Difference between revisions of "How to enable integrated fingerprint reader with BioAPI"

From ThinkWiki
Jump to: navigation, search
m (The history page can show messages like that (use "Summary)
(Bioapi error #3: add category)
 
(91 intermediate revisions by 39 users not shown)
Line 2: Line 2:
 
|style="vertical-align:top;padding-right:20px;width:10px;white-space:nowrap;" | __TOC__
 
|style="vertical-align:top;padding-right:20px;width:10px;white-space:nowrap;" | __TOC__
 
|style="vertical-align:top" |
 
|style="vertical-align:top" |
This page describes the process of getting the [[Integrated Fingerprint Reader|integrated fingerprint reader]] to work under Linux. It is based on experiences in {{Ubuntu}} on a T43. The same works on {{Fedora}} 4, SuSE 9.3, SuSE 10, and {{Gentoo}}.
+
This page describes the process of getting the [[Integrated Fingerprint Reader|integrated fingerprint reader]] to work under Linux using [[BioAPI]] and binary-only drivers. It is based on experiences in {{Ubuntu}} on a T43. The same works on {{Fedora}} 4 and 5, RHEL4, SuSE 9.3, SuSE 10, and {{Gentoo}}. Note that experimental open-source driver is available, see [[How to enable the integrated fingerprint reader with ThinkFinger|the apropriate page]] for details.
 
|}
 
|}
  
Line 8: Line 8:
 
===Installing the bioapi framework===
 
===Installing the bioapi framework===
 
====Automated installation script====
 
====Automated installation script====
The [[Script for enabling the fingerprint reader]] automates the installation of most components (bioapi framework, driver, pam_bioapi, pam setup, device permissions, pamtester and enrolling), for some Linux distributions.
+
The [[Script for enabling the fingerprint reader with BioAPI]] automates the installation of most components (bioapi framework, driver, pam_bioapi, pam setup, device permissions, pamtester and enrolling), for some Linux distributions.
  
 
====Binary packages====
 
====Binary packages====
=====Debian=====
+
 
*If you're using {{Debian}} Sid (the unstable branch) you can try the packages from Michael R. Crusoe's site, either [http://www.qrivy.net/~michael/temp/ version 1.2.3] (recommended) or [http://www.qrivy.net/~michael/debs/unstable/ older versions] which might not work with the steps in this howto.
+
Note that these packages only take care of this one section. If you can use one, you should do so and then proceed to the section entitled, Installing and Configuring the Driver.
*This seems to work for {{Ubuntu}} Breezy/Dapper too, so save yourself some trouble and grab it.
+
 
 +
=====Debian/ Ubuntu Dapper=====
 +
*If you're using {{Debian}} Sid (the unstable branch) or {{Ubuntu}} Dapper Drake 6.06 LTS you can try the packages from Michael R. Crusoe's site, either [http://www.qrivy.net/~michael/temp/ version 1.2.3] (recommended) or [http://www.qrivy.net/~michael/debs/unstable/ older versions] which might not work with the steps in this howto.
 +
 
 +
{{HINT|Ignore the warning about not finding ''/usr/lib/libqtpwbsp.so'', it's not fatal.}}
 +
 
 
=====Gentoo=====
 
=====Gentoo=====
You can either grab the [http://www.qrivy.net/~michael/blua/bioapi/bioapi-1.2.2.ebuild.tar.bz2 ebuild], or use the source-install procedure below.
+
Gentoo now includes needed ebuilds. Just run
 +
 
 +
''ACCEPT_KEYWORDS=~x86 emerge pam_bioapi''
 +
 
 +
You can also grab the [http://www.qrivy.net/~michael/blua/bioapi/bioapi-1.2.2.ebuild.tar.bz2 ebuild], or use the source-install procedure below.
  
 
Also see [http://toe.ch/~tsa/ibm-fingerprint/ http://toe.ch/~tsa/ibm-fingerprint/] for alternative documentation on installing on Gentoo including ebuilds for all the packages used.
 
Also see [http://toe.ch/~tsa/ibm-fingerprint/ http://toe.ch/~tsa/ibm-fingerprint/] for alternative documentation on installing on Gentoo including ebuilds for all the packages used.
 +
 +
=====Fedora Core=====
 +
RPM packages for Fedora Core and installation instructions are available [[Installing Fedora Core 5 on a ThinkPad X41 Tablet#Fingerprint_Reader|here]]
  
 
====Installing from source====
 
====Installing from source====
*Get the bioapi source:
+
{{HINT|
:{{cmduser|wget http://www.qrivy.net/~michael/blua/bioapi/bioapi-latest.tar.bz2}}
+
For Ubuntu you'll need at least these packages, or building will fail:
*I could not compile bioapi with the graphical Qt tools. To do it manually, do the following:
+
* build-essential
:{{cmduser|tar xjf bioapi-latest.tar.bz2}}
+
* automake
:{{cmduser|cd bioapi-1.2.2}}
+
* libqt3-headers
:{{cmduser|1=./configure --with-Qt-dir=no}}
+
}}
 +
* Get the bioapi source and extract the files to a directory of your choice:
 +
:{{cmduser|wget http://bioapi-linux.googlecode.com/files/bioapi_1.2.3.tar.gz}}
 +
:{{cmduser|tar xzf bioapi_1.2.3.tar.gz}}
 +
* Edit the configure file to patch a bug.  At line 25975, change
 +
:<code>bnv_qt_LIBS="-l$bnv_qt_lib_dir $LIBS"</code>
 +
:to
 +
:<code>bnv_qt_LIBS="-L$bnv_qt_lib_dir $LIBS"</code>
 +
* There is a bug in <code>framework/mds_util_api/mds_app_util.c</code>.  At line 31, change <code>#elif</code> to <code>#else</code>.
 +
* Optional: By default, bioapi will install several files in {{path|/usr/local/bin}}, including files with "self-explanatory" names such as {{path|/usr/local/bin/Sample}}. To prevent this pollution:
 +
:Create a dedicated directory, for example {{path|/opt/bioapi}} .
 +
:Append <tt>--prefix=/opt/bioapi</tt> to the above <tt>./configure</tt> command.
 +
:Append {{path|/opt/bioapi/bin}} to <tt>$PATH</tt> and {{path|/opt/bioapi/lib}} to <tt>$LD_LIBRARY_PATH</tt>.
 +
:When installing the driver (below), tell it the new install path: {{cmdroot|sh install.sh /opt/bioapi/lib}}
 +
* Compile bioapi:
 +
:{{cmduser|cd bioapi-1.2.3}}
 +
:{{cmduser|1=./configure}}
 
:{{cmduser|make}}
 
:{{cmduser|make}}
 
:and then as root
 
:and then as root
 
:{{cmdroot|make install}}
 
:{{cmdroot|make install}}
:If make install fails, be sure you're root and then:
+
* If configure fails when checking the Qt installation, you may need to manually specify the Qt lib directory and Qt lib name.  For example:
 +
:{{cmduser|1=./configure --with-Qt-lib-dir=/usr/lib/qt3 --with-Qt-lib=qt-mt}}
 +
:or you can compile without the graphical Qt tools:
 +
:{{cmduser|1=./configure --with-Qt-dir=no}}
 +
* If make install fails, be sure you're root and then:
 
:{{cmdroot|1=export LD_LIBRARY_PATH=/usr/local/lib}}
 
:{{cmdroot|1=export LD_LIBRARY_PATH=/usr/local/lib}}
 
:{{cmdroot|make install}}
 
:{{cmdroot|make install}}
:and if you want to compile pam_bioapi for auth later
+
:and if you want to compile [http://code.google.com/p/pam-bioapi/ pam_bioapi] for auth later
 
:{{cmdroot|cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include}}
 
:{{cmdroot|cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include}}
 
:Be aware that checkinstall will not work!
 
