ThinkWiki - User contributions [en]

How to enable integrated fingerprint reader with BioAPI

2009-09-14T11:39:43Z

ZZamboni: /* Make xscreensaver use the scanner */

{| width="100%"
|style="vertical-align:top;padding-right:20px;width:10px;white-space:nowrap;" | __TOC__
|style="vertical-align:top" |
This page describes the process of getting the [[Integrated Fingerprint Reader|integrated fingerprint reader]] to work under Linux, using bioapi and binary-only drivers. It is based on experiences in {{Ubuntu}} on a T43. The same works on {{Fedora}} 4 and 5, RHEL4, SuSE 9.3, SuSE 10, and {{Gentoo}}. Note that experimental open-source driver is available, see [[How to enable the fingerprint reader with ThinkFinger|the apropriate page]] for details.
|}

==Basic installation==
===Installing the bioapi framework===
====Automated installation script====
The [[Script for enabling the fingerprint reader]] automates the installation of most components (bioapi framework, driver, pam_bioapi, pam setup, device permissions, pamtester and enrolling), for some Linux distributions.

====Binary packages====

Note that these packages only take care of this one section. If you can use one, you should do so and then proceed to the section entitled, Installing and Configuring the Driver.

=====Debian/ Ubuntu Dapper=====
*If you're using {{Debian}} Sid (the unstable branch) or {{Ubuntu}} Dapper Drake 6.06 LTS you can try the packages from Michael R. Crusoe's site, either [http://www.qrivy.net/~michael/temp/ version 1.2.3] (recommended) or [http://www.qrivy.net/~michael/debs/unstable/ older versions] which might not work with the steps in this howto.

{{HINT|Ignore the warning about not finding ''/usr/lib/libqtpwbsp.so'', it's not fatal.}}

=====Gentoo=====
Gentoo now includes needed ebuilds. Just run

''ACCEPT_KEYWORDS=~x86 emerge pam_bioapi''

You can also grab the [http://www.qrivy.net/~michael/blua/bioapi/bioapi-1.2.2.ebuild.tar.bz2 ebuild], or use the source-install procedure below.

Also see [http://toe.ch/~tsa/ibm-fingerprint/ http://toe.ch/~tsa/ibm-fingerprint/] for alternative documentation on installing on Gentoo including ebuilds for all the packages used.

=====Fedora Core=====
RPM packages for Fedora Core and installation instructions are available [[Installing Fedora Core 5 on a ThinkPad X41 Tablet#Fingerprint_Reader|here]]

====Installing from source====
{{HINT|
For Ubuntu you'll need at least these packages, or building will fail:
* build-essential
* automake
* libqt3-headers
}}
* Get the bioapi source:
:{{cmduser|wget http://bioapi-linux.googlecode.com/files/bioapi_1.2.3.tar.gz}}
* Edit the configure file to patch a bug. At line 25975, change
:<code>bnv_qt_LIBS="-l$bnv_qt_lib_dir $LIBS"</code>
:to
:<code>bnv_qt_LIBS="-L$bnv_qt_lib_dir $LIBS"</code>
* Compile bioapi:
:{{cmduser|tar xzf bioapi_1.2.3.tar.gz}}
:{{cmduser|cd bioapi-1.2.3}}
:{{cmduser|1=./configure}}
:{{cmduser|make}}
:and then as root
:{{cmdroot|make install}}
* If configure fails when checking the Qt installation, you may need to manually specify the Qt lib directory and Qt lib name. For example:
:{{cmduser|1=./configure --with-Qt-lib-dir=/usr/lib/qt3 --with-Qt-lib=qt-mt}}
:or you can compile without the graphical Qt tools:
:{{cmduser|1=./configure --with-Qt-dir=no}}
* If make install fails, be sure you're root and then:
:{{cmdroot|1=export LD_LIBRARY_PATH=/usr/local/lib}}
:{{cmdroot|make install}}
:and if you want to compile [http://code.google.com/p/pam-bioapi/ pam_bioapi] for auth later
:{{cmdroot|cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include}}
:Be aware that checkinstall will not work!
* By default, bioapi will install several files in {{path|/usr/local/bin}}, including files with "self-explanatory" names such as {{path|/usr/local/bin/Sample}}. To prevent this pollution:
:Create a dedicated directory, for example {{path|/opt/bioapi}} .
:Append <tt>--prefix=/opt/bioapi</tt> to the above <tt>./configure</tt> command.
:Append {{path|/opt/bioapi/bin}} to <tt>$PATH</tt> and {{path|/opt/bioapi/lib}} to <tt>$LD_LIBRARY_PATH</tt>.
:When installing the driver (below), tell it the new install path: {{cmdroot|sh install.sh /opt/bioapi/lib}}

====Adjusting ldconfigs library search path====
At least on {{Fedora}} or {{Aurox}} 11, you may need to add {{path|/usr/local/lib}} to the library path so that the libraries referenced from <tt>pam_bioapi.so</tt> get picked up properly. The usual way to do this is adding it to the ldconfig configuration:
:{{cmdroot|echo '/usr/local/lib' > /etc/ld.so.conf.d/bioapi.conf}}
:{{cmdroot|ldconfig}}
Alternatively you can add it to the LD_LIBRARY variable.

If you see bioapi libs in the output of
:{{cmdroot|ldconfig -p | grep bioapi}}
then it should work.

===Installing and configuring the driver===
====Installing the driver====
*Download {{path|TFMESS_BSP_LIN_1.0.zip}} from the [http://www.upek.com/support/dl_linux_bsp.asp UPEK support site] and unzip it into a seperate folder, as it will not create one.
*Change to that folder and do as root:
:{{cmdroot|sh install.sh}}
:If you're running Gentoo, Debian or Ubuntu Dapper, use
:{{cmdroot|sh install.sh /usr/lib}}
{{HINT|
For me it didn't work this way, but following did:
:sh install.sh /usr/local/lib
greetings, tec}}
{{HINT|On my debian install I had to "cp libtfmessbsp.so /usr/lib" to avoid a errormessage during "sh install.sh /usr/lib": "Could not find file:/usr/lib/libtfmessbsp.so"}}
:If that fails, it may be that make install failed up above -- try setting LD_LIBRARY_PATH, do the make install again, and come back here and try this again. You also need {{cmd|mod_install|}} from bioapi in your PATH.
:May there still occures and error, which means mod_install: command not found.
:Then login as root - not su!
:Do this:
:{{cmdroot|sh install.sh}}
:again. It should work. SU to root does not work since then the /usr/local/bin directory is not used per default.

