Difference between revisions of "How to enable integrated fingerprint reader with BioAPI"

Disclaimer: This is how I got the fingerprint reader on my T43 to work. It can _NOT_ yet be used to log me into the system. Working on that.

This is on Ubuntu Breezy.

Basic driver installation

Getting required libs and tools

Installing the bioapi source

• Get the bioapi source:

$ wget http://www.qrivy.net/~michael/blua/bioapi/bioapi-1.2.2.tar.bz2

• I could not compile bioapi with the graphical Qt tools. To do it manually, do the following:

$ tar xjf bioapi-1.2.2.tar.bz2

$ cd bioapi-1.2.2

$ ./configure --with-Qt-dir=no

$ make

and then as root

# make install

and if you want to compile pam_bioapi for auth later

# cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include

Be aware that checkinstall will not work!

Installing the driver

• Download TFMESS_BSP_LIN_1.0beta2.zip from http://www.qrivy.net/~michael/blua/upek-bsp.html and unzip it into a seperate folder, as it will not create one.
• Change to that folder and do as root:

# sh install.sh

# chmod 777 -R /usr/local/var/bioapi/

Actually this depends on where you installed, if you did as suggested, it should work. Otherwise you probably know what you're doing anyways. :)

# touch /var/log/BSP.log && chmod 666 /var/log/BSP.log

# chmod -R a+X /proc/bus/usb

# chmod 666 /proc/bus/usb/`lsusb | grep "0483:2016" | sed -e "s/Bus\ \(.*\)\ Device\ \(.*\):\ .*/\1\/\2/"`

It might be nessecary to put the above line into a startup script somewhere.

Testing the driver

Go to the folder where you extracted TFMESS_BSP_LIN_1.0beta2.zip and do:

# cd NonGUI_Sample

# chmod +x Sample

# ./Sample

If it doesn't work, ask for help at: t43fingerprint (at) badcode.de

GDM Login via pam_bioapi

Getting required libs & tools

Installing pam_bioapi

• Get and compile the pam_bioapi module.

$ wget http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-0.2.1.tar.bz2

$ tar xjf pam_bioapi-0.2.1.tar.bz2

$ cd pam_bioapi-0.2.1

$ wget http://badcode.de/downloads/fingerprint.patch

$ patch -p0 < fingerprint.patch

If you want to, review the patch. In general you should review all code you download and compile, if possible.

The patch comes from this thread.

$ ./configure && make

and as root

# make install

# cp /usr/local/lib/security/* /lib/security/

• Use the sample tool from the fingerprint reader to create <username>.bir

<username> must be the username you want to login with, gdm will probably break for any login name that has no .bir file.

• As root do:

# BioAPITest | grep -A2 Fingerprint | tail -n1 | cut -b 12-

It should print something like

{5550454b2054464d2f45535320425350}

If it does, do:

# mkdir /etc/bioapi1.10/pam`BioAPITest | grep -A2 Fingerprint | tail -n1 | cut -b 12-`

# cp <username>.bir /etc/bioapi1.10/pam`BioAPITest | grep -A2 Fingerprint | tail -n1 | cut -b 12-`

Configuring pam

The following part is distribution specific. On Ubuntu you can modify /etc/pam.d/common-auth (on Gentoo it is file /etc/pam.d/system-auth) to look like this:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    sufficient      pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam/
password   sufficient   pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam/
auth    required        pam_unix.so nullok_secure

With this modification pam immediatelly starts to use the fingerprint reader to do local authorization (e.g. sudo/gdm use the fingerprint reader).

Now gdm should pop up an (ugly) image to swipe your finger and... magic - you can login without a password.

Make xscreensaver use the scanner

$ wget http://www.jwz.org/xscreensaver/xscreensaver-4.23.tar.gz

$ tar xzf xscreensaver-4.23.tar.gz

$ cd xscreensaver-4.23

$ wget http://nax.hn.org/pub/bioapi/xscreensaver-4.22_alternativeAuth.diff

after reviewing the patch (it's small and straightforward)

$ patch -p1 < xscreensaver-4.22_alternativeAuth.diff

The patch should apply with some offset, don't mind that. If it says something about rejected though, then there's a problem. This patch prevents xscreensaver from opening an authentification window and dispatches the authentification request to another program, in our case pam ans pam_bioapi.

$ ./configure --with-pam && make

now as root

# make install

Make sure that the newly compiled xscreensaver is used

$ which xscreensaver

should return

/usr/local/bin/xscreensaver

if it doesn't try:

$ {{{1}}}

and retry

$ xscreensaver-command -exit

kills your running instance of xscreensaver make sure you have the following line in your ~/.xscreensaver:

alternativeAuth: True

now look at /etc/pam.d/xscreensaver. If you're on ubuntu breezy and you have already changed /etc/pam.d/common-auth you should be good to go. Otherwise check that the following line is at the top of the file:

auth    sufficient      pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam

start the new xscreensaver

$ xscreensaver

there should be a splash screen with the version 4.23

now try with

$ xscreensaver-command -lock

If you have questions or problems with this procedure, ask: t43fingerprint (at) badcode.de .