:Be aware that checkinstall will not work!
:(I got through configure with Qt, but got a cryptic build error.  It all worked fine with Qt disabled as above)
 
:buzz: This is due to a wrong qt include path, set it manually in configure and everything should work.
 
*Bioapi (at least version 1.2.2) doesn't compile with GCC4. You need to patch it:
 
:{{cmduser|wget http://upir.cz/linux/patches/bioapi-1.2.2-gcc4.patch}}
 
:{{cmduser|patch -p1 < bioapi-1.2.2-gcc4.patch}}
 
* By default, bioapi will install numerous files in {{path|/usr/local/<nowiki>{</nowiki>bin,lib,include<nowiki>}</nowiki>}}, including files with "self-explanatory" names such as {{path|/usr/local/bin/Sample}}. To prevent this pollution:
 
:Create a dedicated directory, for example {{path|/opt/bioapi}} .
 
:Append <tt>--prefix=/opt/bioapi</tt> to the above <tt>./configure</tt> command.
 
:Append {{path|/opt/bioapi/bin}} to <tt>$PATH</tt> and {{path|/opt/bioapi/lib}} to <tt>$LD_LIBRARY_PATH</tt>.
 
:When installing the driver (below), tell it the new install path: {{cmdroot|sh install.sh /opt/bioapi/lib}}
 
  
 
====Adjusting ldconfigs library search path====
 
====Adjusting ldconfigs library search path====
Line 58: Line 80:
 
===Installing and configuring the driver===
 
===Installing and configuring the driver===
 
====Installing the driver====
 
====Installing the driver====
*Download {{path|TFMESS_BSP_LIN_1.0.zip}} from the [http://www.upek.com/support/dl_linux_bsp.asp UPEK support site] and unzip it into a seperate folder, as it will not create one.
+
*Download {{path|TFMESS_BSP_LIN_1.0.zip}} from the [http://www.upek.com/solutions/pc_and_networking/sdks/linux/DownloadBSP.asp UPEK support site] and unzip it into a seperate folder, as it will not create one.
 
*Change to that folder and do as root:
 
*Change to that folder and do as root:
 
:{{cmdroot|sh install.sh}}
 
:{{cmdroot|sh install.sh}}
:If you're running Gentoo, use
+
:If you're running Gentoo, Debian or Ubuntu Dapper, use
 
:{{cmdroot|sh install.sh /usr/lib}}
 
:{{cmdroot|sh install.sh /usr/lib}}
 +
{{HINT|
 +
For me it didn't work this way, but following did:
 +
:sh install.sh /usr/local/lib
 +
greetings, tec}}
 +
{{HINT|On my debian install I had to "cp libtfmessbsp.so /usr/lib" to avoid a errormessage during "sh install.sh /usr/lib": "Could not find file:/usr/lib/libtfmessbsp.so"}}
 
:If that fails, it may be that make install failed up above -- try setting LD_LIBRARY_PATH, do the make install again, and come back here and try this again.  You also need {{cmd|mod_install|}} from bioapi in your PATH.
 
:If that fails, it may be that make install failed up above -- try setting LD_LIBRARY_PATH, do the make install again, and come back here and try this again.  You also need {{cmd|mod_install|}} from bioapi in your PATH.
 +
:May there still occures and error, which means mod_install: command not found.
 +
:Then login as root - not su!
 +
:Do this:
 +
:{{cmdroot|sh install.sh}}
 +
:again. It should work. SU to root does not work since then the /usr/local/bin directory is not used per default.
 +
 
====Configuring permissions for non-root use====
 
====Configuring permissions for non-root use====
 
If you want to use PAM-aware applications like xscreensaver that are NOT running with root permissions (as opposed to login, gdm or other authentication mechanisms), you may need to do all or at least some of the things in this section.  More details on what is necessary on which distributions would be greately appreciated.
 
If you want to use PAM-aware applications like xscreensaver that are NOT running with root permissions (as opposed to login, gdm or other authentication mechanisms), you may need to do all or at least some of the things in this section.  More details on what is necessary on which distributions would be greately appreciated.
Line 80: Line 113:
 
:{{cmdroot|groupadd -r bioapi}}
 
:{{cmdroot|groupadd -r bioapi}}
 
:{{cmdroot|groupadd -r usbfs}}
 
:{{cmdroot|groupadd -r usbfs}}
 +
:{{cmdroot|usermod -G bioapi,usbfs yournormaluser}}
 +
On {{Fedora}} this is done with
 +
:{{cmdroot|groupadd bioapi}}
 +
:{{cmdroot|groupadd usbfs}}
 
:{{cmdroot|usermod -G bioapi,usbfs yournormaluser}}
 
:{{cmdroot|usermod -G bioapi,usbfs yournormaluser}}
  
Line 93: Line 130:
 
:{{cmdroot|chmod 660 /proc/bus/usb/`lsusb <nowiki>|</nowiki> sed -ne "/0483:2016/s/Bus\ \(.*\)\ Device\ \(.*\):\ .*/\1\/\2/p"`}}
 
:{{cmdroot|chmod 660 /proc/bus/usb/`lsusb <nowiki>|</nowiki> sed -ne "/0483:2016/s/Bus\ \(.*\)\ Device\ \(.*\):\ .*/\1\/\2/p"`}}
 
:You may need to replace {{cmd|lsusb|}} with its full path, which is something like {{cmd|/sbin/lsusb|}} or {{cmd|/usr/bin/lsusb|}} depending on your distro.  It might be necessary to put these lines into a script which is run at startup and resume from suspend/hibernate.
 
:You may need to replace {{cmd|lsusb|}} with its full path, which is something like {{cmd|/sbin/lsusb|}} or {{cmd|/usr/bin/lsusb|}} depending on your distro.  It might be necessary to put these lines into a script which is run at startup and resume from suspend/hibernate.
 +
In {{Fedora}} {{cmd|lsusb|}} is not installed by default. To intall it just type:
 +
:{{cmdroot|yum install usbutils}}
 +
 
*As an alternative to the {{cmd|chown|}}/{{cmd|chmod|}} commands above, you can set mount options for usbfs with a line in {{path|/etc/fstab|}}; an example would be
 
*As an alternative to the {{cmd|chown|}}/{{cmd|chmod|}} commands above, you can set mount options for usbfs with a line in {{path|/etc/fstab|}}; an example would be
 
  none /proc/bus/usb usbfs defaults,devgid=108,devmode=0660,busgid=108,busmode=0770,listgid=108,listmode=0660 0 0
 
  none /proc/bus/usb usbfs defaults,devgid=108,devmode=0660,busgid=108,busmode=0770,listgid=108,listmode=0660 0 0
 
:where 108 is replaced with the numerical group ID of the usbfs group (you can determine this with something like {{cmd|cat /etc/group <nowiki>|</nowiki> grep usbfs <nowiki>|</nowiki> cut -d':' -f 3|}}).  Make sure you only have one {{path|/proc/bus/usb}} entry in {{path|/etc/fstab}}.  See the {{cmd|mount(8)|}} manpage for more information on these options.  This is "cleaner" but seems to have a few weird issues -- see the talk page for details.
 
