Difference between revisions of "ThinkFinger"

From ArchWiki
Jump to: navigation, search
(wikify some external links, use https for archlinux.org)
(Major cleanup and conform to the styleguide)
 
(9 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 +
[[Category:Input devices]]
 +
[[Category:Lenovo]]
 
[[es:ThinkFinger]]
 
[[es:ThinkFinger]]
[[Category:Input devices]]
+
[[ja:ThinkFinger]]
[[Category:Laptops]]
+
{{Related articles start}}
 +
{{Related|Fingerprint-gui}}
 +
{{Related|Fprint}}
 +
{{Related articles end}}
  
 
ThinkFinger is a driver for the SGS Thomson Microelectronics fingerprint reader found in older IBM/Lenovo ThinkPads.
 
ThinkFinger is a driver for the SGS Thomson Microelectronics fingerprint reader found in older IBM/Lenovo ThinkPads.
Line 7: Line 12:
 
ThinkWiki has a [http://www.thinkwiki.org/wiki/Integrated_Fingerprint_Reader list of various fingerprint readers] found in ThinkPads. Newer models using different readers might not work with ThinkFinger.
 
ThinkWiki has a [http://www.thinkwiki.org/wiki/Integrated_Fingerprint_Reader list of various fingerprint readers] found in ThinkPads. Newer models using different readers might not work with ThinkFinger.
  
 
+
{{Warning|ThinkFinger-svn revisions above rev 72 require you to load the module {{ic|uinput}}.}}
{{Warning|ThinkFinger-svn revisions above rev 72 require you to load the module <i>uinput</i>!}}
+
 
+
  
 
== Installation ==
 
== Installation ==
Get it from extra:
+
Install {{Pkg|thinkfinger}} from the [[official repositories]].
pacman -S thinkfinger
+
  
 
== Configuration ==
 
== Configuration ==
 +
 
=== TF-Tool ===
 
=== TF-Tool ===
  
Use <i>tf-tool</i> to test ThinkFinger. You'll have to run this as root because a direct access to the usb devices is needed.
+
Use {{ic|tf-tool}} to test ThinkFinger. You will have to run this as root because a direct access to the usb devices is needed.
Run <i>tf-tool --acquire</i> to generate a test.bir and <i>tf-tool --verify</i> to see if it identifies you correctly.
+
Run {{ic|tf-tool --acquire}} to generate a file at {{ic|/etc/pam_thinkfinger/test.bir}} and {{ic|tf-tool --verify}} to see if it identifies you correctly.
<i>tf-tool --add-user <username></i> acquires and stores your fingerprint in <i>/etc/pam_thinkfinger/username.bir</i>, which is needed for an authentication with pam.
+
{{ic|tf-tool --add-user <username>}} acquires and stores your fingerprint in {{ic|/etc/pam_thinkfinger/<username>.bir}}, which is needed for an authentication with pam.
  
 
== Pam ==
 
== Pam ==
PAM is the Pluggable Authentication Module, invented by Sun.  
+
 
 +
[[PAM]] is the Pluggable Authentication Module, invented by Sun.
  
 
=== /etc/pam.d/login ===
 
=== /etc/pam.d/login ===
Change the file <i>/etc/pam.d/login</i> to look like this if you want to use your fingerprint to authenticate yourself on logon:
 
#%PAM-1.0
 
auth sufficient pam_thinkfinger.so
 
auth required pam_unix.so use_first_pass nullok_secure
 
account required pam_unix.so
 
password required pam_unix.so
 
session required pam_unix.so
 
  
 +
Change the file {{ic|/etc/pam.d/login}} to look like this if you want to use your fingerprint to authenticate yourself on logon:
 +
 +
{{hc|/etc/pam.d/login|
 +
#%PAM-1.0
 +
auth sufficient pam_thinkfinger.so
 +
auth required pam_unix.so use_first_pass nullok_secure
 +
account required pam_unix.so
 +
password required pam_unix.so
 +
session required pam_unix.so}}
  
 
=== /etc/pam.d/su ===
 
=== /etc/pam.d/su ===
Change this file to confirm the <i>su</i> command with a finger-swipe!
 
