How to enable the integrated fingerprint reader with ThinkFinger

2008-04-02T10:55:14Z

Rosss: /* GNOME */

[[How to enable the fingerprint reader]] has a good explanation for using the fingerprint reader with the closed-source binary driver. But there is also an opensource project called [http://thinkfinger.sourceforge.net ThinkFinger] which does the same, but open.

However: The fingerprint reader is an INSECURE device and gives a false sense of security! There has been quite a bit of research by a hacker named Starbug, a member of the Chaos Computer Club, Berlin, Germany. He outlined in two very good talks how to forge each and every available fingerprint sensor available at the cost of a few euros, using materials from your local hardware store, a digicam and a laser printer! Here's some links:
* [http://www.ccc.de/updates/2007/umsonst-im-supermarkt?language=en Fingerprint recognition in supermarkets]
* [ftp://ftp.ccc.de/pub/video/Fingerabdruck_Hack/fingerabdruck.mpg?language=en Video tutorial for forging fingerprints]

== Installing ==
=== From source ===

Download thinkfinger-0.3.tar.gz from the [http://thinkfinger.sourceforge.net/ homepage] and unpack it somewhere, make sure you have the gcc compiler, libtool, pkg-config, libusb-dev and libpam0g-dev installed, then:

{{cmduser|cd thinkfinger-0.3}}

<code style="white-space:nowrap;color:#495988;background-color:white;"><nowiki>$</nowiki> ./configure --prefix=/usr --sysconfdir=/etc --with-securedir=/lib/security --with-birdir=/etc/pam_thinkfinger</code>

{{cmduser|make}}

{{cmdroot|make install}}

{{NOTE|/lib/security is the directory, where PAM assumes its modules on Debian and openSUSE, it may vary for your distro!}}

"make install" doesn't create the birdir we specified (where thinkfinger will store users' biometric info), so create it:

{{cmdroot|mkdir /etc/pam_thinkfinger}}

If everything went OK assert that you find pam_thinkfinger.so in /lib/security typing:

{{cmduser|ls /lib/security}}

=== From package ===

==== Debian ====
[http://packages.debian.org/source/experimental/thinkfinger Packages] arrived in Debian experimental on Aug 2nd, 2007 (cf. [http://bugs.debian.org/409563 bug #409563]). To access the experimental packages via apt, add the following lines to your sources.list:
<pre>
# experimental
deb ftp://mirrors.kernel.org/debian/ experimental main contrib non-free
deb-src ftp://mirrors.kernel.org/debian/ experimental main contrib non-free
</pre>
where of course you may replace mirrors.kernel.org with your mirror of choice. Just make sure that it hosts the experimental repositories.
<pre>
aptitude update
aptitude install libthinkfinger0 libpam-thinkfinger thinkfinger-tools
</pre>
should then get you up and running.

==== Ubuntu ====
From https://wiki.ubuntu.com/ThinkFinger

Add PPA repositories to your sources.list:
<pre>
deb http://ppa.launchpad.net/jldugger/ubuntu gutsy main restricted universe multiverse
deb-src http://ppa.launchpad.net/jldugger/ubuntu gutsy main restricted universe multiverse
</pre>

Install necessary packages:
<pre>
sudo apt-get install thinkfinger-tools libpam-thinkfinger
</pre>

==== Fedora/Fedora Core ====
*Packages for Fedora Core 6 are available in "extras" repository (# yum install thinkfinger).
*Packages for Fedora 7 are available in the "updates" repository (# yum install thinkfinger).

==== Gentoo ====
<pre>
emerge sys-auth/thinkfinger
</pre>

==== OpenSUSE ====
openSUSE 10.2 includes the package "libthinkfinger" (version 0.1-7) - you will find newer packages [http://beta1.suse.com/private/thoenig/10.2/thinkfinger/ here].

== Testing the driver ==

Now the driver is installed and should be working. You can try it (as root) with

{{cmdroot|tf-tool --acquire}}

and

{{cmdroot|tf-tool --verify}}

This will ask you to swipe your finger three times, save the fingerprint to /tmp/test.bir and then verify your fingerprint with the bir-file.

== Configuring PAM to use ThinkFinger ==
Now you can configure PAM to use ThinkFinger:

Open {{path|/etc/pam.d/common-auth}} (In FC6, F7, and Gentoo, this file is {{path|/etc/pam.d/system-auth}}):

{{cmdroot|nano -w /etc/pam.d/common-auth}}

Add this line before any pam_unix or pam_unix2 directives:
auth sufficient pam_thinkfinger.so

If your PAM uses the pam_unix and not the pam_unix2 module, you need to pass a specific argument in
the /etc/pam.d/common-auth directive to make it consider the password entered at the pam_thinkfinger prompt.
auth required pam_unix.so try_first_pass

For instance, {{path|/etc/pam.d/common-auth}} looks like this:
auth sufficient pam_thinkfinger.so
auth required pam_unix.so nullok_secure try_first_pass

On openSUSE 10.2, it looks like this now:
auth required pam_env.so
auth sufficient pam_thinkfinger.so
auth required pam_unix2.so

Now we are ready to add users to thinkfinger. You can add a fingerprint for a user with:

{{cmdroot|tf-tool --add-user $USERNAME}}

Now the user should be able to login with his finger instead of the password.