:where 108 is replaced with the numerical group ID of the usbfs group (you can determine this with something like {{cmd|cat /etc/group <nowiki>|</nowiki> grep usbfs <nowiki>|</nowiki> cut -d':' -f 3|}}).  Make sure you only have one {{path|/proc/bus/usb}} entry in {{path|/etc/fstab}}.  See the {{cmd|mount(8)|}} manpage for more information on these options.  This is "cleaner" but seems to have a few weird issues -- see the talk page for details.
*You may also have files in {{path|/dev/bus/usb}}, which the driver will try before {{path|/proc/bus/usb}}.  If this is another usbfs mount point ({{cmd|mount|}} shows a line containing {{cmdresult|/dev/bus/usb type usbfs}}), then simply follow the above instructions with {{path|/dev/bus/usb}} rather than {{path|/proc/bus/usb}}.  Otherwise, you may be running a new kernel (i.e. 2.6.15) that makes usbfs-like files available through {{path|/dev/bus/usb}}. On systems running udev these files are dynamically created; you can configure their permissions by editing a udev config file.  On Debian this is done by changing the <tt>usb_device</tt> line of {{path|/etc/udev/permissions.rules}} to read
+
*You may also have files in {{path|/dev/bus/usb}}, which the driver will try before {{path|/proc/bus/usb}}.  If this is another usbfs mount point ({{cmd|mount|}} shows a line containing {{cmdresult|/dev/bus/usb type usbfs}}), then simply follow the above instructions with {{path|/dev/bus/usb}} rather than {{path|/proc/bus/usb}}.  Otherwise, you may be running a new kernel (i.e. 2.6.15) that makes usbfs-like files available through {{path|/dev/bus/usb}}.
 +
*On systems running udev these files are dynamically created; you can configure their permissions by editing a udev config file.  On Debian this is done by changing the <tt>usb_device</tt> line of {{path|/etc/udev/permissions.rules}} to read
 
  SUBSYSTEM=="usb_device", MODE="0660", GROUP="usbfs"
 
  SUBSYSTEM=="usb_device", MODE="0660", GROUP="usbfs"
 
*For the beta versions only, there is a logfile, which needs to exist with the proper permissions:
 
*For the beta versions only, there is a logfile, which needs to exist with the proper permissions:
Line 104: Line 145:
 
* To increase the security level (minimize false accept rate), set this in {{path|/etc/tfmessbsp.cfg}}:
 
* To increase the security level (minimize false accept rate), set this in {{path|/etc/tfmessbsp.cfg}}:
 
  security-level="5"
 
  security-level="5"
 +
{{WARN|Please see discussion section Security Level!}}
  
 
===Testing the driver and enrolling a fingerprint===
 
===Testing the driver and enrolling a fingerprint===
Line 111: Line 153:
 
:Edit {{path|main.c|}} and remove (or comment out) the line
 
:Edit {{path|main.c|}} and remove (or comment out) the line
 
  #include "port/bioapi_port.h"
 
  #include "port/bioapi_port.h"
 +
:then add the line
 +
#include <stdlib.h>
 
:{{cmdroot|gcc -o Sample main.c -L/usr/local/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN}}
 
:{{cmdroot|gcc -o Sample main.c -L/usr/local/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN}}
 
:{{cmdroot|./Sample}}
 
:{{cmdroot|./Sample}}
Line 116: Line 160:
 
:You can try to "e"nroll (to record a fingerprint for an account) and then "v"erify (to test a fingerprint against the one it expects for an account).
 
:You can try to "e"nroll (to record a fingerprint for an account) and then "v"erify (to test a fingerprint against the one it expects for an account).
 
:You'll save a step later if you use your own login username as the username to enroll here.
 
:You'll save a step later if you use your own login username as the username to enroll here.
 +
:If running {{cmd |./Sample|}} produces the error message 'BioAPI_ModuleLoad failed, BioAPI Error Code: 6477 (0x194d)'
 +
:then uncommenting the line
 +
://BioAPI_SetGUICallbacks(gModuleHandle, NULL, NULL,TextGuiCallback, NULL);
 +
:in {{path|main.c|}} can help.
  
 
==Login via pam_bioapi==
 
==Login via pam_bioapi==
Line 127: Line 175:
 
:In general, you will need pam itself (standard for most distros) as well as the pam development files (probably an optional package for your distro).
 
:In general, you will need pam itself (standard for most distros) as well as the pam development files (probably an optional package for your distro).
 
*Get and compile the pam_bioapi module.
 
*Get and compile the pam_bioapi module.
 +
{{HINT|A new version, pam_bioapi 0.3.0, with multi-finger and identification support can be found [http://www.nax.cz/pub/bioapi/pam_bioapi/pam-bioapi_0.3.0.tar.gz here].
 +
There's work in progress. pam_bioapi and biometrics-manager can be downloaded [http://download.savannah.gnu.org/releases/pam-bioapi/ here].}}
 
:{{cmduser|wget http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2}}
 
:{{cmduser|wget http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2}}
 
:{{cmduser|tar xjf pam_bioapi-latest.tar.bz2}}
 
:{{cmduser|tar xjf pam_bioapi-latest.tar.bz2}}
Line 132: Line 182:
 
:{{cmduser|wget http://badcode.de/downloads/fingerprint.patch}}
 
:{{cmduser|wget http://badcode.de/downloads/fingerprint.patch}}
 
:{{cmduser|patch -p0 < fingerprint.patch}}
 
:{{cmduser|patch -p0 < fingerprint.patch}}
:If you want to, review the patch. In general you should review all code you download and compile, if possible. The patch comes from [http://linuxbiometrics.com/modules/newbb/viewtopic.php?viewmode=flat&topic_id=80&forum=1 this thread].
+
:If you want to, review the patch. In general you should review all code you download and compile, if possible.
:{{cmduser|./configure && make}}
+
:{{cmduser|<nowiki>./configure --libdir=/lib && make </nowiki>}}
 
:and as root
 
:and as root
 
:{{cmdroot| make install}}
 
:{{cmdroot| make install}}
:{{cmdroot| cp /usr/local/lib/security/* /lib/security/}}
 
 
{{NOTE|If you get a 'rpl_malloc' error in /var/log/auth.log when trying to use the fingerprint reader, redo these steps and remove the related term from Makefile after running ./configure. (FC3, Debian etch)}}
 
{{NOTE|If you get a 'rpl_malloc' error in /var/log/auth.log when trying to use the fingerprint reader, redo these steps and remove the related term from Makefile after running ./configure. (FC3, Debian etch)}}
 +
*If you get 'configure: error: cannot find required header: security/_pam_macros.h' and are on a Debian-like system, do "apt-get install libpam0g-dev" and try again. If you are using a Mandriva distribution, do "urpmi libpam0-devel" instead.
 +
*If you get 'configure: error: cannot find required header: security/pam_modules.h' and are on a Debian-like system, do "apt-get install libpam0g-dev" and try again.
 +
*If you get 'configure: error: cannot find required header: sqlite3.h' and are on a Debian-like system, do "apt-get install libsqlite3-dev" and try again.
 +
*If you get 'make: msgfmt: command not found' and are on a Debian-like system, do "apt-get install gettext" and try again.
 