====Configuring permissions for non-root use====
If you want to use PAM-aware applications like xscreensaver that are NOT running with root permissions (as opposed to login, gdm or other authentication mechanisms), you may need to do all or at least some of the things in this section. More details on what is necessary on which distributions would be greately appreciated.
*Create two groups, one for access to BioAPI files and the other for access to the usb files. (This is done for full generality; i.e., you may have other USB devices which you want accessable to other users, without exposing your BioAPI configuration to them). Add your normal user (the one you wish to use PAM-aware applications with) to both of these groups.
On {{Debian}} this is done with
:{{cmdroot|addgroup --system bioapi}}
:{{cmdroot|addgroup --system usbfs}}
:{{cmdroot|adduser yournormaluser bioapi}}
:{{cmdroot|adduser yournormaluser usbfs}}
On {{SUSE}} this is done with
:{{cmdroot|groupadd --system bioapi}}
:{{cmdroot|groupadd --system usbfs}}
:{{cmdroot|groupmod -A yournormaluser bioapi}}
:{{cmdroot|groupmod -A yournormaluser usbfs}}
On {{Mandriva}} this is done with
:{{cmdroot|groupadd -r bioapi}}
:{{cmdroot|groupadd -r usbfs}}
:{{cmdroot|usermod -G bioapi,usbfs yournormaluser}}
On {{Fedora}} this is done with
:{{cmdroot|groupadd bioapi}}
:{{cmdroot|groupadd usbfs}}
:{{cmdroot|usermod -G bioapi,usbfs yournormaluser}}

:(where {{cmd|yournormaluser|}} is your normal user name). You will need to log out and log back in for this to take effect.
*Set permissions on the BioAPI config/registry directory:
:{{cmdroot|chown -R root:bioapi /usr/local/var/bioapi/}}
:{{cmdroot|chmod -R 770 /usr/local/var/bioapi/}}
:(change this path if you used an alternate BioAPI install directory above)
*Set permissions on the files in {{path|/proc/bus/usb}}:
:{{cmdroot|chown -R root:usbfs /proc/bus/usb}}
:{{cmdroot|chmod -R g+X /proc/bus/usb}}
:{{cmdroot|chown root:usbfs /proc/bus/usb/`lsusb <nowiki>|</nowiki> sed -ne "/0483:2016/s/Bus\ $.*$\ Device\ $.*$:\ .*/\1\/\2/p"`}}
:{{cmdroot|chmod 660 /proc/bus/usb/`lsusb <nowiki>|</nowiki> sed -ne "/0483:2016/s/Bus\ $.*$\ Device\ $.*$:\ .*/\1\/\2/p"`}}
:You may need to replace {{cmd|lsusb|}} with its full path, which is something like {{cmd|/sbin/lsusb|}} or {{cmd|/usr/bin/lsusb|}} depending on your distro. It might be necessary to put these lines into a script which is run at startup and resume from suspend/hibernate.
In {{Fedora}} {{cmd|lsusb|}} is not installed by default. To intall it just type:
:{{cmdroot|yum install usbutils}}

*As an alternative to the {{cmd|chown|}}/{{cmd|chmod|}} commands above, you can set mount options for usbfs with a line in {{path|/etc/fstab|}}; an example would be
none /proc/bus/usb usbfs defaults,devgid=108,devmode=0660,busgid=108,busmode=0770,listgid=108,listmode=0660 0 0
:where 108 is replaced with the numerical group ID of the usbfs group (you can determine this with something like {{cmd|cat /etc/group <nowiki>|</nowiki> grep usbfs <nowiki>|</nowiki> cut -d':' -f 3|}}). Make sure you only have one {{path|/proc/bus/usb}} entry in {{path|/etc/fstab}}. See the {{cmd|mount(8)|}} manpage for more information on these options. This is "cleaner" but seems to have a few weird issues -- see the talk page for details.
*You may also have files in {{path|/dev/bus/usb}}, which the driver will try before {{path|/proc/bus/usb}}. If this is another usbfs mount point ({{cmd|mount|}} shows a line containing {{cmdresult|/dev/bus/usb type usbfs}}), then simply follow the above instructions with {{path|/dev/bus/usb}} rather than {{path|/proc/bus/usb}}. Otherwise, you may be running a new kernel (i.e. 2.6.15) that makes usbfs-like files available through {{path|/dev/bus/usb}}.
*On systems running udev these files are dynamically created; you can configure their permissions by editing a udev config file. On Debian this is done by changing the <tt>usb_device</tt> line of {{path|/etc/udev/permissions.rules}} to read
SUBSYSTEM=="usb_device", MODE="0660", GROUP="usbfs"
*For the beta versions only, there is a logfile, which needs to exist with the proper permissions:
:{{cmdroot|touch /var/log/BSP.log && chown root:bioapi /var/log/BSP.log && chmod 660 /var/log/BSP.log}}

====Miscellaneous configuration====
* To increase the security level (minimize false accept rate), set this in {{path|/etc/tfmessbsp.cfg}}:
security-level="5"
{{WARN|Please see discussion section Security Level!}}

===Testing the driver and enrolling a fingerprint===
To test the driver and generate the file containing your fingerprint information, you need a sample program included with the driver. The compilation steps below were discovered by trial and error; if they don't work for you, try the binary {{cmd|Sample|}} utility that came with the beta versions of the driver (i.e., {{path|TFMESS_BSP_LIN_1.0beta2.zip}} as mentioned above).
Go to the folder where you extracted {{path|TFMESS_BSP_LIN_1.0.zip}} and do:
:{{cmdroot|cd NonGUI_Sample}}
:Edit {{path|main.c|}} and remove (or comment out) the line
#include "port/bioapi_port.h"
:then add the line
#include <stdlib.h>
:{{cmdroot|gcc -o Sample main.c -L/usr/local/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN}}
:{{cmdroot|./Sample}}
:Note that Sample may only run as root, unless you've already configured the usbfs file permissions.
:You can try to "e"nroll (to record a fingerprint for an account) and then "v"erify (to test a fingerprint against the one it expects for an account).
:You'll save a step later if you use your own login username as the username to enroll here.
:If running {{cmd |./Sample|}} produces the error message 'BioAPI_ModuleLoad failed, BioAPI Error Code: 6477 (0x194d)'
:then uncommenting the line
://BioAPI_SetGUICallbacks(gModuleHandle, NULL, NULL,TextGuiCallback, NULL);
:in {{path|main.c|}} can help.

==Login via pam_bioapi==

The following explains how to add fingerprint authentiation to programs that use the PAM (Pluggable Authentication Modules) framework, such as Gnome's GDM and KDE's KDM and screensaver.

===Getting required libs & tools===
====Installing pam_bioapi====
*Prerequisites
:On SuSE 10, I needed to install the pam-devel RPM
:In general, you will need pam itself (standard for most distros) as well as the pam development files (probably an optional package for your distro).
*Get and compile the pam_bioapi module.
{{HINT|A new version, pam_bioapi 0.3.0, with multi-finger and identification support can be found [http://www.nax.cz/pub/bioapi/pam_bioapi/pam-bioapi_0.3.0.tar.gz here].
There's work in progress. pam_bioapi and biometrics-manager can be downloaded [http://download.savannah.gnu.org/releases/pam-bioapi/ here].}}
:{{cmduser|wget http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2}}
:{{cmduser|tar xjf pam_bioapi-latest.tar.bz2}}
:{{cmduser|cd pam_bioapi-0.2.1}}
:{{cmduser|wget http://badcode.de/downloads/fingerprint.patch}}
:{{cmduser|patch -p0 < fingerprint.patch}}
:If you want to, review the patch. In general you should review all code you download and compile, if possible.
:{{cmduser|<nowiki>./configure --libdir=/lib && make </nowiki>}}
:and as root
:{{cmdroot| make install}}
{{NOTE|If you get a 'rpl_malloc' error in /var/log/auth.log when trying to use the fingerprint reader, redo these steps and remove the related term from Makefile after running ./configure. (FC3, Debian etch)}}
*If you get 'configure: error: cannot find required header: security/_pam_macros.h' and are on a Debian-like system, do "apt-get install libpam0g-dev" and try again. If you are using a Mandriva distribution, do "urpmi libpam0-devel" instead.
*If you get 'configure: error: cannot find required header: security/pam_modules.h' and are on a Debian-like system, do "apt-get install libpam0g-dev" and try again.
*If you get 'configure: error: cannot find required header: sqlite3.h' and are on a Debian-like system, do "apt-get install libsqlite3-dev" and try again.
*If you get 'make: msgfmt: command not found' and are on a Debian-like system, do "apt-get install gettext" and try again.
*If you get 'PAM [dlerror: /lib/security/pam_bioapi.so: undefined symbol: BioAPIMemoryFuncs]' error in your syslog, replace 'LIBS = ' line in {{path|libpam_bioapi/makefile}} with the following (of course, replace {{path|/opt/bioapi/}} with the path where you installed bioapi):
LIBS = -L/opt/bioapi/lib -lbioapi100 -lbioapi_mds300 -lmds_util
*Use the sample tool from the fingerprint reader to create {{path|<username>.bir}} (<tt><username></tt> '''must''' be the username you want to login with. gdm will probably break for any login name that has no .bir file).
*As root do:
:{{cmdroot|SERIAL<nowiki>=`BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: $.\{9\}$$.\{4\}$$.\{4\}$$.\{4\}$$.*$/\1-\2-\3-\4-\5/gp}"` </nowiki>}}
:{{cmdroot|echo $SERIAL}} should print something like {{cmdresult|<nowiki>{5550454b-2054-464d-2f45-535320425350}</nowiki>}} now.
:If it does, do:
:{{cmdroot|mkdir -p /etc/bioapi/pam/$SERIAL}}
:{{cmdroot|cp <username>.bir /etc/bioapi/pam/$SERIAL}}
:If not, you might just try
:{{cmdroot|SERIAL<nowiki>={5550454b-2054-464d-2f45-535320425350}</nowiki>}}
:as this value is hardcoded into the UPEK docs.

