Talk:How to enable the integrated fingerprint reader with ThinkFinger

From ThinkWiki
Revision as of 13:49, 28 January 2009 by Derex (Talk | contribs) (Security issue: new section)
Jump to: navigation, search

about fingerpring security or should we pay more for it?

GDM

Howdy.

With latest versions of GDM, PAM and ThinFinger you may experience a GDM segfault when using the Face Browser to select a user. This stops you from using the aforementioned software combination to log in to a pure tablet system. That is, you're going to need a keyboard to type the username. Please see this bug report and contribute if you can.

Problem

Hello! I have Lenovo R61i and Debian 4.0 (sid). I have done all what was in this article, but when I do:

pokorski@debian:~$ sudo tf-tool --acquire

the terminal is writing:

ThinkFinger 0.3 (http://thinkfinger.sourceforge.net/) Copyright (C) 2006, 2007 Timo Hoenig <thoenig@suse.de>

Initializing...USB device not found.

I read manuals and howtos but I can't install it on my R61i. On M$ Windows biometric reader worked correctly. Can anybody help me? Sorry for my English (I'm Polish)

- Hi, I have the same notebook, runnning ubuntu 8.04, and it seems this device isn't supported by thinkfinger, what worked for me is libfprint, the newest version. 
  regards


Intrepid Ibex

Has anyone got thinkfinger to work with pam in Ubuntu Intrepid Ibex? If so, how did you configure /etc/pam.d/common_auth?

Configuration of thinkfinger has been simplified, but the change was not not documented in the man page... This bug report will probably help. Install the modified packages mentioned in the HowTo. My /etc/pam.d/common-auth (note "-" not "_") looks like following. Best, Tec 02:20, 19 November 2008 (CET)

# here are the per-package modules (the "Primary" block)
auth    sufficient      pam_thinkfinger.so
auth    [success=1 default=ignore]      pam_unix.so try_first_pass nullok_secure
#auth   [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

Security issue

Hello, I think adding pam_thinkfinger.so to /etc/pam.d/common-auth is not that good idea. On my gentoo laptop after adding this, it is possible to login from ssh with the fingerprint reader, I think this is not good.

For example ( 169-44 is a remote host, Derex-PC is my laptop with thinkfinger ):

derex@169-44:~$ ssh root@192.168.168.168
Password or swipe finger:
derex@Derex-PC ~ $ su -
Password:

Then I swipe my finger on the laptop, and press enter (just it, no password) on the remote host, and I get this:

derex@169-44:~$ ssh root@192.168.168.168
Password or swipe finger:
Last login: Wed Jan 28 13:36:15 EET 2009 from 192.168.168.1 on pts/1
Last login: Wed Jan 28 13:48:17 2009 from 192.168.168.1
Derex-PC ~ #
derex@Derex-PC ~ $ su -
Password:
su: Authentication failure
derex@Derex-PC ~ $
NOTE!
"su" prompts for "Password" only, but ususally it asks "Password or swipe finger".

I added pam_thinkfinger.so only to gdm, gnome-screensaver, login and su in /etc/pam.d/ and now I dont have this issue.