*If you get 'PAM [dlerror: /lib/security/pam_bioapi.so: undefined symbol: BioAPIMemoryFuncs]' error in your syslog, replace 'LIBS = ' line in {{path|libpam_bioapi/makefile}} with the following (of course, replace {{path|/opt/bioapi/}} with the path where you installed bioapi):
 
*If you get 'PAM [dlerror: /lib/security/pam_bioapi.so: undefined symbol: BioAPIMemoryFuncs]' error in your syslog, replace 'LIBS = ' line in {{path|libpam_bioapi/makefile}} with the following (of course, replace {{path|/opt/bioapi/}} with the path where you installed bioapi):
 
  LIBS = -L/opt/bioapi/lib -lbioapi100 -lbioapi_mds300 -lmds_util
 
  LIBS = -L/opt/bioapi/lib -lbioapi100 -lbioapi_mds300 -lmds_util
Line 200: Line 253:
 
from {{path|/etc/pam.d/bioapi}}.
 
from {{path|/etc/pam.d/bioapi}}.
  
{{WARN|If su/sudo expects to receive the root password (SuSE 10), you need to have fingerprint settings for root (that is, copy in a root.bir as well as a your-username.bir).  Otherwise, they get a segmentation fault.  Which is a little unfortunate, given that you need to su or sudo to change your settings...}}
+
{{WARN|If su/sudo expects to receive the root password (SuSE 10), you need to have fingerprint settings for root (that is, copy in a root.bir as well as a your-username.bir).  Otherwise, they get a segmentation fault.  Which is a little unfortunate, given that you need to su or sudo to change your settings... }}
 
+
{{WARN|Not only SuSE 10 requires root.bir to be available for su to work. Just make sure you have root.bir when su is not working with your fingerprint reader but other applications are...}}
 
Note that sshd may pick up the fingerprint settings from {{path|/etc/pam.d/common-auth}}.  I didn't want that, so I removed the "auth include common-auth" line from {{path|/etc/pam.d/sshd}} and replaced it with the lines that were originally in my {{path|/etc/pam.d/common-auth}}.  That way most local services use the fingerprint reader, but sshd does not.
 
Note that sshd may pick up the fingerprint settings from {{path|/etc/pam.d/common-auth}}.  I didn't want that, so I removed the "auth include common-auth" line from {{path|/etc/pam.d/sshd}} and replaced it with the lines that were originally in my {{path|/etc/pam.d/common-auth}}.  That way most local services use the fingerprint reader, but sshd does not.
 +
 +
{{NOTE|su/sudo will call for your fingerprint even if you are remote via ssh.  Pressing *CTLR-c* (or closing graphic window) will allow you the desired password option.}}
  
 
Another way to do this is to create a file ({{path|/etc/pam.d/bioapi|}} for example) which contains the {{cmd|pam_bioapi.so|}} lines, and explicitly {{cmd|@include|}} this '''before''' {{path|/etc/pam.d/common-auth|}} in the files for services which should use the fingerprint reader.  In this case you should leave {{path|/etc/pam.d/common-auth|}} alone.
 
Another way to do this is to create a file ({{path|/etc/pam.d/bioapi|}} for example) which contains the {{cmd|pam_bioapi.so|}} lines, and explicitly {{cmd|@include|}} this '''before''' {{path|/etc/pam.d/common-auth|}} in the files for services which should use the fingerprint reader.  In this case you should leave {{path|/etc/pam.d/common-auth|}} alone.
Line 211: Line 266:
  
 
{{HINT|The setup described above will/could affect remote ssh logins to also use biometric logins, which is a bit silly (who wants to remote ssh to the laptop, and then have to walk over to it and swipe your finger)<br />To avoid that you can copy the default <tt>/etc/pam.d/system-auth</tt> to <tt>/etc/pam.d/sshd</tt> which will allow the sshd service to use the standard authentication procedure.}}
 
{{HINT|The setup described above will/could affect remote ssh logins to also use biometric logins, which is a bit silly (who wants to remote ssh to the laptop, and then have to walk over to it and swipe your finger)<br />To avoid that you can copy the default <tt>/etc/pam.d/system-auth</tt> to <tt>/etc/pam.d/sshd</tt> which will allow the sshd service to use the standard authentication procedure.}}
 +
 +
 +
----
 +
 +
To enable normal password authorization to work with remote SSH in {{SUSE}} 10.3, edit the <tt>/etc/pam.d/sshd</tt> file. Remove all entries and replace them with:
 +
 +
auth    required        pam_env.so
 +
auth    required        pam_unix2.so
 +
auth    required        pam_nologin.so
 +
account required        pam_unix2.so
 +
password required      pam_pwcheck.so  nullok
 +
password required      pam_unix2.so    nullok use_first_pass use_authtok
 +
session required        pam_limits.so
 +
session required        pam_unix2.so
 +
 +
{{NOTE|These entries are what common-auth normally does. Since we've changed common-auth around for bioapi, these need to be specified manually. -Ransak}}
 +
 +
----
  
 
You can do some useful testing with [http://pamtester.sourceforge.net/ {{cmd|pamtester|}}], which calls the pam modules as if it were a program of your choice.  Examples:
 
You can do some useful testing with [http://pamtester.sourceforge.net/ {{cmd|pamtester|}}], which calls the pam modules as if it were a program of your choice.  Examples:
Line 221: Line 294:
  
 
Here is the behaviour of the most common ones:
 
Here is the behaviour of the most common ones:
* gdm should pop up an (ugly) image to swipe your finger and... magic - you can login without a password.
+
* In gdm enter your username and there should pop up an (ugly) image to swipe your finger and... magic - you can login without a password.
 
* kdm doesn't give any visual indication, other than that the cursor stops blinking. Just swipe your finger and hope it lets you log in.
 
* kdm doesn't give any visual indication, other than that the cursor stops blinking. Just swipe your finger and hope it lets you log in.
* In xdm, enter your username and a blank password, then swipe (there is no popup as well).
+
* In xdm, enter your username and a blank password, then swipe (there is no popup as well). Identification support for xdm can be achieved with [http://www.nax.cz/pub/bioapi/2005/xdm/xdm_bio.patch this patch].
 
* The KDE screen saver in SUSE 10 requires you to enter an empty password (or select the correct user and then enter an empty password) in order to get the fingerprint prompt.
 
* The KDE screen saver in SUSE 10 requires you to enter an empty password (or select the correct user and then enter an empty password) in order to get the fingerprint prompt.
 
* For Fedora users, the redhat-config tools will crash if no root.bir presents. Also, there won't be any visual idication unless X server is properly configured for root to access. Just swipe your finger when the HDD stopped blinking or issue the following command in advance:
 
* For Fedora users, the redhat-config tools will crash if no root.bir presents. Also, there won't be any visual idication unless X server is properly configured for root to access. Just swipe your finger when the HDD stopped blinking or issue the following command in advance:
 
:{{cmduser|xhost +local:}}
 
:{{cmduser|xhost +local:}}
 +
* For RHEL4 users gdm, console (virtual terminal) logins and the xscreensaver all work
  
 
===kdm support===
 
===kdm support===
Line 238: Line 312:
 
* In {{path|/etc/pam.d/xdm}} file, add {{path|/var/lib/xdm/kdm_env}} as a third parameter for {{path|pam_bioapi.so}} module:
 
* In {{path|/etc/pam.d/xdm}} file, add {{path|/var/lib/xdm/kdm_env}} as a third parameter for {{path|pam_bioapi.so}} module:
 
  auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/ /var/lib/xdm/kdm_env
 
  auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/ /var/lib/xdm/kdm_env
 +
* On Ubuntu simply do:
 +
echo "DISPLAY=$DISPLAY" >> /var/lib/kdm/kdm_env
 +
* If you have created /etc/pam.d/bioapi then modify:
 +
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/ /var/lib/kdm/kdm_env
 +
  
 
Please note, that this won't work if you have more than one Xserver.
 