===Configuring pam===
The following part is distribution specific. On {{Ubuntu}} or {{SUSE}} you can modify {{path|/etc/pam.d/common-auth}} (on {{Gentoo}} and {{Fedora}} it is {{path|/etc/pam.d/system-auth}}) to look like this:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
password sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth required pam_unix.so nullok_secure

----
For '''Gentoo'''-Users - this allows you to attempt a password first. If you simply press enter, it then prompts for a fingerprints. Create a file named {{path|/etc/pam.d/bioapi}}. This also means that remote services, such as SSH keep working:

auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth required pam_deny.so

account required pam_unix.so

session required pam_limits.so
session required pam_unix.so

----

Now, simply replace "auth include system-auth" in all services that you wish to use fingerprint for with "auth include bioapi". For example, {{path|/etc/pam.d/kde}} by default contains

auth include system-auth
auth required pam_nologin.so

account include system-auth

password include system-auth

session include system-auth

Simply replace the first "system-auth" with bioapi and you can also get rid of KDE desktop lock with a fingerprint. If you do not wish to allow for "password fallback" then remove

auth sufficient pam_unix.so likeauth nullok

from {{path|/etc/pam.d/bioapi}}.

{{WARN|If su/sudo expects to receive the root password (SuSE 10), you need to have fingerprint settings for root (that is, copy in a root.bir as well as a your-username.bir). Otherwise, they get a segmentation fault. Which is a little unfortunate, given that you need to su or sudo to change your settings... }}
{{WARN|Not only SuSE 10 requires root.bir to be available for su to work. Just make sure you have root.bir when su is not working with your fingerprint reader but other applications are...}}
Note that sshd may pick up the fingerprint settings from {{path|/etc/pam.d/common-auth}}. I didn't want that, so I removed the "auth include common-auth" line from {{path|/etc/pam.d/sshd}} and replaced it with the lines that were originally in my {{path|/etc/pam.d/common-auth}}. That way most local services use the fingerprint reader, but sshd does not.

{{NOTE|su/sudo will call for your fingerprint even if you are remote via ssh. Pressing *CTLR-c* (or closing graphic window) will allow you the desired password option.}}

Another way to do this is to create a file ({{path|/etc/pam.d/bioapi|}} for example) which contains the {{cmd|pam_bioapi.so|}} lines, and explicitly {{cmd|@include|}} this '''before''' {{path|/etc/pam.d/common-auth|}} in the files for services which should use the fingerprint reader. In this case you should leave {{path|/etc/pam.d/common-auth|}} alone.

{{NOTE|This was discovered through trial and success, if it is plain wrong, wikorrect it, please.}}

In {{Fedora}} the original 'session' terms in {{path|/etc/pam.d/system-auth}} need to be kept.

{{HINT|The setup described above will/could affect remote ssh logins to also use biometric logins, which is a bit silly (who wants to remote ssh to the laptop, and then have to walk over to it and swipe your finger) To avoid that you can copy the default <tt>/etc/pam.d/system-auth</tt> to <tt>/etc/pam.d/sshd</tt> which will allow the sshd service to use the standard authentication procedure.}}

----

To enable normal password authorization to work with remote SSH in {{SUSE}} 10.3, edit the <tt>/etc/pam.d/sshd</tt> file. Remove all entries and replace them with:

auth required pam_env.so
auth required pam_unix2.so
auth required pam_nologin.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_limits.so
session required pam_unix2.so

{{NOTE|These entries are what common-auth normally does. Since we've changed common-auth around for bioapi, these need to be specified manually. -Ransak}}

----

You can do some useful testing with [http://pamtester.sourceforge.net/ {{cmd|pamtester|}}], which calls the pam modules as if it were a program of your choice. Examples:
:{{cmdroot|pamtester xdm yourusername authenticate}}
:{{cmduser|pamtester xscreensaver yourusername authenticate}}
where {{cmd|yourusername|}} is your username. Note that {{cmd|pamtester|}} should run as root if and only if the program in question does.

===Application support===
The implementation of fingerprint scanning support in the relevant applications varies.

Here is the behaviour of the most common ones:
* In gdm enter your username and there should pop up an (ugly) image to swipe your finger and... magic - you can login without a password.
* kdm doesn't give any visual indication, other than that the cursor stops blinking. Just swipe your finger and hope it lets you log in.
* In xdm, enter your username and a blank password, then swipe (there is no popup as well). Identification support for xdm can be achieved with [http://www.nax.cz/pub/bioapi/2005/xdm/xdm_bio.patch this patch].
* The KDE screen saver in SUSE 10 requires you to enter an empty password (or select the correct user and then enter an empty password) in order to get the fingerprint prompt.
* For Fedora users, the redhat-config tools will crash if no root.bir presents. Also, there won't be any visual idication unless X server is properly configured for root to access. Just swipe your finger when the HDD stopped blinking or issue the following command in advance:
:{{cmduser|xhost +local:}}
* For RHEL4 users gdm, console (virtual terminal) logins and the xscreensaver all work

===kdm support===
To add graphical popup to kdm, you need following:
* Patch for pam_bioapi. This patch adds third parameter to {{path|pam_bioapi.so}} module, which is a name of file with additional environment variables that will be supplied to the UPEK driver.
:{{cmdroot|wget http://upir.cz/linux/patches/pam_bioapi-0.2.1-alter-environ.patch}}
:{{cmdroot|patch -p1 < pam_bioapi-0.2.1-alter-environ.patch}}
* Edit your {{path|Xsetup}} file (on SUSE 10 it's {{path|/etc/X11/xdm/Xsetup}}) and add these lines:
echo "XAUTHORITY=$XAUTHORITY" > /var/lib/xdm/kdm_env
echo "DISPLAY=$DISPLAY" >> /var/lib/xdm/kdm_env
* In {{path|/etc/pam.d/xdm}} file, add {{path|/var/lib/xdm/kdm_env}} as a third parameter for {{path|pam_bioapi.so}} module:
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/ /var/lib/xdm/kdm_env
* On Ubuntu simply do:
echo "DISPLAY=$DISPLAY" >> /var/lib/kdm/kdm_env
* If you have created /etc/pam.d/bioapi then modify:
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/ /var/lib/kdm/kdm_env

Please note, that this won't work if you have more than one Xserver.