If you would like to use thinkfinger for su, you have to enroll the fingerprint for root user with:

{{cmdroot|tf-tool --add-user root}}

{{NOTE|You should see the "Password or swipe finger:" prompt when trying to sudo or su. If you don't, you probably do not have the "User level driver support" compiled into your kernel or the "uinput" module loaded!}}

== xscreensaver/gnome-screensaver ==
{{NOTE|In Fedora 7, the package has been modified in such a way as to make doing this unnecessary.}}

If you'd like to be able to unlock your screen using the fingerprint reader, you must have current versions of xscreesaver (>~5.03) or gnome-screensaver (>~2.18.2). Then you must give yourself access to the fingerprint reader and your bir-file, because unlike login/gdm/su/sudo, both gnome-screensaver and xscreensaver do not run as root. The following procedure will make the fingerprint reader accessible to members of the "fingerprint" group.

Make the group: {{cmdroot|groupadd fingerprint}}

Save the following as {{path|/etc/udev/rules.d/60-thinkfinger.rules}} (you may need to reboot for this to take effect):
#
# udev rules file for the thinkfinger fingerprint scanner
#
# gives access to the fingerprint reader to those in the "fingerprint" group
#
# Taken from:
# http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader_with_ThinkFinger
# which was taken and modified from:
# http://article.gmane.org/gmane.linux.drivers.thinkfinger/329
#

# SGS Thomson Microelectronics Fingerprint Reader
SYSFS{idVendor}=="0483", SYSFS{idProduct}=="2016", SYMLINK+="input/thinkfinger-%k", MODE="0660", GROUP="fingerprint"

# the also-needed uinput device
KERNEL=="uinput", MODE="0660", GROUP="fingerprint"

Finally, edit {{path|/etc/pam.d/gnome-screensaver}} so that it looks like this:
auth sufficient pam_thinkfinger.so
auth required pam_unix.so try_first_pass nullok_secure

Per user:

# Add him to the group: {{cmdroot|gpasswd -a $USERNAME fingerprint}}
# Make him owner of his bir-file: {{cmdroot|chown $USERNAME:root /etc/pam_thinkfinger/$USERNAME.bir}}
# Give him read-only access to his bir-file: {{cmdroot|chmod 400 /etc/pam_thinkfinger/$USERNAME.bir}}
# Give "execute only" access to everyone for the /etc/pam_thinkfinger/ directory: {{cmdroot|chmod o+x /etc/pam_thinkfinger}} (WARNING: this opens up security a little).

== GNOME ==

gksu/gksudo doesn't work correctly. It just stays invisible. When starting a su privileged application such as synaptics you will not get prompted for the password. Nevertheless you can swipe your finger and it should authenticate you. Starting synaptics twice makes gksudo visible.

There are two possibilities to solve it:
* Changing the string "Password or swipe finger:" to a plain "Password:" (like sudo normally would do) in the file pam/pam_thinkfinger.c of the thinkfinger source directory. Of course, in the console you will then only see a "Password:" instead of "Password or swipe finger:" but this is still more usefull than having gksu/gksudo crashing everytime.
* Patching libgksu with the following patch. This is also a nasty hack until a better solution is implemented.
<pre>
--- libgksu-2.0.3/libgksu/libgksu.c.orig 2007-06-17 16:00:24.000000000 +0200
+++ libgksu-2.0.3/libgksu/libgksu.c 2007-06-17 16:00:47.000000000 +0200
@@ -2663,7 +2663,7 @@
*/
for (counter = 0; counter < 50; counter++)
{
- if (strncmp (buffer, "GNOME_SUDO_PASS", 15) == 0)
+ if (strncmp (buffer, "GNOME_SUDO_PASS", 15) == 0 || strncmp (buffer, "Password or swi", 15) == 0)
break;

read_line (parent_pipe[0], buffer, 256);
@@ -2675,7 +2675,7 @@
if (context->debug)
fprintf (stderr, "brute force GNOME_SUDO_PASS ended...\n");

- if (strncmp(buffer, "GNOME_SUDO_PASS", 15) == 0)
+ if (strncmp(buffer, "GNOME_SUDO_PASS", 15) == 0 || strncmp(buffer, "Password or swi", 15) == 0)
{
gchar *password = NULL;
gboolean prompt_grab;
</pre>

This problem does not appear on Debian Lenny running a 2.6.24 kernel.

== KDE ==

Integration in KDE and kdm seems not to be easily possible now. There is a filed [https://bugs.kde.org/show_bug.cgi?id=116682 bug] at kde.org where you can vote for this.

Moreover, kdm in openSUSE 10.3 crashes when pam_thinkfinger is enabled. A possible "workaround" is downgrading to thinkfinger 0.2.2.

Another workaround is to use Fprint from [http://www.reactivated.net/fprint/wiki/Main_Page] which works quite nicely on my X61s and Kubuntu Hardy.

This Howto was copied from [[Installing Ubuntu 6.06 on a ThinkPad T43#Fingerprint_Reader]] and then slightly modified.

ThinkWiki - User contributions [en]

How to enable the integrated fingerprint reader with ThinkFinger