Please note, that this won't work if you have more than one Xserver.
  
 
==Make xscreensaver use the scanner==
 
==Make xscreensaver use the scanner==
 +
If you are using Gentoo, you can get a portage overlay with the necessary patches here: http://dl.getdropbox.com/u/869/xscreensaver-fingerprint-overlay.tar.gz
 
*Get the needed xscreensaver sources:
 
*Get the needed xscreensaver sources:
 
:{{cmduser|wget http://www.jwz.org/xscreensaver/xscreensaver-4.23.tar.gz}}
 
:{{cmduser|wget http://www.jwz.org/xscreensaver/xscreensaver-4.23.tar.gz}}
 
:{{cmduser|tar xzf xscreensaver-4.23.tar.gz}}
 
:{{cmduser|tar xzf xscreensaver-4.23.tar.gz}}
 
:{{cmduser|cd xscreensaver-4.23}}
 
:{{cmduser|cd xscreensaver-4.23}}
:{{cmduser|wget http://nax.hn.org/pub/bioapi/xscreensaver-4.22_alternativeAuth.diff}}
+
:{{cmduser|wget http://www.nax.cz/pub/bioapi/2005/xscreensaver/xscreensaver-4.22_alternativeAuth.diff<br/> mirror: http://zepan.org/files/xscreensaver-4.22_alternativeAuth.diff<br/>For xscreensaver 5.00, you can get a patch here: http://dl.getdropbox.com/u/869/xscreensaver-5.00-alternativeauth.patch}}
 
*After reviewing the patch (it's small and straightforward), do
 
*After reviewing the patch (it's small and straightforward), do
 
:{{cmduser|patch -p1 < xscreensaver-4.22_alternativeAuth.diff}}<br />The patch prevents xscreensaver from opening an authentification window and dispatches the authentification request to another program, in our case <tt>pam</tt> and <tt>pam_bioapi</tt>. It should apply with some offset, don't mind that. If it says something about rejected though, then there's a problem.
 
:{{cmduser|patch -p1 < xscreensaver-4.22_alternativeAuth.diff}}<br />The patch prevents xscreensaver from opening an authentification window and dispatches the authentification request to another program, in our case <tt>pam</tt> and <tt>pam_bioapi</tt>. It should apply with some offset, don't mind that. If it says something about rejected though, then there's a problem.
 
*Compile with
 
*Compile with
 
:{{cmduser|./configure --with-pam && make}}<br />
 
:{{cmduser|./configure --with-pam && make}}<br />
*If you recieve an error like "undefined reference to `XmuPrintDefaultErrorMessage'" then install the libxmu-dev package and run the previous line again
+
*If you receive an error like "Couldn't find X11 headers/libs" and are running a Debian-like system, try "apt-get install xlibs-dev"
*and then install as root with
+
*If you receive an error like "undefined reference to `XmuPrintDefaultErrorMessage'" then install the libxmu-dev package and run the previous line again and then install as root with
 
:{{cmduser|su -c make install}} .
 
:{{cmduser|su -c make install}} .
 
*Make sure that the newly compiled xscreensaver is used:
 
*Make sure that the newly compiled xscreensaver is used:
 
:{{cmduser|which xscreensaver}} should return
 
:{{cmduser|which xscreensaver}} should return
 
:{{cmdresult|/usr/local/bin/xscreensaver}} .
 
:{{cmdresult|/usr/local/bin/xscreensaver}} .
:*In case it doesn't, try  
+
*In case it doesn't, try adjusting your PATH.
::{{cmduser|1=export PATH=/usr/local/bin:$PATH}}<br />and retry.
+
*Kill the running instance of xscreensaver:
+
:{{cmduser|xscreensaver-command -exit}}
+
*Make sure you have the following line in your {{path|~/.xscreensaver}}:
+
alternativeAuth: True
+
*Now edit {{path|/etc/pam.d/xscreensaver}} to include the following line (If you're on {{Ubuntu}} Breezy and you already changed {{path|/etc/pam.d/common-auth}} you should not need to do this.):
+
auth    sufficient      pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
+
*Start the new xscreensaver
+
:{{cmduser|xscreensaver}}<br />There should be a splash screen with version 4.23.
+
*Now try:
+
:{{cmduser|xscreensaver-command -lock}}
+
 
+
If you have questions or problems with this procedure, ask: t43fingerprint (at) badcode.de .
+
 
+
===Package for Debian sid===
+
 
+
If you're running {{Debian}} sid (the unstable branch) you can also try the patched .deb-package (built from current Debian sources fetched with {{cmd|apt-get source|}}) from [http://linux.spiney.org/debian_gnu_linux_on_an_ibm_thinkpad_t43p_fingerprint_reader this page], which also has Debian-specific instructions on how to setup the fingerprint reader. Use it on your own risk.
+
 
+
==Troubleshooting and Hints==
+
# After installing the driver, don't forget to reboot!
+
## This might not be necessary. it worked here without having to reboot.
+
# To see if the fingerprint device is know on the USB bus do:
+
:{{cmdroot|lsusb}}
+
:as root and you should see a line like:
+
:{{cmdresult|Bus 003 Device 004: ID 0483:2016 SGS Thomson Microelectronics}}
+
:The bus and device number can be different. This should work without the driver installed. If the device does not show up, you have a hardware problem/quirk, Rebooting or removing/inserting USB kernel modules might fix this.
+
# For some installation, after installing the driver as in section [[#Installing the driver|Installing the driver]] and making´sure the device is recognized, try to test it  by going to {{path|NonGUI_Sample}} directory and run {{cmdroot|./Sample}}, one get segmentation fault. In this case, try getting the Beta1 instead of Beta2 of the driver and installing it
+
# There was some confusion about the /etc/bioapi1.10/pam{5550454b-2054-464d-2f45-535320425350} path, this has been fixed in the howto, if you have problems, check the section again, the path needs to have the '-' in them
+
# When something goes wrong look at the tail of {{path|/var/log/auth.log}}. (on {{Fedora}} it is {{path|/var/log/secure}}) Specifically if you see an entry saying something like
+
pam_bioapi[10480]: Unable to load BioAPI BSP with UUID of {5550454b-2054-464d-2f45-535320425350}, BioAPI error <nowiki>#</nowiki>194d.
+
Check whether your {{path|/proc/bus/usb}} directory permissions are set up as in the
+
section [[#Installing the driver|Installing the driver]].
+
# To get the xscreensaver compiled you might need a bunch of header files (depending on which xscreensaver features you want), in my case I need the following:
+
#*python-gtk2-dev
+
#*libgstreamer0.8-dev
+
#*xlibs-dev
+
# Sometimes {{path|$HOME/.xscreensaver}} got overwritten, try changing it to read-only.
+
# If after suspending to RAM and resume, lsusb no longer have "SGS Thomson Microelectronics" entry, try adding a line
+
/etc/init.d/hotplug restart
+
to your {{path|/etc/acpi/resume.sh}} file
+
#If after resume lsusb shows the device but xscreensaver does not ask for fingerprint for login, you might want to check the permission of the usb bus in the appropriate {{path|/proc/bus/usb/}} entry. If necessesary you might need to add a line to {{path|/etc/acpi/resume.sh}} as in section [[#Installing the driver|Installing the driver]] to set the permission right.
+
-----
+
If it still doesn't work, ask me for help (and make sure all usefull stuff makes it back into this wiki :)
+
to get a starting point as to where your problem is please include the output of:
+
  
:{{cmduser|lsusb}}
+
==Common problems==
 +
===Bioapi error #3===
 +
This is sometimes caused by improper permissions. The full error message is "BioAPI Error Code: 3 (0x3)".
  
