Difference between revisions of "ThinkFinger"

From ArchWiki
(Pam)
Line 77: Line 77:
  
 
That's it!
 
That's it!
 +
 +
== More reading ==
 +
 +
Please see those urls for more info.
 +
 +
http://www.thinkwiki.org/wiki/Talk:How_to_enable_the_fingerprint_reader
 +
 +
http://thinkfinger.sourceforge.net/
 +
 +
http://bbs.archlinux.org/viewtopic.php?id=36134
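
Review bot: In the added "More reading" section, the three links are bare URLs on separate lines with no labels, so a reader cannot tell the ThinkWiki talk page, the upstream SourceForge project and the Arch forum thread apart without opening them; make them a bulleted list with a short description per link. The intro line "Please see those urls for more info." would read better as "See these URLs for more information.", and the edit summary "(Pam)" does not describe a change that adds a new "More reading" section.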

Revision as of 18:46, 11 August 2007

ThinkFinger is a driver for the SGS Thomson Microelectronics fingerprint reader found in most IBM/Lenovo ThinkPads.




Installation

Get it from here.

Configuration

TF-Tool

Use tf-tool to test ThinkFinger. You'll have to run it as root because it needs direct access to the USB devices. Run tf-tool --acquire to generate a test.bir and tf-tool --verify to see if it identifies you correctly. tf-tool --add-user <username> acquires your fingerprint and stores it in /etc/pam_thinkfinger/username.bir, which is needed for authentication with PAM.

Pam

PAM (Pluggable Authentication Modules) was invented by Sun.

/etc/pam.d/login

Change the file /etc/pam.d/other to look like this if you want to use your fingerprint to authenticate yourself on logon:

#%PAM-1.0
auth		sufficient	pam_thinkfinger.so
auth		required	pam_unix.so use_first_pass nullok_secure
account		required	pam_unix.so
password	required	pam_unix.so
session		required	pam_unix.so


/etc/pam.d/su

Change this file to confirm the su command with a finger-swipe!

#%PAM-1.0
auth            sufficient      pam_rootok.so
auth		sufficient 	pam_thinkfinger.so
auth		required	pam_unix.so use_first_pass nullok_secure
account		required	pam_unix.so
session		required	pam_unix.so
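
A quick check for the login and su stacks above, as an added example that is not part of the original wiki page: the shell function reads a PAM service file and verifies that pam_thinkfinger.so is "sufficient" and that a pam_unix password module follows it, so a failed or missing reader still leaves the password path. It assumes plain control keywords (no bracketed [...] controls); the function name check_pam_stack and the sample files are hypothetical.

```shell
#!/bin/sh
# Added example, not from the wiki page. Audits the auth stack of one PAM
# service file. Returns 0 when a finger swipe alone can authenticate AND a
# password module follows as fallback; prints one line per finding.
# Assumption: control fields are plain keywords, not bracketed [...] lists.
check_pam_stack() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        $1 != "auth"         { next }      # only the auth stack is checked
        {
            n++                            # position within the auth stack
            if ($3 ~ /pam_thinkfinger\.so$/) { tf = n; tf_ctl = $2 }
            else if ($3 ~ /pam_unix(_auth)?\.so$/ && !pw) { pw = n }
        }
        END {
            if (!tf) {
                print "FAIL: pam_thinkfinger.so missing from auth stack"; bad = 1
            } else if (tf_ctl != "sufficient") {
                print "FAIL: pam_thinkfinger.so is " tf_ctl ", so a failed swipe cannot fall back to the password"; bad = 1
            }
            if (!pw) {
                print "FAIL: no pam_unix password fallback"; bad = 1
            } else if (tf && pw < tf) {
                print "FAIL: pam_unix runs before pam_thinkfinger"; bad = 1
            }
            if (!bad) print "OK: fingerprint sufficient, password fallback present"
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample input: the su stack shown on this page, and a variant
# with the pam_thinkfinger control flag changed to "required".
demo_dir=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' \
    'auth sufficient pam_rootok.so' \
    'auth sufficient pam_thinkfinger.so' \
    'auth required pam_unix.so use_first_pass nullok_secure' \
    'account required pam_unix.so' \
    'session required pam_unix.so' > "$demo_dir/su"
sed 's/sufficient pam_thinkfinger/required pam_thinkfinger/' \
    "$demo_dir/su" > "$demo_dir/su.bad"

check_pam_stack "$demo_dir/su"
check_pam_stack "$demo_dir/su.bad" || true
```

On a real system, pass it the service file you edited, for example check_pam_stack /etc/pam.d/su.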


/etc/pam.d/xscreensaver

XScreensaver is a bit tricky. First, configure PAM with a file /etc/pam.d/xscreensaver containing:

auth            sufficient      pam_thinkfinger.so
auth            required        pam_unix_auth.so try_first_pass

That alone is not enough, because xscreensaver cannot read from or write to /dev/misc/uinput and /dev/bus/usb*. A udev rule must be written to give a new group read/write access.

First, create a new group. I suggest "fingerprint":

> sudo groupadd fingerprint

Add the user you want to be able to unlock xscreensaver with the fingerprint reader to the group:

> sudo gpasswd -a <user> fingerprint

Don't forget to log out and log in again!

Search for "uinput" and "bus/usb" in your udev rules directory:

> grep -in uinput /etc/udev/rules.d/*
/etc/udev/rules.d/udev.rules:222:KERNEL=="uinput",  NAME="misc/%k", SYMLINK+="%k"
/etc/udev/rules.d/udev.rules:263:KERNEL=="uinput", NAME="input/%k"
> grep -in "bus/usb" /etc/udev/rules.d/*
/etc/udev/rules.d/udev.rules:318:SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664"
/etc/udev/rules.d/udev.rules:320:SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664"

Now copy the lines found above (222, 318 and 320 from /etc/udev/rules.d/udev.rules) to a new udev rules file. I suggest /etc/udev/rules.d/99my.rules:

KERNEL=="uinput",  NAME="misc/%k", SYMLINK+="%k", MODE="0660", GROUP="wheel"
SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664", GROUP="wheel"
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664", GROUP="wheel"

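The only difference between the rules in /etc/udev/rules.d/99my.rules and those in /etc/udev/rules.d/udev.rules should be the addition of MODE="0664", GROUP="wheel" or MODE="0660", GROUP="wheel" at the end of each line. GROUP must name a group the user belongs to, so if you created the "fingerprint" group above, put it there in place of "wheel". The two USB rules match every USB device node, not only the fingerprint reader.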

The last part concerns xscreensaver itself. If you check the xscreensaver binary, you will see it is setuid root:

> ls -l /usr/bin/xscreensaver
-rwsr-sr-x 1 root root 217K aoû  2 20:47 /usr/bin/xscreensaver

Because of this, xscreensaver won't be able to unlock with the fingerprint reader. You need to remove the setuid root bit with:

> sudo chmod -s /usr/bin/xscreensaver
> ls -l /usr/bin/xscreensaver
-rwxr-xr-x 1 root root 217K aoû  2 20:47 /usr/bin/xscreensaver

That's it!

More reading

See these URLs for more information.

http://www.thinkwiki.org/wiki/Talk:How_to_enable_the_fingerprint_reader

http://thinkfinger.sourceforge.net/

http://bbs.archlinux.org/viewtopic.php?id=36134