==Make xscreensaver use the scanner==
If you are using Gentoo, you can get a portage overlay with the necessary patches here: http://dl.getdropbox.com/u/869/xscreensaver-fingerprint-overlay.tar.gz
*Get the needed xscreensaver sources:
:{{cmduser|wget http://www.jwz.org/xscreensaver/xscreensaver-4.23.tar.gz}}
:{{cmduser|tar xzf xscreensaver-4.23.tar.gz}}
:{{cmduser|cd xscreensaver-4.23}}
:{{cmduser|wget http://www.nax.cz/pub/bioapi/2005/xscreensaver/xscreensaver-4.22_alternativeAuth.diff mirror: http://zepan.org/files/xscreensaver-4.22_alternativeAuth.diff For xscreensaver 5.00, you can get a patch here: http://dl.getdropbox.com/u/869/xscreensaver-5.00-alternativeauth.patch}}
*After reviewing the patch (it's small and straightforward), do
:{{cmduser|patch -p1 < xscreensaver-4.22_alternativeAuth.diff}} The patch prevents xscreensaver from opening an authentification window and dispatches the authentification request to another program, in our case <tt>pam</tt> and <tt>pam_bioapi</tt>. It should apply with some offset, don't mind that. If it says something about rejected though, then there's a problem.
*Compile with
:{{cmduser|./configure --with-pam && make}} 
*If you receive an error like "Couldn't find X11 headers/libs" and are running a Debian-like system, try "apt-get install xlibs-dev"
*If you receive an error like "undefined reference to `XmuPrintDefaultErrorMessage'" then install the libxmu-dev package and run the previous line again and then install as root with
:{{cmduser|su -c make install}} .
*Make sure that the newly compiled xscreensaver is used:
:{{cmduser|which xscreensaver}} should return
:{{cmdresult|/usr/local/bin/xscreensaver}} .
*In case it doesn't, try adjusting your PATH.

==Common problems==
===Bioapi error #3===
This is sometimes caused by improper permissions. The full error message is "BioAPI Error Code: 3 (0x3)".

However, at least on Gentoo, recent upgrades to glibc and gcc 4.1.1 caused Bioapi to break down due to some sort of incompatibility with bioapi registry. Reinstalling does '''not''' repair the issue automatically. However, you can still fix the issue manually, by removing /var/bioapi. You need to reinstall tfm-fingerprint driver after reinstalling bioapi so that the driver is properly re-registered. As root, type

:{{cmdroot|emerge -C bioapi}}
:{{cmdroot|rm -rf /var/bioapi}}
:{{cmdroot|emerge -av1 bioapi tfm-fingerprint}}

How to enable integrated fingerprint reader with BioAPI

2009-09-14T11:38:05Z

ZZamboni: Changed URL of xscreensaver-fingerprint-overlay.tar.gz (current copy will disappear soon)

{| width="100%"
|style="vertical-align:top;padding-right:20px;width:10px;white-space:nowrap;" | __TOC__
|style="vertical-align:top" |
This page describes the process of getting the [[Integrated Fingerprint Reader|integrated fingerprint reader]] to work under Linux, using bioapi and binary-only drivers. It is based on experiences in {{Ubuntu}} on a T43. The same works on {{Fedora}} 4 and 5, RHEL4, SuSE 9.3, SuSE 10, and {{Gentoo}}. Note that experimental open-source driver is available, see [[How to enable the fingerprint reader with ThinkFinger|the apropriate page]] for details.
|}

==Basic installation==
===Installing the bioapi framework===
====Automated installation script====
The [[Script for enabling the fingerprint reader]] automates the installation of most components (bioapi framework, driver, pam_bioapi, pam setup, device permissions, pamtester and enrolling), for some Linux distributions.

====Binary packages====

Note that these packages only take care of this one section. If you can use one, you should do so and then proceed to the section entitled, Installing and Configuring the Driver.

=====Debian/ Ubuntu Dapper=====
*If you're using {{Debian}} Sid (the unstable branch) or {{Ubuntu}} Dapper Drake 6.06 LTS you can try the packages from Michael R. Crusoe's site, either [http://www.qrivy.net/~michael/temp/ version 1.2.3] (recommended) or [http://www.qrivy.net/~michael/debs/unstable/ older versions] which might not work with the steps in this howto.

{{HINT|Ignore the warning about not finding ''/usr/lib/libqtpwbsp.so'', it's not fatal.}}

=====Gentoo=====
Gentoo now includes needed ebuilds. Just run

''ACCEPT_KEYWORDS=~x86 emerge pam_bioapi''

You can also grab the [http://www.qrivy.net/~michael/blua/bioapi/bioapi-1.2.2.ebuild.tar.bz2 ebuild], or use the source-install procedure below.

Also see [http://toe.ch/~tsa/ibm-fingerprint/ http://toe.ch/~tsa/ibm-fingerprint/] for alternative documentation on installing on Gentoo including ebuilds for all the packages used.

=====Fedora Core=====
RPM packages for Fedora Core and installation instructions are available [[Installing Fedora Core 5 on a ThinkPad X41 Tablet#Fingerprint_Reader|here]]

====Installing from source====
{{HINT|
For Ubuntu you'll need at least these packages, or building will fail:
* build-essential
* automake
* libqt3-headers
}}
* Get the bioapi source:
:{{cmduser|wget http://bioapi-linux.googlecode.com/files/bioapi_1.2.3.tar.gz}}
* Edit the configure file to patch a bug. At line 25975, change
:<code>bnv_qt_LIBS="-l$bnv_qt_lib_dir $LIBS"</code>
:to
:<code>bnv_qt_LIBS="-L$bnv_qt_lib_dir $LIBS"</code>
* Compile bioapi:
:{{cmduser|tar xzf bioapi_1.2.3.tar.gz}}
:{{cmduser|cd bioapi-1.2.3}}
:{{cmduser|1=./configure}}
:{{cmduser|make}}
:and then as root
:{{cmdroot|make install}}
* If configure fails when checking the Qt installation, you may need to manually specify the Qt lib directory and Qt lib name. For example:
:{{cmduser|1=./configure --with-Qt-lib-dir=/usr/lib/qt3 --with-Qt-lib=qt-mt}}
:or you can compile without the graphical Qt tools:
:{{cmduser|1=./configure --with-Qt-dir=no}}
* If make install fails, be sure you're root and then:
:{{cmdroot|1=export LD_LIBRARY_PATH=/usr/local/lib}}
:{{cmdroot|make install}}
:and if you want to compile [http://code.google.com/p/pam-bioapi/ pam_bioapi] for auth later
:{{cmdroot|cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include}}
:Be aware that checkinstall will not work!
* By default, bioapi will install several files in {{path|/usr/local/bin}}, including files with "self-explanatory" names such as {{path|/usr/local/bin/Sample}}. To prevent this pollution:
:Create a dedicated directory, for example {{path|/opt/bioapi}} .
:Append <tt>--prefix=/opt/bioapi</tt> to the above <tt>./configure</tt> command.
:Append {{path|/opt/bioapi/bin}} to <tt>$PATH</tt> and {{path|/opt/bioapi/lib}} to <tt>$LD_LIBRARY_PATH</tt>.
:When installing the driver (below), tell it the new install path: {{cmdroot|sh install.sh /opt/bioapi/lib}}

====Adjusting ldconfigs library search path====
At least on {{Fedora}} or {{Aurox}} 11, you may need to add {{path|/usr/local/lib}} to the library path so that the libraries referenced from <tt>pam_bioapi.so</tt> get picked up properly. The usual way to do this is adding it to the ldconfig configuration:
:{{cmdroot|echo '/usr/local/lib' > /etc/ld.so.conf.d/bioapi.conf}}
:{{cmdroot|ldconfig}}
Alternatively you can add it to the LD_LIBRARY variable.