:{{cmdroot|ldconfig -p <nowiki>|</nowiki> grep bioapi}}
+
However, at least on Gentoo, recent upgrades to glibc and gcc 4.1.1 caused Bioapi to break down due to some sort of incompatibility with bioapi registry. Reinstalling does '''not''' repair the issue automatically. However, you can still fix the issue manually, by removing /var/bioapi. You need to reinstall tfm-fingerprint driver after reinstalling bioapi so that the driver is properly re-registered. As root, type
  
:{{cmdroot|updatedb && locate bioapi}}
+
:{{cmdroot|emerge -C bioapi}}
 +
:{{cmdroot|rm -rf /var/bioapi}}
 +
:{{cmdroot|emerge -av1 bioapi tfm-fingerprint}}
  
t43fingerprint (at) badcode.de
+
[[Category:HOWTOs]]

Latest revision as of 15:07, 2 December 2015

This page describes the process of getting the integrated fingerprint reader to work under Linux using BioAPI and binary-only drivers. It is based on experiences in Ubuntu on a T43. The same works on Fedora 4 and 5, RHEL4, SuSE 9.3, SuSE 10, and Gentoo. Note that experimental open-source driver is available, see the apropriate page for details.

Basic installation

Installing the bioapi framework

Automated installation script

The Script for enabling the fingerprint reader with BioAPI automates the installation of most components (bioapi framework, driver, pam_bioapi, pam setup, device permissions, pamtester and enrolling), for some Linux distributions.

Binary packages

Note that these packages only take care of this one section. If you can use one, you should do so and then proceed to the section entitled, Installing and Configuring the Driver.

Debian/ Ubuntu Dapper
  • If you're using Debian Sid (the unstable branch) or Ubuntu Dapper Drake 6.06 LTS you can try the packages from Michael R. Crusoe's site, either version 1.2.3 (recommended) or older versions which might not work with the steps in this howto.
Hint:
Ignore the warning about not finding /usr/lib/libqtpwbsp.so, it's not fatal.
Gentoo

Gentoo now includes needed ebuilds. Just run

ACCEPT_KEYWORDS=~x86 emerge pam_bioapi

You can also grab the ebuild, or use the source-install procedure below.

Also see http://toe.ch/~tsa/ibm-fingerprint/ for alternative documentation on installing on Gentoo including ebuilds for all the packages used.

Fedora Core

RPM packages for Fedora Core and installation instructions are available here

Installing from source

Hint:

For Ubuntu you'll need at least these packages, or building will fail:

  • build-essential
  • automake
  • libqt3-headers
  • Get the bioapi source and extract the files to a directory of your choice:
$ wget http://bioapi-linux.googlecode.com/files/bioapi_1.2.3.tar.gz
$ tar xzf bioapi_1.2.3.tar.gz
  • Edit the configure file to patch a bug. At line 25975, change
bnv_qt_LIBS="-l$bnv_qt_lib_dir $LIBS"
to
bnv_qt_LIBS="-L$bnv_qt_lib_dir $LIBS"
  • There is a bug in framework/mds_util_api/mds_app_util.c. At line 31, change #elif to #else.
  • Optional: By default, bioapi will install several files in /usr/local/bin, including files with "self-explanatory" names such as /usr/local/bin/Sample. To prevent this pollution:
Create a dedicated directory, for example /opt/bioapi .
Append --prefix=/opt/bioapi to the above ./configure command.
Append /opt/bioapi/bin to $PATH and /opt/bioapi/lib to $LD_LIBRARY_PATH.
When installing the driver (below), tell it the new install path: # sh install.sh /opt/bioapi/lib
  • Compile bioapi:
$ cd bioapi-1.2.3
$ ./configure
$ make
and then as root
# make install
  • If configure fails when checking the Qt installation, you may need to manually specify the Qt lib directory and Qt lib name. For example:
$ ./configure --with-Qt-lib-dir=/usr/lib/qt3 --with-Qt-lib=qt-mt
or you can compile without the graphical Qt tools:
$ ./configure --with-Qt-dir=no
  • If make install fails, be sure you're root and then:
# export LD_LIBRARY_PATH=/usr/local/lib
# make install
and if you want to compile pam_bioapi for auth later
# cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include
Be aware that checkinstall will not work!

Adjusting ldconfigs library search path

At least on Fedora or Aurox Linux 11, you may need to add /usr/local/lib to the library path so that the libraries referenced from pam_bioapi.so get picked up properly. The usual way to do this is adding it to the ldconfig configuration:

# echo '/usr/local/lib' > /etc/ld.so.conf.d/bioapi.conf
# ldconfig

Alternatively you can add it to the LD_LIBRARY variable.

If you see bioapi libs in the output of

# ldconfig -p

then it should work.

Installing and configuring the driver

Installing the driver

  • Download TFMESS_BSP_LIN_1.0.zip from the UPEK support site and unzip it into a seperate folder, as it will not create one.
  • Change to that folder and do as root:
# sh install.sh
If you're running Gentoo, Debian or Ubuntu Dapper, use
# sh install.sh /usr/lib
Hint:

For me it didn't work this way, but following did:

sh install.sh /usr/local/lib

greetings, tec

Hint:
On my debian install I had to "cp libtfmessbsp.so /usr/lib" to avoid a errormessage during "sh install.sh /usr/lib": "Could not find file:/usr/lib/libtfmessbsp.so"
If that fails, it may be that make install failed up above -- try setting LD_LIBRARY_PATH, do the make install again, and come back here and try this again. You also need mod_install from bioapi in your PATH.
May there still occures and error, which means mod_install: command not found.
Then login as root - not su!
Do this:
# sh install.sh
again. It should work. SU to root does not work since then the /usr/local/bin directory is not used per default.

Configuring permissions for non-root use

If you want to use PAM-aware applications like xscreensaver that are NOT running with root permissions (as opposed to login, gdm or other authentication mechanisms), you may need to do all or at least some of the things in this section. More details on what is necessary on which distributions would be greately appreciated.

  • Create two groups, one for access to BioAPI files and the other for access to the usb files. (This is done for full generality; i.e., you may have other USB devices which you want accessable to other users, without exposing your BioAPI configuration to them). Add your normal user (the one you wish to use PAM-aware applications with) to both of these groups.