#%PAM-1.0
 
auth            sufficient      pam_rootok.so
 
auth sufficient pam_thinkfinger.so
 
auth required pam_unix.so nullok_secure try_first_pass
 
account required pam_unix.so
 
session required pam_unix.so
 
  
{{Tip|Don't forget to do a <i>tf-tool --add-user root to use this feature</i>!}}
+
Change this file to confirm the {{ic|su}} command with a finger-swipe:
  
 +
{{hc|/etc/pam.d/su|
 +
#%PAM-1.0
 +
auth            sufficient      pam_rootok.so
 +
auth sufficient pam_thinkfinger.so
 +
auth required pam_unix.so nullok_secure try_first_pass
 +
account required pam_unix.so
 +
session required pam_unix.so}}
 +
 +
{{Tip|Do not forget to do a {{ic|tf-tool --add-user root}} to use this feature.}}
  
 
=== /etc/pam.d/sudo ===
 
=== /etc/pam.d/sudo ===
Change this file to confirm the <i>sudo</i> command with a finger-swipe!
 
#%PAM-1.0
 
auth sufficient pam_thinkfinger.so
 
auth required pam_unix.so nullok_secure try_first_pass
 
auth required pam_nologin.so
 
  
+
Change this file to confirm the {{ic|sudo}} command with a finger-swipe:
 +
 
 +
{{hc|/etc/pam.d/su|
 +
#%PAM-1.0
 +
auth sufficient pam_thinkfinger.so
 +
auth required pam_unix.so nullok_secure try_first_pass
 +
auth required pam_nologin.so}}
  
 
=== /etc/pam.d/xscreensaver ===
 
=== /etc/pam.d/xscreensaver ===
XScreensaver is a bit tricky. First, configure PAM with a file "/etc/pam.d/xscreensaver" containing :
+
 
 +
XScreensaver is a bit tricky. First, configure PAM with a file {{ic|/etc/pam.d/xscreensaver}} containing:
 +
 
 +
{{hc|/etc/pam.d/xscreensaver|
 
  auth            sufficient      pam_thinkfinger.so
 
  auth            sufficient      pam_thinkfinger.so
  auth            required        pam_unix_auth.so try_first_pass
+
  auth            required        pam_unix_auth.so try_first_pass}}
  
But it still wont work with only that because xscreensaver cannot read/write from /dev/misc/uinput and /dev/bus/usb*. A udev rule must be written to authorize a new group read/write access.
+
This still won't work because Xscreensaver cannot read/write from {{ic|/dev/misc/uinput}} and {{ic|/dev/bus/usb*}}. A [[udev]] rule must be written to authorize a new group read/write access.
  
First, create a new group. I suggest "fingerprint":
+
First, create a new group, let's say ''fingerprint'':
> sudo groupadd fingerprint
+
Add the user you want to be able to unlock xscreensaver with the fingerprint reader to the group:
+
> sudo gpasswd -a <user> fingerprint
+
Don't forget to logout and login again!
+
  
Search for "uinput" and "bus/usb" in your udev rules directory :
+
  # groupadd fingerprint
  > grep -in uinput /etc/udev/rules.d/*
+
/etc/udev/rules.d/udev.rules:222:KERNEL=="uinput",  NAME="misc/%k", SYMLINK+="%k"
+
/etc/udev/rules.d/udev.rules:263:KERNEL=="uinput", NAME="input/%k"
+
> grep -in "bus/usb" /etc/udev/rules.d/*
+
/etc/udev/rules.d/udev.rules:318:SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664"
+
/etc/udev/rules.d/udev.rules:320:SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664"
+
  
Now copy the previous lines (222, 318 and 320 from /etc/udev/rules.d/udev.rules) to a new udev rules file. I suggest /etc/udev/rules.d/99my.rules
+
Add the user you want to be able to unlock Xscreensaver with the fingerprint reader to the group:
KERNEL=="uinput",  NAME="misc/%k", SYMLINK+="%k", MODE="0660", GROUP="fingerprint"
+
SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664", GROUP="fingerprint"
+
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664", GROUP="fingerprint"
+
The difference between the rules in /etc/udev/rules.d/99my.rules and those in /etc/udev/rules.d/udev.rules should only be the addition of MODE="0664", GROUP="fingerprint" or MODE="0660", GROUP="fingerprint" at the end of the lines.
+
  
After this you must actually give your user permissions to access his own fingerprint file, this can be done as in the following:
+
# gpasswd -a <user> fingerprint
> chown $USERNAME:root /etc/pam_thinkfinger/$USERNAME.bir
+
> chmod 400 /etc/pam_thinkfinger/$USERNAME.bir
+
> chmod o+x /etc/pam_thinkfinger
+
Yes that last one is opening up a directory for execution to everyone so if you're super paranoid you might consider that a security flaw, just putting the warning out there.
+
  