If you see bioapi libs in the output of
:{{cmdroot|ldconfig -p | grep bioapi}}
then it should work.

===Installing and configuring the driver===
====Installing the driver====
*Download {{path|TFMESS_BSP_LIN_1.0.zip}} from the [http://www.upek.com/support/dl_linux_bsp.asp UPEK support site] and unzip it into a seperate folder, as it will not create one.
*Change to that folder and do as root:
:{{cmdroot|sh install.sh}}
:If you're running Gentoo, Debian or Ubuntu Dapper, use
:{{cmdroot|sh install.sh /usr/lib}}
{{HINT|
For me it didn't work this way, but following did:
:sh install.sh /usr/local/lib
greetings, tec}}
{{HINT|On my debian install I had to "cp libtfmessbsp.so /usr/lib" to avoid a errormessage during "sh install.sh /usr/lib": "Could not find file:/usr/lib/libtfmessbsp.so"}}
:If that fails, it may be that make install failed up above -- try setting LD_LIBRARY_PATH, do the make install again, and come back here and try this again. You also need {{cmd|mod_install|}} from bioapi in your PATH.
:May there still occures and error, which means mod_install: command not found.
:Then login as root - not su!
:Do this:
:{{cmdroot|sh install.sh}}
:again. It should work. SU to root does not work since then the /usr/local/bin directory is not used per default.

====Configuring permissions for non-root use====
If you want to use PAM-aware applications like xscreensaver that are NOT running with root permissions (as opposed to login, gdm or other authentication mechanisms), you may need to do all or at least some of the things in this section. More details on what is necessary on which distributions would be greately appreciated.
*Create two groups, one for access to BioAPI files and the other for access to the usb files. (This is done for full generality; i.e., you may have other USB devices which you want accessable to other users, without exposing your BioAPI configuration to them). Add your normal user (the one you wish to use PAM-aware applications with) to both of these groups.
On {{Debian}} this is done with
:{{cmdroot|addgroup --system bioapi}}
:{{cmdroot|addgroup --system usbfs}}
:{{cmdroot|adduser yournormaluser bioapi}}
:{{cmdroot|adduser yournormaluser usbfs}}
On {{SUSE}} this is done with
:{{cmdroot|groupadd --system bioapi}}
:{{cmdroot|groupadd --system usbfs}}
:{{cmdroot|groupmod -A yournormaluser bioapi}}
:{{cmdroot|groupmod -A yournormaluser usbfs}}
On {{Mandriva}} this is done with
:{{cmdroot|groupadd -r bioapi}}
:{{cmdroot|groupadd -r usbfs}}
:{{cmdroot|usermod -G bioapi,usbfs yournormaluser}}
On {{Fedora}} this is done with
:{{cmdroot|groupadd bioapi}}
:{{cmdroot|groupadd usbfs}}
:{{cmdroot|usermod -G bioapi,usbfs yournormaluser}}

:(where {{cmd|yournormaluser|}} is your normal user name). You will need to log out and log back in for this to take effect.
*Set permissions on the BioAPI config/registry directory:
:{{cmdroot|chown -R root:bioapi /usr/local/var/bioapi/}}
:{{cmdroot|chmod -R 770 /usr/local/var/bioapi/}}
:(change this path if you used an alternate BioAPI install directory above)
*Set permissions on the files in {{path|/proc/bus/usb}}:
:{{cmdroot|chown -R root:usbfs /proc/bus/usb}}
:{{cmdroot|chmod -R g+X /proc/bus/usb}}
:{{cmdroot|chown root:usbfs /proc/bus/usb/`lsusb <nowiki>|</nowiki> sed -ne "/0483:2016/s/Bus\ $.*$\ Device\ $.*$:\ .*/\1\/\2/p"`}}
:{{cmdroot|chmod 660 /proc/bus/usb/`lsusb <nowiki>|</nowiki> sed -ne "/0483:2016/s/Bus\ $.*$\ Device\ $.*$:\ .*/\1\/\2/p"`}}
:You may need to replace {{cmd|lsusb|}} with its full path, which is something like {{cmd|/sbin/lsusb|}} or {{cmd|/usr/bin/lsusb|}} depending on your distro. It might be necessary to put these lines into a script which is run at startup and resume from suspend/hibernate.
In {{Fedora}} {{cmd|lsusb|}} is not installed by default. To intall it just type:
:{{cmdroot|yum install usbutils}}

*As an alternative to the {{cmd|chown|}}/{{cmd|chmod|}} commands above, you can set mount options for usbfs with a line in {{path|/etc/fstab|}}; an example would be
none /proc/bus/usb usbfs defaults,devgid=108,devmode=0660,busgid=108,busmode=0770,listgid=108,listmode=0660 0 0
:where 108 is replaced with the numerical group ID of the usbfs group (you can determine this with something like {{cmd|cat /etc/group <nowiki>|</nowiki> grep usbfs <nowiki>|</nowiki> cut -d':' -f 3|}}). Make sure you only have one {{path|/proc/bus/usb}} entry in {{path|/etc/fstab}}. See the {{cmd|mount(8)|}} manpage for more information on these options. This is "cleaner" but seems to have a few weird issues -- see the talk page for details.
*You may also have files in {{path|/dev/bus/usb}}, which the driver will try before {{path|/proc/bus/usb}}. If this is another usbfs mount point ({{cmd|mount|}} shows a line containing {{cmdresult|/dev/bus/usb type usbfs}}), then simply follow the above instructions with {{path|/dev/bus/usb}} rather than {{path|/proc/bus/usb}}. Otherwise, you may be running a new kernel (i.e. 2.6.15) that makes usbfs-like files available through {{path|/dev/bus/usb}}.
*On systems running udev these files are dynamically created; you can configure their permissions by editing a udev config file. On Debian this is done by changing the <tt>usb_device</tt> line of {{path|/etc/udev/permissions.rules}} to read
SUBSYSTEM=="usb_device", MODE="0660", GROUP="usbfs"
*For the beta versions only, there is a logfile, which needs to exist with the proper permissions:
:{{cmdroot|touch /var/log/BSP.log && chown root:bioapi /var/log/BSP.log && chmod 660 /var/log/BSP.log}}

====Miscellaneous configuration====
* To increase the security level (minimize false accept rate), set this in {{path|/etc/tfmessbsp.cfg}}:
security-level="5"
{{WARN|Please see discussion section Security Level!}}

===Testing the driver and enrolling a fingerprint===
To test the driver and generate the file containing your fingerprint information, you need a sample program included with the driver. The compilation steps below were discovered by trial and error; if they don't work for you, try the binary {{cmd|Sample|}} utility that came with the beta versions of the driver (i.e., {{path|TFMESS_BSP_LIN_1.0beta2.zip}} as mentioned above).
Go to the folder where you extracted {{path|TFMESS_BSP_LIN_1.0.zip}} and do:
:{{cmdroot|cd NonGUI_Sample}}
:Edit {{path|main.c|}} and remove (or comment out) the line
#include "port/bioapi_port.h"
:then add the line
#include <stdlib.h>
:{{cmdroot|gcc -o Sample main.c -L/usr/local/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN}}
:{{cmdroot|./Sample}}
:Note that Sample may only run as root, unless you've already configured the usbfs file permissions.
:You can try to "e"nroll (to record a fingerprint for an account) and then "v"erify (to test a fingerprint against the one it expects for an account).
:You'll save a step later if you use your own login username as the username to enroll here.
:If running {{cmd |./Sample|}} produces the error message 'BioAPI_ModuleLoad failed, BioAPI Error Code: 6477 (0x194d)'
:then uncommenting the line
://BioAPI_SetGUICallbacks(gModuleHandle, NULL, NULL,TextGuiCallback, NULL);
:in {{path|main.c|}} can help.