On Debian this is done with

# addgroup --system bioapi
# addgroup --system usbfs
# adduser yournormaluser bioapi
# adduser yournormaluser usbfs

On SUSE this is done with

# groupadd --system bioapi
# groupadd --system usbfs
# groupmod -A yournormaluser bioapi
# groupmod -A yournormaluser usbfs

On Mandriva this is done with

# groupadd -r bioapi
# groupadd -r usbfs
# usermod -G bioapi,usbfs yournormaluser

On Fedora this is done with

# groupadd bioapi
# groupadd usbfs
# usermod -G bioapi,usbfs yournormaluser
(where yournormaluser is your normal user name). You will need to log out and log back in for this to take effect.
  • Set permissions on the BioAPI config/registry directory:
# chown -R root:bioapi /usr/local/var/bioapi/
# chmod -R 770 /usr/local/var/bioapi/
(change this path if you used an alternate BioAPI install directory above)
  • Set permissions on the files in /proc/bus/usb:
# chown -R root:usbfs /proc/bus/usb
# chmod -R g+X /proc/bus/usb
# chown root:usbfs /proc/bus/usb/`lsusb | sed -ne "/0483:2016/s/Bus\ \(.*\)\ Device\ \(.*\):\ .*/\1\/\2/p"`
# chmod 660 /proc/bus/usb/`lsusb | sed -ne "/0483:2016/s/Bus\ \(.*\)\ Device\ \(.*\):\ .*/\1\/\2/p"`
You may need to replace lsusb with its full path, which is something like /sbin/lsusb or /usr/bin/lsusb depending on your distro. It might be necessary to put these lines into a script which is run at startup and resume from suspend/hibernate.

In Fedora lsusb is not installed by default. To intall it just type:

# yum install usbutils
  • As an alternative to the chown/chmod commands above, you can set mount options for usbfs with a line in /etc/fstab; an example would be
none /proc/bus/usb usbfs defaults,devgid=108,devmode=0660,busgid=108,busmode=0770,listgid=108,listmode=0660 0 0
where 108 is replaced with the numerical group ID of the usbfs group (you can determine this with something like cat /etc/group | grep usbfs | cut -d':' -f 3). Make sure you only have one /proc/bus/usb entry in /etc/fstab. See the mount(8) manpage for more information on these options. This is "cleaner" but seems to have a few weird issues -- see the talk page for details.
  • You may also have files in /dev/bus/usb, which the driver will try before /proc/bus/usb. If this is another usbfs mount point (mount shows a line containing /dev/bus/usb type usbfs), then simply follow the above instructions with /dev/bus/usb rather than /proc/bus/usb. Otherwise, you may be running a new kernel (i.e. 2.6.15) that makes usbfs-like files available through /dev/bus/usb.
  • On systems running udev these files are dynamically created; you can configure their permissions by editing a udev config file. On Debian this is done by changing the usb_device line of /etc/udev/permissions.rules to read
SUBSYSTEM=="usb_device", MODE="0660", GROUP="usbfs"
  • For the beta versions only, there is a logfile, which needs to exist with the proper permissions:
# touch /var/log/BSP.log && chown root:bioapi /var/log/BSP.log && chmod 660 /var/log/BSP.log

Miscellaneous configuration

  • To increase the security level (minimize false accept rate), set this in /etc/tfmessbsp.cfg:
security-level="5"
ATTENTION!
Please see discussion section Security Level!

Testing the driver and enrolling a fingerprint

To test the driver and generate the file containing your fingerprint information, you need a sample program included with the driver. The compilation steps below were discovered by trial and error; if they don't work for you, try the binary Sample utility that came with the beta versions of the driver (i.e., TFMESS_BSP_LIN_1.0beta2.zip as mentioned above). Go to the folder where you extracted TFMESS_BSP_LIN_1.0.zip and do:

# cd NonGUI_Sample
Edit main.c and remove (or comment out) the line
#include "port/bioapi_port.h"
then add the line
#include <stdlib.h>
# gcc -o Sample main.c -L/usr/local/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN
# ./Sample
Note that Sample may only run as root, unless you've already configured the usbfs file permissions.
You can try to "e"nroll (to record a fingerprint for an account) and then "v"erify (to test a fingerprint against the one it expects for an account).
You'll save a step later if you use your own login username as the username to enroll here.
If running ./Sample produces the error message 'BioAPI_ModuleLoad failed, BioAPI Error Code: 6477 (0x194d)'
then uncommenting the line
//BioAPI_SetGUICallbacks(gModuleHandle, NULL, NULL,TextGuiCallback, NULL);
in main.c can help.

Login via pam_bioapi

The following explains how to add fingerprint authentiation to programs that use the PAM (Pluggable Authentication Modules) framework, such as Gnome's GDM and KDE's KDM and screensaver.

Getting required libs & tools

Installing pam_bioapi

  • Prerequisites
On SuSE 10, I needed to install the pam-devel RPM
In general, you will need pam itself (standard for most distros) as well as the pam development files (probably an optional package for your distro).
  • Get and compile the pam_bioapi module.
Hint:
A new version, pam_bioapi 0.3.0, with multi-finger and identification support can be found here.

There's work in progress. pam_bioapi and biometrics-manager can be downloaded here.

$ wget http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2
$ tar xjf pam_bioapi-latest.tar.bz2
$ cd pam_bioapi-0.2.1
$ wget http://badcode.de/downloads/fingerprint.patch
$ patch -p0 < fingerprint.patch
If you want to, review the patch. In general you should review all code you download and compile, if possible.
$ ./configure --libdir=/lib && make
and as root
# make install
NOTE!
If you get a 'rpl_malloc' error in /var/log/auth.log when trying to use the fingerprint reader, redo these steps and remove the related term from Makefile after running ./configure. (FC3, Debian etch)
  • If you get 'configure: error: cannot find required header: security/_pam_macros.h' and are on a Debian-like system, do "apt-get install libpam0g-dev" and try again. If you are using a Mandriva distribution, do "urpmi libpam0-devel" instead.
  • If you get 'configure: error: cannot find required header: security/pam_modules.h' and are on a Debian-like system, do "apt-get install libpam0g-dev" and try again.
  • If you get 'configure: error: cannot find required header: sqlite3.h' and are on a Debian-like system, do "apt-get install libsqlite3-dev" and try again.
  • If you get 'make: msgfmt: command not found' and are on a Debian-like system, do "apt-get install gettext" and try again.
  • If you get 'PAM [dlerror: /lib/security/pam_bioapi.so: undefined symbol: BioAPIMemoryFuncs]' error in your syslog, replace 'LIBS = ' line in libpam_bioapi/makefile with the following (of course, replace /opt/bioapi/ with the path where you installed bioapi):
LIBS = -L/opt/bioapi/lib -lbioapi100 -lbioapi_mds300 -lmds_util
  • Use the sample tool from the fingerprint reader to create <username>.bir (<username> must be the username you want to login with. gdm will probably break for any login name that has no .bir file).
  • As root do:
# SERIAL=`BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}"`
# echo $SERIAL should print something like {5550454b-2054-464d-2f45-535320425350} now.
If it does, do:
# mkdir -p /etc/bioapi/pam/$SERIAL
# cp <username>.bir /etc/bioapi/pam/$SERIAL
If not, you might just try
# SERIAL={5550454b-2054-464d-2f45-535320425350}
as this value is hardcoded into the UPEK docs.

Configuring pam

The following part is distribution specific. On Ubuntu or SUSE you can modify /etc/pam.d/common-auth (on Gentoo and Fedora it is /etc/pam.d/system-auth) to look like this:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth       sufficient   pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
password   sufficient   pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth       required     pam_unix.so nullok_secure



For Gentoo-Users - this allows you to attempt a password first. If you simply press enter, it then prompts for a fingerprints. Create a file named /etc/pam.d/bioapi. This also means that remote services, such as SSH keep working:

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth       required     pam_deny.so

account    required     pam_unix.so

session    required     pam_limits.so
session    required     pam_unix.so

Now, simply replace "auth include system-auth" in all services that you wish to use fingerprint for with "auth include bioapi". For example, /etc/pam.d/kde by default contains

 auth       include      system-auth
 auth       required     pam_nologin.so
 
 account    include      system-auth
 
 password   include      system-auth
 
 session    include      system-auth

Simply replace the first "system-auth" with bioapi and you can also get rid of KDE desktop lock with a fingerprint. If you do not wish to allow for "password fallback" then remove

auth       sufficient   pam_unix.so likeauth nullok

from /etc/pam.d/bioapi.