The last part is about xscreensaver. If you check xscreensaver file, you will see it is setuid to root :
+
Logout and login again for the changes to take effect.
> ls -l /usr/bin/xscreensaver
+
-rwsr-sr-x 1 root root 217K aoû  2 20:47 /usr/bin/xscreensaver
+
Because of this, xscreensaver wont be able to unlock with the fingerprint reader. You need to remove the setuid root with :
+
> sudo chmod -s /usr/bin/xscreensaver
+
> ls -l /usr/bin/xscreensaver
+
-rwxr-xr-x 1 root root 217K aoû  2 20:47 /usr/bin/xscreensaver
+
  
That's it!
+
Next, search for ''uinput'' and ''bus/usb'' in your udev rules directory:
 +
 
 +
{{bc|1=
 +
$ grep -in uinput /etc/udev/rules.d/*
 +
 
 +
/etc/udev/rules.d/udev.rules:222:KERNEL=="uinput",  NAME="misc/%k", SYMLINK+="%k"
 +
/etc/udev/rules.d/udev.rules:263:KERNEL=="uinput", NAME="input/%k"
 +
}}
 +
 
 +
{{bc|1=
 +
$ grep -in "bus/usb" /etc/udev/rules.d/*
 +
 
 +
/etc/udev/rules.d/udev.rules:318:SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664"
 +
/etc/udev/rules.d/udev.rules:320:SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664"
 +
}}
 +
 
 +
Copy the lines you found with grep in the previous step to a new udev rules file:
 +
 
 +
{{hc|head=/etc/udev/rules.d/99fingerprint.rules|output=
 +
KERNEL=="uinput",  NAME="misc/%k", SYMLINK+="%k", MODE="0660", GROUP="fingerprint"
 +
SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664", GROUP="fingerprint"
 +
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664", GROUP="fingerprint"}}
 +
 
 +
The difference between the rules in {{ic|/etc/udev/rules.d/99fingreprint.rules}} and those in {{ic|/etc/udev/rules.d/udev.rules}} should only be the addition of {{ic|1=MODE="0664", GROUP="fingerprint"}} or {{ic|1=MODE="0660", GROUP="fingerprint"}} at the end of the lines.
 +
 
 +
After adding the custom udev rules, you should give your user permissions to access their own fingerprint file:
 +
 
 +
{{bc|1=
 +
$ chown $USERNAME:root /etc/pam_thinkfinger/$USERNAME.bir
 +
$ chmod 400 /etc/pam_thinkfinger/$USERNAME.bir
 +
$ chmod o+x /etc/pam_thinkfinger
 +
}}
 +
 
 +
{{Note|The last command is opening up a directory for execution to everyone, beware of the security implications this might have.}}
 +
 
 +
As a last step, you need to remove the root setuid from {{ic|/usr/bin/xscreensaver}}, otherwise Xscreensaver wont be able to unlock with the fingerprint reader:
 +
 
 +
# chmod -s /usr/bin/xscreensaver
  
 
=== /etc/pam.d/gdm ===
 
=== /etc/pam.d/gdm ===
[I am not an expert in PAMs but this works, This section may need corrections]
 
  
Edit <i>/etc/pam.d/gdm</i> as done in sections 3.1 and 3.2
+
{{Accuracy|This section may need corrections.}}
  
add as the first line in the file:  
+
Edit {{ic|/etc/pam.d/gdm}} and add the following line to the top:
auth sufficient pam_thinkfinger.so
+
  
Modify:
+
{{hc|/etc/pam.d/gdm|
auth required pam_unix.so ==> auth required pam_unix.so use_first_pass nullok_secure
+
auth sufficient pam_thinkfinger.so
 +
}}
 +
 
 +
Then modify {{ic|auth required pam_unix.so}} to look like this:
 +
 
 +
{{hc|/etc/pam.d/gdm|
 +
auth required pam_unix.so use_first_pass nullok_secure
 +
}}
  
 
=== /etc/pam.d/xdm ===
 
=== /etc/pam.d/xdm ===
  
Change /etc/pam.d/xdm to look like this:
+
Edit {{ic|/etc/pam.d/xdm}} to look like this:
  
#%PAM-1.0
+
{{hc|/etc/pam.d/xdm|
auth            sufficient      pam_thinkfinger.so
+
#%PAM-1.0
auth            required        pam_unix.so use_first_pass nullok_secure
+
auth            sufficient      pam_thinkfinger.so
auth            required        pam_nologin.so
+
auth            required        pam_unix.so use_first_pass nullok_secure
auth            required        pam_env.so
+
auth            required        pam_nologin.so
account        required        pam_unix.so
+
auth            required        pam_env.so
password        required        pam_unix.so
+
account        required        pam_unix.so
session        required        pam_unix.so
+
password        required        pam_unix.so
session        required        pam_limits.so
+
session        required        pam_unix.so
 +
session        required        pam_limits.so
 +
}}
  