==Login via pam_bioapi==

The following explains how to add fingerprint authentiation to programs that use the PAM (Pluggable Authentication Modules) framework, such as Gnome's GDM and KDE's KDM and screensaver.

===Getting required libs & tools===
====Installing pam_bioapi====
*Prerequisites
:On SuSE 10, I needed to install the pam-devel RPM
:In general, you will need pam itself (standard for most distros) as well as the pam development files (probably an optional package for your distro).
*Get and compile the pam_bioapi module.
{{HINT|A new version, pam_bioapi 0.3.0, with multi-finger and identification support can be found [http://www.nax.cz/pub/bioapi/pam_bioapi/pam-bioapi_0.3.0.tar.gz here].
There's work in progress. pam_bioapi and biometrics-manager can be downloaded [http://download.savannah.gnu.org/releases/pam-bioapi/ here].}}
:{{cmduser|wget http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2}}
:{{cmduser|tar xjf pam_bioapi-latest.tar.bz2}}
:{{cmduser|cd pam_bioapi-0.2.1}}
:{{cmduser|wget http://badcode.de/downloads/fingerprint.patch}}
:{{cmduser|patch -p0 < fingerprint.patch}}
:If you want to, review the patch. In general you should review all code you download and compile, if possible.
:{{cmduser|<nowiki>./configure --libdir=/lib && make </nowiki>}}
:and as root
:{{cmdroot| make install}}
{{NOTE|If you get a 'rpl_malloc' error in /var/log/auth.log when trying to use the fingerprint reader, redo these steps and remove the related term from Makefile after running ./configure. (FC3, Debian etch)}}
*If you get 'configure: error: cannot find required header: security/_pam_macros.h' and are on a Debian-like system, do "apt-get install libpam0g-dev" and try again. If you are using a Mandriva distribution, do "urpmi libpam0-devel" instead.
*If you get 'configure: error: cannot find required header: security/pam_modules.h' and are on a Debian-like system, do "apt-get install libpam0g-dev" and try again.
*If you get 'configure: error: cannot find required header: sqlite3.h' and are on a Debian-like system, do "apt-get install libsqlite3-dev" and try again.
*If you get 'make: msgfmt: command not found' and are on a Debian-like system, do "apt-get install gettext" and try again.
*If you get 'PAM [dlerror: /lib/security/pam_bioapi.so: undefined symbol: BioAPIMemoryFuncs]' error in your syslog, replace 'LIBS = ' line in {{path|libpam_bioapi/makefile}} with the following (of course, replace {{path|/opt/bioapi/}} with the path where you installed bioapi):
LIBS = -L/opt/bioapi/lib -lbioapi100 -lbioapi_mds300 -lmds_util
*Use the sample tool from the fingerprint reader to create {{path|<username>.bir}} (<tt><username></tt> '''must''' be the username you want to login with. gdm will probably break for any login name that has no .bir file).
*As root do:
:{{cmdroot|SERIAL<nowiki>=`BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: $.\{9\}$$.\{4\}$$.\{4\}$$.\{4\}$$.*$/\1-\2-\3-\4-\5/gp}"` </nowiki>}}
:{{cmdroot|echo $SERIAL}} should print something like {{cmdresult|<nowiki>{5550454b-2054-464d-2f45-535320425350}</nowiki>}} now.
:If it does, do:
:{{cmdroot|mkdir -p /etc/bioapi/pam/$SERIAL}}
:{{cmdroot|cp <username>.bir /etc/bioapi/pam/$SERIAL}}
:If not, you might just try
:{{cmdroot|SERIAL<nowiki>={5550454b-2054-464d-2f45-535320425350}</nowiki>}}
:as this value is hardcoded into the UPEK docs.

===Configuring pam===
The following part is distribution specific. On {{Ubuntu}} or {{SUSE}} you can modify {{path|/etc/pam.d/common-auth}} (on {{Gentoo}} and {{Fedora}} it is {{path|/etc/pam.d/system-auth}}) to look like this:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
password sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth required pam_unix.so nullok_secure

----
For '''Gentoo'''-Users - this allows you to attempt a password first. If you simply press enter, it then prompts for a fingerprints. Create a file named {{path|/etc/pam.d/bioapi}}. This also means that remote services, such as SSH keep working:

auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth required pam_deny.so

account required pam_unix.so

session required pam_limits.so
session required pam_unix.so

----

Now, simply replace "auth include system-auth" in all services that you wish to use fingerprint for with "auth include bioapi". For example, {{path|/etc/pam.d/kde}} by default contains

auth include system-auth
auth required pam_nologin.so

account include system-auth

password include system-auth

session include system-auth

Simply replace the first "system-auth" with bioapi and you can also get rid of KDE desktop lock with a fingerprint. If you do not wish to allow for "password fallback" then remove

auth sufficient pam_unix.so likeauth nullok

from {{path|/etc/pam.d/bioapi}}.

{{WARN|If su/sudo expects to receive the root password (SuSE 10), you need to have fingerprint settings for root (that is, copy in a root.bir as well as a your-username.bir). Otherwise, they get a segmentation fault. Which is a little unfortunate, given that you need to su or sudo to change your settings... }}
{{WARN|Not only SuSE 10 requires root.bir to be available for su to work. Just make sure you have root.bir when su is not working with your fingerprint reader but other applications are...}}
Note that sshd may pick up the fingerprint settings from {{path|/etc/pam.d/common-auth}}. I didn't want that, so I removed the "auth include common-auth" line from {{path|/etc/pam.d/sshd}} and replaced it with the lines that were originally in my {{path|/etc/pam.d/common-auth}}. That way most local services use the fingerprint reader, but sshd does not.

{{NOTE|su/sudo will call for your fingerprint even if you are remote via ssh. Pressing *CTLR-c* (or closing graphic window) will allow you the desired password option.}}

Another way to do this is to create a file ({{path|/etc/pam.d/bioapi|}} for example) which contains the {{cmd|pam_bioapi.so|}} lines, and explicitly {{cmd|@include|}} this '''before''' {{path|/etc/pam.d/common-auth|}} in the files for services which should use the fingerprint reader. In this case you should leave {{path|/etc/pam.d/common-auth|}} alone.

{{NOTE|This was discovered through trial and success, if it is plain wrong, wikorrect it, please.}}

In {{Fedora}} the original 'session' terms in {{path|/etc/pam.d/system-auth}} need to be kept.

