ThinkWiki - User contributions [en]

Script for enabling the fingerprint reader with BioAPI

2006-02-22T19:49:22Z

Dclatot: /* The script */

Using the [[Integrated Fingerprint Reader|integrated fingerprint reader]] under Linux is currently a fairly complicated [[How to enable the fingerprint reader|process]]. The following script automates the installation of the fingerprint software, for some Linux distributions. It covers most components (bioapi framework, driver, pam_bioapi, PAM setup, USB device permissions pamtester and enrolling), and handles all the downloading, patching and installation.

Usage: just copy into a file and run as root.

After installation, all PAM-enabled system functions will use the fingerprint reader (and if it fails, default to the usual password entry). This includes:
* KDE's KDM login (enter an empty password, then swipe finger)
* KDE's screensaver (enter an empty password, then swipe finger)
* Gnome's GDM login
* <tt>su</tt>
* <tt>sudo</tt>

Everything is intalled into {{path|/opt/bioapi}}, so it doesn't pollute your filesystem. The only files affected outside {{path|/opt/bioapi}} are the ldconfig configuration, PAM configuration, {{path|/etc/rc.local}} and a few symlinks in {{path|/lib/security}}.

For details, manual installation and hints for other distributions, see [[How to enable the fingerprint reader]].

===Distributions supported by this script===
* {{Fedora}} 4

If you add support for additional distributions, please update this script (using conditionals where necessary) instead of branching it.

==The script==

<pre>
#!/bin/bash
# Install UPEK fingerprint reader driver and associated software on Linux systems.
# Source: http://thinkwiki.org/wiki/Script_for_enabling_the_fingerprint_reader

set -e -E -x -u # verbose, abort if anything fails

WHERE=/opt/bioapi
PASSWD_ENROLLS=0 # should "passwd" do fingerprint enrollment (always)?

########################################
# Install bioapi:

mkdir -p $WHERE
wget -N http://www.qrivy.net/~michael/blua/bioapi/bioapi-latest.tar.bz2
sha1sum --check <<EOF
932425e847449e9612c6894dcbaf44630aecfc13 bioapi-latest.tar.bz2
EOF
tar xjf bioapi-latest.tar.bz2
pushd bioapi-1.2.2
./configure --with-Qt-dir=no --prefix=$WHERE
make
make install
install -m644 include/bioapi_util.h $WHERE/include/bioapi_util.h
install -m644 include/installdefs.h $WHERE/include/installdefs.h
install -m644 imports/cdsa/v2_0/inc/cssmtype.h $WHERE/include/cssmtype.h
chmod o-w $WHERE/var/bioapi
popd

########################################
# Tell ldconfig about bioapi libraries:

[ -d /etc/ld.so.conf.d ] || { echo "Unsupported distribution: no /etc/ld.so.conf.d directory."; exit 1; }
echo $WHERE/lib > /etc/ld.so.conf.d/bioapi.conf
ldconfig
ldconfig -p | grep -q bioapi || { echo "ldconfig doesn't see bioapi"; exit 1; }

########################################
# Install UPEK driver:

wget -N http://www.upek.com/support/download/TFMESS_BSP_LIN_1.0.zip
sha1sum --check <<EOF
c73466b5c3b26415b300d5c5ffb76deaefadeb32 TFMESS_BSP_LIN_1.0.zip
EOF
mkdir -p driver
pushd driver
unzip ../TFMESS_BSP_LIN_1.0.zip
PATH="$PATH:$WHERE/bin"
sh install.sh $WHERE/lib/
cd NonGUI_Sample
perl -i -pe 'print "#include <stdlib.h>\n//DISABLED: " if m!^#include "port/bioapi_port.h"$!' main.c
gcc -o Sample main.c -I$WHERE/include -L$WHERE/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN
install Sample -m755 $WHERE/bin/upek-NonGUI_Sample
popd

SERIAL=`$WHERE/bin/BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: $.\{9\}$$.\{4\}$$.\{4\}$$.\{4\}$$.*$/\1-\2-\3-\4-\5/gp}"`