 
== SLiM ==
 
== SLiM ==
  
To have thinkfinger support for the SLiM Login Manager you need to activate PAM support. To achieve this, you have two options:
+
To have thinkfinger support for the [SLiM|SLiM Login Manager], you need to activate PAM support.
 +
 
 +
Get the package source of the slim package from [[ABS]], and edit the [[PKGBUILD]] so that the {{ic|make}} command builds SLiM with PAM support:
 +
 
 +
{{hc|head=SLiM PKGBUILD|output=
 +
make USE_PAM=1
 +
}}
  
'''1. Get the package source''' of the slim package from ABS and change the "make" line in the PKGBUILD:
 
make USE_PAM=1 || return 1
 
 
Rebuild the package and install it.
 
Rebuild the package and install it.
  
'''2. Or use''' [https://aur.archlinux.org/packages.php?ID=17223 the slim-pam package from AUR].
+
Then create {{ic|/etc/pam.d/slim}}:
  
Then create a file /etc/pam.d/slim:
+
{{hc|/etc/pam.d/slim|
#%PAM-1.0
+
#%PAM-1.0
auth            sufficient      pam_thinkfinger.so
+
auth            sufficient      pam_thinkfinger.so
auth            requisite      pam_nologin.so
+
auth            requisite      pam_nologin.so
auth            required        pam_env.so
+
auth            required        pam_env.so
auth            required        pam_unix.so
+
auth            required        pam_unix.so
account        required        pam_unix.so
+
account        required        pam_unix.so
session        required        pam_limits.so
+
session        required        pam_limits.so
session        required        pam_unix.so
+
session        required        pam_unix.so
password        required        pam_unix.so
+
password        required        pam_unix.so
 +
}}
  
Now restart slim and swipe your finger.
+
Now restart SLiM and you may use the fingerprinter to login.
  
 
== Alternative fingerprint reader software ==
 
== Alternative fingerprint reader software ==
Line 151: Line 188:
 
[[Fprint]] is an alternative fingerprint reader software that works with some of the newer ThinkPad fingerprint readers.
 
[[Fprint]] is an alternative fingerprint reader software that works with some of the newer ThinkPad fingerprint readers.
  
== More reading ==
+
== See also ==
 
+
Please see those urls for more info.
+
 
+
http://www.thinkwiki.org/wiki/Talk:How_to_enable_the_fingerprint_reader
+
 
+
http://thinkfinger.sourceforge.net/
+
 
+
https://bbs.archlinux.org/viewtopic.php?id=36134
+
 
+
http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader_with_ThinkFinger
+
  
http://www.thinkwiki.org/index.php?title=Installing_Ubuntu_6.06_on_a_ThinkPad_T43#Fingerprint_Reader
+
* http://www.thinkwiki.org/wiki/Talk:How_to_enable_the_fingerprint_reader
 +
* http://thinkfinger.sourceforge.net/
 +
* https://bbs.archlinux.org/viewtopic.php?id=36134
 +
* http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader_with_ThinkFinger
 +
* http://www.thinkwiki.org/index.php?title=Installing_Ubuntu_6.06_on_a_ThinkPad_T43#Fingerprint_Reader

Latest revision as of 09:35, 8 June 2016

Related articles

ThinkFinger is a driver for the SGS Thomson Microelectronics fingerprint reader found in older IBM/Lenovo ThinkPads.

ThinkWiki has a list of various fingerprint readers found in ThinkPads. Newer models using different readers might not work with ThinkFinger.

Warning: ThinkFinger-svn revisions above rev 72 require you to load the module uinput.

Installation

Install thinkfinger from the official repositories.

Configuration

TF-Tool

Use tf-tool to test ThinkFinger. You will have to run this as root because a direct access to the usb devices is needed. Run tf-tool --acquire to generate a file at /etc/pam_thinkfinger/test.bir and tf-tool --verify to see if it identifies you correctly. tf-tool --add-user <username> acquires and stores your fingerprint in /etc/pam_thinkfinger/<username>.bir, which is needed for an authentication with pam.

Pam

PAM is the Pluggable Authentication Module, invented by Sun.

/etc/pam.d/login

Change the file /etc/pam.d/login to look like this if you want to use your fingerprint to authenticate yourself on logon:

/etc/pam.d/login
#%PAM-1.0
auth		sufficient	pam_thinkfinger.so
auth		required	pam_unix.so use_first_pass nullok_secure
account		required	pam_unix.so
password	required	pam_unix.so
session		required	pam_unix.so

/etc/pam.d/su

Change this file to confirm the su command with a finger-swipe:

/etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth		sufficient 	pam_thinkfinger.so
auth		required	pam_unix.so nullok_secure try_first_pass
account		required	pam_unix.so
session		required	pam_unix.so
Tip: Do not forget to do a tf-tool --add-user root to use this feature.