ATTENTION!
If su/sudo expects to receive the root password (SuSE 10), you need to have fingerprint settings for root (that is, copy in a root.bir as well as a your-username.bir). Otherwise, they get a segmentation fault. Which is a little unfortunate, given that you need to su or sudo to change your settings...
ATTENTION!
Not only SuSE 10 requires root.bir to be available for su to work. Just make sure you have root.bir when su is not working with your fingerprint reader but other applications are...

Note that sshd may pick up the fingerprint settings from /etc/pam.d/common-auth. I didn't want that, so I removed the "auth include common-auth" line from /etc/pam.d/sshd and replaced it with the lines that were originally in my /etc/pam.d/common-auth. That way most local services use the fingerprint reader, but sshd does not.

NOTE!
su/sudo will call for your fingerprint even if you are remote via ssh. Pressing *CTLR-c* (or closing graphic window) will allow you the desired password option.

Another way to do this is to create a file (/etc/pam.d/bioapi for example) which contains the pam_bioapi.so lines, and explicitly @include this before /etc/pam.d/common-auth in the files for services which should use the fingerprint reader. In this case you should leave /etc/pam.d/common-auth alone.

NOTE!
This was discovered through trial and success, if it is plain wrong, wikorrect it, please.

In Fedora the original 'session' terms in /etc/pam.d/system-auth need to be kept.

Hint:
The setup described above will/could affect remote ssh logins to also use biometric logins, which is a bit silly (who wants to remote ssh to the laptop, and then have to walk over to it and swipe your finger)
To avoid that you can copy the default /etc/pam.d/system-auth to /etc/pam.d/sshd which will allow the sshd service to use the standard authentication procedure.



To enable normal password authorization to work with remote SSH in SUSE 10.3, edit the /etc/pam.d/sshd file. Remove all entries and replace them with:

auth    required        pam_env.so
auth    required        pam_unix2.so
auth    required        pam_nologin.so
account required        pam_unix2.so
password required       pam_pwcheck.so  nullok
password required       pam_unix2.so    nullok use_first_pass use_authtok
session required        pam_limits.so
session required        pam_unix2.so
NOTE!
These entries are what common-auth normally does. Since we've changed common-auth around for bioapi, these need to be specified manually. -Ransak

You can do some useful testing with pamtester, which calls the pam modules as if it were a program of your choice. Examples:

# pamtester xdm yourusername authenticate
$ pamtester xscreensaver yourusername authenticate

where yourusername is your username. Note that pamtester should run as root if and only if the program in question does.

Application support

The implementation of fingerprint scanning support in the relevant applications varies.

Here is the behaviour of the most common ones:

  • In gdm enter your username and there should pop up an (ugly) image to swipe your finger and... magic - you can login without a password.
  • kdm doesn't give any visual indication, other than that the cursor stops blinking. Just swipe your finger and hope it lets you log in.
  • In xdm, enter your username and a blank password, then swipe (there is no popup as well). Identification support for xdm can be achieved with this patch.
  • The KDE screen saver in SUSE 10 requires you to enter an empty password (or select the correct user and then enter an empty password) in order to get the fingerprint prompt.
  • For Fedora users, the redhat-config tools will crash if no root.bir presents. Also, there won't be any visual idication unless X server is properly configured for root to access. Just swipe your finger when the HDD stopped blinking or issue the following command in advance:
$ xhost +local:
  • For RHEL4 users gdm, console (virtual terminal) logins and the xscreensaver all work

kdm support

To add graphical popup to kdm, you need following:

  • Patch for pam_bioapi. This patch adds third parameter to pam_bioapi.so module, which is a name of file with additional environment variables that will be supplied to the UPEK driver.
# wget http://upir.cz/linux/patches/pam_bioapi-0.2.1-alter-environ.patch
# patch -p1 < pam_bioapi-0.2.1-alter-environ.patch
  • Edit your Xsetup file (on SUSE 10 it's /etc/X11/xdm/Xsetup) and add these lines:
echo "XAUTHORITY=$XAUTHORITY" > /var/lib/xdm/kdm_env
echo "DISPLAY=$DISPLAY" >> /var/lib/xdm/kdm_env
  • In /etc/pam.d/xdm file, add /var/lib/xdm/kdm_env as a third parameter for pam_bioapi.so module:
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/ /var/lib/xdm/kdm_env
  • On Ubuntu simply do:
echo "DISPLAY=$DISPLAY" >> /var/lib/kdm/kdm_env
  • If you have created /etc/pam.d/bioapi then modify:
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/ /var/lib/kdm/kdm_env


Please note, that this won't work if you have more than one Xserver.

Make xscreensaver use the scanner

If you are using Gentoo, you can get a portage overlay with the necessary patches here: http://dl.getdropbox.com/u/869/xscreensaver-fingerprint-overlay.tar.gz

  • Get the needed xscreensaver sources:
$ wget http://www.jwz.org/xscreensaver/xscreensaver-4.23.tar.gz
$ tar xzf xscreensaver-4.23.tar.gz
$ cd xscreensaver-4.23
$ wget http://www.nax.cz/pub/bioapi/2005/xscreensaver/xscreensaver-4.22_alternativeAuth.diff
mirror: http://zepan.org/files/xscreensaver-4.22_alternativeAuth.diff
For xscreensaver 5.00, you can get a patch here: http://dl.getdropbox.com/u/869/xscreensaver-5.00-alternativeauth.patch
  • After reviewing the patch (it's small and straightforward), do
$ patch -p1 < xscreensaver-4.22_alternativeAuth.diff
The patch prevents xscreensaver from opening an authentification window and dispatches the authentification request to another program, in our case pam and pam_bioapi. It should apply with some offset, don't mind that. If it says something about rejected though, then there's a problem.
  • Compile with
$ ./configure --with-pam && make
  • If you receive an error like "Couldn't find X11 headers/libs" and are running a Debian-like system, try "apt-get install xlibs-dev"
  • If you receive an error like "undefined reference to `XmuPrintDefaultErrorMessage'" then install the libxmu-dev package and run the previous line again and then install as root with
$ su -c make install .
  • Make sure that the newly compiled xscreensaver is used:
$ which xscreensaver should return
/usr/local/bin/xscreensaver .
  • In case it doesn't, try adjusting your PATH.

Common problems

Bioapi error #3

This is sometimes caused by improper permissions. The full error message is "BioAPI Error Code: 3 (0x3)".

However, at least on Gentoo, recent upgrades to glibc and gcc 4.1.1 caused Bioapi to break down due to some sort of incompatibility with bioapi registry. Reinstalling does not repair the issue automatically. However, you can still fix the issue manually, by removing /var/bioapi. You need to reinstall tfm-fingerprint driver after reinstalling bioapi so that the driver is properly re-registered. As root, type

# emerge -C bioapi
# rm -rf /var/bioapi
# emerge -av1 bioapi tfm-fingerprint