{{HINT|The setup described above will/could affect remote ssh logins to also use biometric logins, which is a bit silly (who wants to remote ssh to the laptop, and then have to walk over to it and swipe your finger) To avoid that you can copy the default <tt>/etc/pam.d/system-auth</tt> to <tt>/etc/pam.d/sshd</tt> which will allow the sshd service to use the standard authentication procedure.}}

----

To enable normal password authorization to work with remote SSH in {{SUSE}} 10.3, edit the <tt>/etc/pam.d/sshd</tt> file. Remove all entries and replace them with:

auth required pam_env.so
auth required pam_unix2.so
auth required pam_nologin.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_limits.so
session required pam_unix2.so

{{NOTE|These entries are what common-auth normally does. Since we've changed common-auth around for bioapi, these need to be specified manually. -Ransak}}

----

You can do some useful testing with [http://pamtester.sourceforge.net/ {{cmd|pamtester|}}], which calls the pam modules as if it were a program of your choice. Examples:
:{{cmdroot|pamtester xdm yourusername authenticate}}
:{{cmduser|pamtester xscreensaver yourusername authenticate}}
where {{cmd|yourusername|}} is your username. Note that {{cmd|pamtester|}} should run as root if and only if the program in question does.

===Application support===
The implementation of fingerprint scanning support in the relevant applications varies.

Here is the behaviour of the most common ones:
* In gdm enter your username and there should pop up an (ugly) image to swipe your finger and... magic - you can login without a password.
* kdm doesn't give any visual indication, other than that the cursor stops blinking. Just swipe your finger and hope it lets you log in.
* In xdm, enter your username and a blank password, then swipe (there is no popup as well). Identification support for xdm can be achieved with [http://www.nax.cz/pub/bioapi/2005/xdm/xdm_bio.patch this patch].
* The KDE screen saver in SUSE 10 requires you to enter an empty password (or select the correct user and then enter an empty password) in order to get the fingerprint prompt.
* For Fedora users, the redhat-config tools will crash if no root.bir presents. Also, there won't be any visual idication unless X server is properly configured for root to access. Just swipe your finger when the HDD stopped blinking or issue the following command in advance:
:{{cmduser|xhost +local:}}
* For RHEL4 users gdm, console (virtual terminal) logins and the xscreensaver all work

===kdm support===
To add graphical popup to kdm, you need following:
* Patch for pam_bioapi. This patch adds third parameter to {{path|pam_bioapi.so}} module, which is a name of file with additional environment variables that will be supplied to the UPEK driver.
:{{cmdroot|wget http://upir.cz/linux/patches/pam_bioapi-0.2.1-alter-environ.patch}}
:{{cmdroot|patch -p1 < pam_bioapi-0.2.1-alter-environ.patch}}
* Edit your {{path|Xsetup}} file (on SUSE 10 it's {{path|/etc/X11/xdm/Xsetup}}) and add these lines:
echo "XAUTHORITY=$XAUTHORITY" > /var/lib/xdm/kdm_env
echo "DISPLAY=$DISPLAY" >> /var/lib/xdm/kdm_env
* In {{path|/etc/pam.d/xdm}} file, add {{path|/var/lib/xdm/kdm_env}} as a third parameter for {{path|pam_bioapi.so}} module:
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/ /var/lib/xdm/kdm_env
* On Ubuntu simply do:
echo "DISPLAY=$DISPLAY" >> /var/lib/kdm/kdm_env
* If you have created /etc/pam.d/bioapi then modify:
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/ /var/lib/kdm/kdm_env

Please note, that this won't work if you have more than one Xserver.

==Make xscreensaver use the scanner==
If you are using Gentoo, you can get a portage overlay with the necessary patches here: http://dl.getdropbox.com/u/869/xscreensaver-fingerprint-overlay.tar.gz
*Get the needed xscreensaver sources:
:{{cmduser|wget http://www.jwz.org/xscreensaver/xscreensaver-4.23.tar.gz}}
:{{cmduser|tar xzf xscreensaver-4.23.tar.gz}}
:{{cmduser|cd xscreensaver-4.23}}
:{{cmduser|wget http://www.nax.cz/pub/bioapi/2005/xscreensaver/xscreensaver-4.22_alternativeAuth.diff mirror: http://zepan.org/files/xscreensaver-4.22_alternativeAuth.diff For xscreensaver 5.00, you can get a patch here: http://www.zzamboni.org/brt/files/xscreensaver-5.00-alternativeauth.patch}}
*After reviewing the patch (it's small and straightforward), do
:{{cmduser|patch -p1 < xscreensaver-4.22_alternativeAuth.diff}} The patch prevents xscreensaver from opening an authentification window and dispatches the authentification request to another program, in our case <tt>pam</tt> and <tt>pam_bioapi</tt>. It should apply with some offset, don't mind that. If it says something about rejected though, then there's a problem.
*Compile with
:{{cmduser|./configure --with-pam && make}} 
*If you receive an error like "Couldn't find X11 headers/libs" and are running a Debian-like system, try "apt-get install xlibs-dev"
*If you receive an error like "undefined reference to `XmuPrintDefaultErrorMessage'" then install the libxmu-dev package and run the previous line again and then install as root with
:{{cmduser|su -c make install}} .
*Make sure that the newly compiled xscreensaver is used:
:{{cmduser|which xscreensaver}} should return
:{{cmdresult|/usr/local/bin/xscreensaver}} .
*In case it doesn't, try adjusting your PATH.

==Common problems==
===Bioapi error #3===
This is sometimes caused by improper permissions. The full error message is "BioAPI Error Code: 3 (0x3)".

However, at least on Gentoo, recent upgrades to glibc and gcc 4.1.1 caused Bioapi to break down due to some sort of incompatibility with bioapi registry. Reinstalling does '''not''' repair the issue automatically. However, you can still fix the issue manually, by removing /var/bioapi. You need to reinstall tfm-fingerprint driver after reinstalling bioapi so that the driver is properly re-registered. As root, type

:{{cmdroot|emerge -C bioapi}}
:{{cmdroot|rm -rf /var/bioapi}}
:{{cmdroot|emerge -av1 bioapi tfm-fingerprint}}

How to hotswap Ultrabay devices

2006-10-10T08:50:23Z

ZZamboni: Patched the ultrabay_open script to unmount filesystems by reverse length of mount point, to unmount nested mountpoints in the correct order.

The following discusses hotswap (AKA "hotplug") of devices in the [[UltraBay]].

==When using the <tt>ide-disk</tt> driver==
The following applies if you use the <tt>ide-disk</tt> driver for the UltraBay device.

Hotswapping is supposed to be supported as well, using either hdparm/[http://packages.debian.org/unstable/admin/hotswap Debian hotswap] or [[lt_hotswap]] to (un)register IDE devices. The latter is the recommended method with kernels from 2.6, since it will leave DMA working. However, for recent models (R52, T43, X41, Z60 and later) no method is known to work while maintaining DMA support; see [[Problems with SATA and Linux]].

Only IDE devices (HDD's, optical drives, zip drives) require special treatment - batteries, floppies and other devices can just be pulled from the bay, provided they are not mounted or in use at the time. However, you should still power them down first using the [[ibm-acpi]] eject function.

The [[ibm-acpi]] kernel module has an eject function ({{cmdroot|echo eject > /proc/acpi/ibm/bay}}). This only manages the ACPI calls to power down the device and the bay. It does not actually unregister the device from the IDE driver. {{cmdroot|cat /proc/acpi/ibm/bay}} shows "unoccupied" unless an IDE device is present, but the eject function still works and should still be used.

To unregister the device, you can either use the [http://packages.debian.org/unstable/admin/hotswap Debian hotswap] package, or [[lt_hotswap]].