/etc/pam.d/sudo

Change this file to confirm the sudo command with a finger-swipe:

/etc/pam.d/su
#%PAM-1.0
auth		sufficient 	pam_thinkfinger.so
auth		required	pam_unix.so nullok_secure try_first_pass
auth		required	pam_nologin.so

/etc/pam.d/xscreensaver

XScreensaver is a bit tricky. First, configure PAM with a file /etc/pam.d/xscreensaver containing:

/etc/pam.d/xscreensaver
 auth            sufficient      pam_thinkfinger.so
 auth            required        pam_unix_auth.so try_first_pass

This still won't work because Xscreensaver cannot read/write from /dev/misc/uinput and /dev/bus/usb*. A udev rule must be written to authorize a new group read/write access.

First, create a new group, let's say fingerprint:

# groupadd fingerprint

Add the user you want to be able to unlock Xscreensaver with the fingerprint reader to the group:

# gpasswd -a <user> fingerprint

Logout and login again for the changes to take effect.

Next, search for uinput and bus/usb in your udev rules directory:

$ grep -in uinput /etc/udev/rules.d/*

/etc/udev/rules.d/udev.rules:222:KERNEL=="uinput",  NAME="misc/%k", SYMLINK+="%k"
/etc/udev/rules.d/udev.rules:263:KERNEL=="uinput", NAME="input/%k"
$ grep -in "bus/usb" /etc/udev/rules.d/*

/etc/udev/rules.d/udev.rules:318:SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664"
/etc/udev/rules.d/udev.rules:320:SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664"

Copy the lines you found with grep in the previous step to a new udev rules file:

/etc/udev/rules.d/99fingerprint.rules
KERNEL=="uinput",  NAME="misc/%k", SYMLINK+="%k", MODE="0660", GROUP="fingerprint"
SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664", GROUP="fingerprint"
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664", GROUP="fingerprint"

The difference between the rules in /etc/udev/rules.d/99fingreprint.rules and those in /etc/udev/rules.d/udev.rules should only be the addition of MODE="0664", GROUP="fingerprint" or MODE="0660", GROUP="fingerprint" at the end of the lines.

After adding the custom udev rules, you should give your user permissions to access their own fingerprint file:

$ chown $USERNAME:root /etc/pam_thinkfinger/$USERNAME.bir
$ chmod 400 /etc/pam_thinkfinger/$USERNAME.bir
$ chmod o+x /etc/pam_thinkfinger
Note: The last command is opening up a directory for execution to everyone, beware of the security implications this might have.

As a last step, you need to remove the root setuid from /usr/bin/xscreensaver, otherwise Xscreensaver wont be able to unlock with the fingerprint reader:

# chmod -s /usr/bin/xscreensaver

/etc/pam.d/gdm

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: This section may need corrections. (Discuss in Talk:ThinkFinger#)

Edit /etc/pam.d/gdm and add the following line to the top:

/etc/pam.d/gdm
auth		sufficient 	pam_thinkfinger.so

Then modify auth required pam_unix.so to look like this:

/etc/pam.d/gdm
auth		required	pam_unix.so use_first_pass nullok_secure

/etc/pam.d/xdm

Edit /etc/pam.d/xdm to look like this:

/etc/pam.d/xdm
#%PAM-1.0
auth            sufficient      pam_thinkfinger.so
auth            required        pam_unix.so use_first_pass nullok_secure
auth            required        pam_nologin.so
auth            required        pam_env.so
account         required        pam_unix.so
password        required        pam_unix.so
session         required        pam_unix.so
session         required        pam_limits.so

SLiM

To have thinkfinger support for the [SLiM|SLiM Login Manager], you need to activate PAM support.

Get the package source of the slim package from ABS, and edit the PKGBUILD so that the make command builds SLiM with PAM support:

SLiM PKGBUILD
make USE_PAM=1

Rebuild the package and install it.

Then create /etc/pam.d/slim:

/etc/pam.d/slim
#%PAM-1.0
auth            sufficient      pam_thinkfinger.so
auth            requisite       pam_nologin.so
auth            required        pam_env.so
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_limits.so
session         required        pam_unix.so
password        required        pam_unix.so

Now restart SLiM and you may use the fingerprinter to login.

Alternative fingerprint reader software

Fprint is an alternative fingerprint reader software that works with some of the newer ThinkPad fingerprint readers.

See also