.so
 +
auth            required        pam_env.so
 +
auth            required        pam_unix.so
 +
account        required        pam_unix.so
 +
session        required        pam_limits.so
 +
session        required        pam_unix.so
 +
password        required        pam_unix.so
  
http://www.thinkwiki.org/wiki/Talk:How_to_enable_the_fingerprint_reader
+
Now restart slim and swipe your finger.
  
http://thinkfinger.sourceforge.net/
+
== Alternative fingerprint reader software ==
  
http://bbs.archlinux.org/viewtopic.php?id=36134
+
[[Fprint]] is an alternative fingerprint reader software that works with some of the newer ThinkPad fingerprint readers.
  
http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader_with_ThinkFinger
+
== See also ==
  
http://www.thinkwiki.org/index.php?title=Installing_Ubuntu_6.06_on_a_ThinkPad_T43#Fingerprint_Reader
+
* http://www.thinkwiki.org/wiki/Talk:How_to_enable_the_fingerprint_reader
 +
* http://thinkfinger.sourceforge.net/
 +
* https://bbs.archlinux.org/viewtopic.php?id=36134
 +
* http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader_with_ThinkFinger
 +
* http://www.thinkwiki.org/index.php?title=Installing_Ubuntu_6.06_on_a_ThinkPad_T43#Fingerprint_Reader

Revision as of 03:55, 4 March 2013

ThinkFinger is a driver for the SGS Thomson Microelectronics fingerprint reader found in older IBM/Lenovo ThinkPads.

ThinkWiki has a list of various fingerprint readers found in ThinkPads. Newer models using different readers might not work with ThinkFinger.

Warning: ThinkFinger-svn revisions above rev 72 require you to load the module uinput!

Installation

Get it from extra: pacman -S thinkfinger

Configuration

TF-Tool

Use tf-tool to test ThinkFinger. You'll have to run this as root because a direct access to the usb devices is needed. Run tf-tool --acquire to generate a test.bir and tf-tool --verify to see if it identifies you correctly. tf-tool --add-user <username> acquires and stores your fingerprint in /etc/pam_thinkfinger/username.bir, which is needed for an authentication with pam.

Pam

PAM is the Pluggable Authentication Module, invented by Sun.

/etc/pam.d/login

Change the file /etc/pam.d/login to look like this if you want to use your fingerprint to authenticate yourself on logon:

#%PAM-1.0
auth		sufficient	pam_thinkfinger.so
auth		required	pam_unix.so use_first_pass nullok_secure
account		required	pam_unix.so
password	required	pam_unix.so
session		required	pam_unix.so

/etc/pam.d/su

Change this file to confirm the su command with a finger-swipe!

#%PAM-1.0
auth            sufficient      pam_rootok.so
auth		sufficient 	pam_thinkfinger.so
auth		required	pam_unix.so nullok_secure try_first_pass
account		required	pam_unix.so
session		required	pam_unix.so
Tip: Don't forget to do a tf-tool --add-user root to use this feature!

/etc/pam.d/sudo

Change this file to confirm the sudo command with a finger-swipe!

#%PAM-1.0
auth		sufficient 	pam_thinkfinger.so
auth		required	pam_unix.so nullok_secure try_first_pass
auth		required	pam_nologin.so

/etc/pam.d/xscreensaver

XScreensaver is a bit tricky. First, configure PAM with a file "/etc/pam.d/xscreensaver" containing :

auth            sufficient      pam_thinkfinger.so
auth            required        pam_unix_auth.so try_first_pass

But it still wont work with only that because xscreensaver cannot read/write from /dev/misc/uinput and /dev/bus/usb*. A udev rule must be written to authorize a new group read/write access.

First, create a new group. I suggest "fingerprint":

> sudo groupadd fingerprint
Add the user you want to be able to unlock xscreensaver with the fingerprint reader to the group:
> sudo gpasswd -a <user> fingerprint

Don't forget to logout and login again!

Search for "uinput" and "bus/usb" in your udev rules directory :

> grep -in uinput /etc/udev/rules.d/*
/etc/udev/rules.d/udev.rules:222:KERNEL=="uinput",  NAME="misc/%k", SYMLINK+="%k"
/etc/udev/rules.d/udev.rules:263:KERNEL=="uinput", NAME="input/%k"
> grep -in "bus/usb" /etc/udev/rules.d/*
/etc/udev/rules.d/udev.rules:318:SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664"
/etc/udev/rules.d/udev.rules:320:SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664"

Now copy the previous lines (222, 318 and 320 from /etc/udev/rules.d/udev.rules) to a new udev rules file. I suggest /etc/udev/rules.d/99my.rules

KERNEL=="uinput",  NAME="misc/%k", SYMLINK+="%k", MODE="0660", GROUP="fingerprint"
SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664", GROUP="fingerprint"
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664", GROUP="fingerprint"

The difference between the rules in /etc/udev/rules.d/99my.rules and those in /etc/udev/rules.d/udev.rules should only be the addition of MODE="0664", GROUP="fingerprint" or MODE="0660", GROUP="fingerprint" at the end of the lines.

After this you must actually give your user permissions to access his own fingerprint file, this can be done as in the following:

> chown $USERNAME:root /etc/pam_thinkfinger/$USERNAME.bir
> chmod 400 /etc/pam_thinkfinger/$USERNAME.bir
> chmod o+x /etc/pam_thinkfinger

Yes that last one is opening up a directory for execution to everyone so if you're super paranoid you might consider that a security flaw, just putting the warning out there.

The last part is about xscreensaver. If you check xscreensaver file, you will see it is setuid to root :

> ls -l /usr/bin/xscreensaver
-rwsr-sr-x 1 root root 217K aoû  2 20:47 /usr/bin/xscreensaver

Because of this, xscreensaver wont be able to unlock with the fingerprint reader. You need to remove the setuid root with :

> sudo chmod -s /usr/bin/xscreensaver
> ls -l /usr/bin/xscreensaver
-rwxr-xr-x 1 root root 217K aoû  2 20:47 /usr/bin/xscreensaver

That's it!

/etc/pam.d/gdm

[I am not an expert in PAMs but this works, This section may need corrections]

Edit /etc/pam.d/gdm as done in sections 3.1 and 3.2

add as the first line in the file: 
auth		sufficient 	pam_thinkfinger.so
Modify:
auth		required	pam_unix.so ==> auth		required	pam_unix.so use_first_pass nullok_secure

/etc/pam.d/xdm

Change /etc/pam.d/xdm to look like this:

#%PAM-1.0
auth            sufficient      pam_thinkfinger.so
auth            required        pam_unix.so use_first_pass nullok_secure
auth            required        pam_nologin.so
auth            required        pam_env.so
account         required        pam_unix.so
password        required        pam_unix.so
session         required        pam_unix.so
session         required        pam_limits.so

SLiM

To have thinkfinger support for the SLiM Login Manager you need to activate PAM support:

Get the package source of the slim package from ABS and change the "make" line in the PKGBUILD:

make USE_PAM=1 || return 1

Rebuild the package and install it.

Then create a file /etc/pam.d/slim:

#%PAM-1.0
auth            sufficient      pam_thinkfinger.so
auth            requisite       pam_nologin.so
auth            required        pam_env.so
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_limits.so
session         required        pam_unix.so
password        required        pam_unix.so

Now restart slim and swipe your finger.

Alternative fingerprint reader software

Fprint is an alternative fingerprint reader software that works with some of the newer ThinkPad fingerprint readers.

See also