########################################
# Install (patched) pam_bioapi:

wget -N http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2
wget -N http://badcode.de/downloads/fingerprint.patch
sha1sum --check <<EOF
a0bdf3436e55f7dc8b4795243f08a4c9b399dec8 pam_bioapi-latest.tar.bz2
619254a5bcd3acb8bf1d72b15ea69bfe00f0f064 fingerprint.patch
EOF
tar xjvf pam_bioapi-latest.tar.bz2
pushd pam_bioapi-0.2.1
patch -p0 < ../fingerprint.patch
CPPFLAGS="-I$WHERE/include" LDFLAGS="-L$WHERE/lib" ./configure --prefix=$WHERE
make
make install
ln -vfs $WHERE/lib/security/pam_bioapi.so* /lib/security/
popd

########################################
# Install pamtester:

wget http://mesh.dl.sourceforge.net/sourceforge/pamtester/pamtester-0.1.2.tar.gz
sha1sum --check <<EOF
33bcc610d7f208b50a0a23c144bdbd1e2cae4ac6 pamtester-0.1.2.tar.gz
EOF
tar xzvf pamtester-0.1.2.tar.gz
pushd pamtester-0.1.2
./configure --prefix=$WHERE
make
make install
popd

########################################
# Configure pam to use pam_bioapi:

grep -q 'Fedora Core release 4' /etc/redhat-release || { echo \
"I don't know how to configure PAM on this distribution.
See: http://thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Configuring_pam";
exit 1; }

PAMFILE=/etc/pam.d/system-auth
if ! grep -q 'pam_bioapi\.so' $PAMFILE; then
perl -i -pe '
if (!$a && m/^auth.*pam_unix\.so/) {$a=1; print
"auth sufficient pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
' $PAMFILE
if [ $PASSWD_ENROLLS == 1 ]; then
perl -i -pe '
if (!$p && m/^password/) {$p=1; print
"password required pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
' $PAMFILE
fi
fi

########################################
# USB permissions (set now and add to startup):

RC_FILE=/etc/rc.local
SET_PERMS=$WHERE/bin/set_fingerprint_perms

cat > $SET_PERMS <<'EOF'
#!/bin/bash
# Make fingerprint reader USB device world-writable:
chmod -R a+X /proc/bus/usb
chmod 666 /proc/bus/usb/`/sbin/lsusb | sed -ne "/0483:2016/s/Bus\ $.*$\ Device\ $.*$:\ .*/\1\/\2/p"`
EOF
chmod 755 $SET_PERMS

$SET_PERMS

[ -e $RC_FILE ] || { echo "No $RC_FILE, can't handle this distribution."; exit 1; }
if ! grep -q 0483:2016 $SET_PERMS; then
echo $SET_PERMS >> $RC_FILE
fi

########################################
# Enroll:

mkdir -p /etc/bioapi/pam/$SERIAL
pushd /etc/bioapi/pam/$SERIAL
read -p "Now enroll all relevant Unix accounts (press Enter to start)."
$WHERE/bin/upek-NonGUI_Sample
popd

########################################
# Done:

set +x
cat<<EOF

Success.
* To test the fingerprint-enabled PAM login, run:
$WHERE/bin/pamtester -v login USERNAME authenticate
* Add the following command to your resume-from-suspend script:
$WHERE/bin/set_fingerprint_perms

EOF
</pre>

==Ideas for improvement==
* Support more distributions
* Minimize changes to {{path|/etc/pam.d/system-auth}} by creating a separate file (e.g., {{path|/etc/pam.d/bioapi-auth}}) and <tt>@include</tt>-ing it.
* Do something about {{path|/etc/pam.d/sshd}} - it invokes {{path|/etc/pam.d/system-auth}} by stacking, so remote SSH logins now invoke the fingerprint reader... See related discussion in [[How_to_enable_the_fingerprint_reader]].
* Install and configure a patched xscreensaver (as explained in [[How_to_enable_the_fingerprint_reader]]).
* Add "<tt>OnResume 10 /opt/bioapi/bin/set_fingerprint_perms</tt>" to [[Software Suspend 2|suspend2]]'s {{path|/etc/hibernate/hibernate.conf}}?

[[Category:Scripts]]

Script for enabling the fingerprint reader with BioAPI

2006-02-22T18:17:50Z

Dclatot: /* The script */

Script for enabling the fingerprint reader with BioAPI

2006-02-22T15:14:51Z

Dclatot: /* The script */