[http://packages.debian.org/unstable/admin/hotswap Debian hotswap] also allows the drive to be swapped as a normal user by default, which is useful. You should use <tt>hotswap</tt> to unregister the device and then {{cmdroot|echo eject > /proc/acpi/ibm/bay}}. However, if you use this method on a 2.6 kernel, you will lose DMA support for the reinserted drive. This is due to kernel issues. This method was reported to work on a ThinkPad {{T23}} (kernels 2.6.8.1, 2.6.14.2 and 2.6.15-arch) and {{T42}} (kernel 2.6.13), but fails on a ThinkPad {{T43}} (kernel 2.6.14.3).

[[lt_hotswap]] is now the recommended method to un- and reregister the IDE device. It installs as a kernel module and has support for automatically unregistering the device when the eject event is generated by [[ibm-acpi]]. It will leave DMA support intact. It has supported to work on a ThinkPad {{T22}} and {{T40}} and should work with many other models (but not recent models which require the <tt>ata_piix</tt> driver for disk DMA support).

==When using the <tt>ata_piix</tt> driver==
The following applies when using the <tt>ata_piix</tt> driver, which is necessary for many recent ThinkPad models that use an [[Intel ICH6-M]] controller. See also [[Problems with SATA and Linux]].

Mainline kernels before 2.6.18 cannot reliably recognize newly (re-)inserted UltraBay drives without a reboot. There are experimental hotplug patches against pre-2.6.18 mainline kernels [http://home-tj.org/wiki/index.php/Libata-tj-stable here].

* Available hotplug patches
**[http://home-tj.org/files/libata-tj-stable/libata-tj-2.6.16.16-20060512.tar.bz2 Patch tarball against 2.6.16.16] ([http://lwn.net/Articles/183407/ Announce])
**[http://home-tj.org/files/libata-tj-stable/libata-tj-2.6.17-20060625-1.tar.bz2 Patch tarball against 2.6.17/2.6.17.1] ([http://article.gmane.org/gmane.linux.ide/11598 Announce])
**[http://home-tj.org/files/libata-tj-stable/libata-tj-2.6.17.4-20060710.tar.bz2 Patch tarball against 2.6.17.4]

* Confirmed to work on
**ThinkPad {{T43}}, {{T43p}}
**ThinkPad {{R52}}

For 2.6.18 kernels, or older kernels that were patched to support <tt>ata_piix</tt> hotplug (don't try it otherwise!), one can issue the following after inserting an UltraBay drive to rescan the port:
{{cmdroot|echo 0 0 0 > /sys/class/scsi_host/host1/scan}}
The inserted drive should now be recognized by the kernel, and appropriate {{path|/dev/*}} entries created automatically (e.g., by <tt>udev</tt>).

You can safely shut down the drive by issuing the following (this works with all recent mainline kernels):
{{cmdroot|echo 1 > /sys/class/scsi_device/1\:0\:0\:0/device/delete}}
{{cmdroot|echo eject > /proc/acpi/ibm/bay}}
The drive can now be ejected.

===Scripts for hotswapping===

The following scripts and [[acpid]] daemon configuration files do the following:
* Automatically unmounts the relevant filesystems and power off the UltraBay when the UltraBay eject lever is released. Screams if some filesystem can't be unmounted.
* Rescans the UltraBay port when then UltraBay eject lever is pushed back in.

They assumes you're using the <tt>ata_piix</tt> driver with an appropriate kernel (see above).

Create {{path|/usr/local/sbin/ultrabay_close}} with permissions 755:
<pre>
#!/bin/bash
echo 12 > /proc/acpi/ibm/beep
sync
echo 0 0 0 > /sys/class/scsi_host/host1/scan
</pre>

Create {{path|/usr/local/sbin/ultrabay_open}} with permissions 755:
<pre>
#!/bin/bash
ULTRABAY_SYSDIR='/sys/class/scsi_device/1:0:0:0/device'
shopt -s nullglob

# Umount the filesystem(s) backed by the given major:minor device(s)
unmount_rdev() { perl - "$@" <<'EOPERL' # let's do it in Perl
for $major_minor (@ARGV) {
$major_minor =~ m/^(\d+):(\d+)$/ or die;
push(@tgt_rdevs, ($1<<8)|$2);
}
# Sort by reverse length of mount point, to unmount sub-directories first
open MOUNTS,"</proc/mounts" or die "$!";
@mounts=sort { length($b->[1]) <=> length($a->[1]) } map { [ split ] } <MOUNTS>;
close MOUNTS;
foreach $m (@mounts) {
($dev,$dir)=@$m;
next unless -b $dev; $rdev=(stat($dev))[6];
next unless grep($_==$rdev, @tgt_rdevs);
system("umount","-v","$dir")==0 or $bad=1;
}
exit 1 if $bad;
EOPERL
}

# Get the UltraBay's /dev/foo block device node
ultrabay_dev_node() {
UDEV_PATH="`readlink -e "$ULTRABAY_SYSDIR/block:"*`" || return 1
UDEV_NAME="`udevinfo -q name -p $UDEV_PATH`" || return 1
echo /dev/$UDEV_NAME
}

if [ -d $ULTRABAY_SYSDIR ]; then
sync
# Unmount filesystems backed by this device
unmount_rdev `cat $ULTRABAY_SYSDIR/block\:*/dev \
$ULTRABAY_SYSDIR/block\:*/*/dev` \
|| {
echo 10 > /proc/acpi/ibm/beep; # error tone
exit 1;
}
sync
# Nicely power off the device
DEVNODE=`ultrabay_dev_node` && hdparm -Y $DEVNODE
# Let HAL+KDE notice the unmount and let the disk spin down
sleep 0.5
# Unregister this SCSI device:
sync
echo 1 > $ULTRABAY_SYSDIR/delete
fi
sync
# Turn off power to the UltraBay:
if [ -d /proc/acpi/bay ]; then
echo 1 > /proc/acpi/bay/*/eject
else
echo eject > /proc/acpi/ibm/bay
fi
# Tell the user we're OK
echo 12 > /proc/acpi/ibm/beep
</pre>

Create {{path|/etc/acpi/events/ultrabay-close}}:
<pre>
event=(ibm/bay|bay) MSTR 00000001 00000000
action=/usr/local/sbin/ultrabay_close
</pre>

Create {{path|/etc/acpi/events/ultrabay-open}}:
<pre>
event=(ibm/bay|bay) MSTR 00000003 00000000
action=/usr/local/sbin/ultrabay_open
</pre>

Restart <tt>acpid</tt>.

===HAL support===

Many programs, KDe included, rely on [[HAL]] to get notifications and information about device hotplugging. You need to tell HAL that devices connected the UltraBay port are hotpluggable. To do so, create the file {{path|/etc/hal/fdi/information/10-ultrabay.fdi}} as follows:
<pre>
<?xml version="1.0" encoding="UTF-8"?> 

<deviceinfo version="0.2">
<device>


<match key="storage.bus" string="scsi">
<match key="storage.physical_device" string="/org/freedesktop/Hal/devices/pci_8086_2653_scsi_host_scsi_device_lun0">
<merge key="storage.hotpluggable" type="bool">true</merge>
</match>
</match>

</device>
</deviceinfo>
</pre>

====Details====

By default, HAL doesn't know that UltraBay devices are hotpluggable:

# PHYSDEV=/org/freedesktop/Hal/devices/pci_8086_2653_scsi_host_scsi_device_lun0
# UDI=`hal-find-by-property --key storage.physical_device --string $PHYSDEV` || echo Failed
# hal-get-property --udi $UDI --key block.device
/dev/sdb
# hal-get-property --udi $UDI --key storage.hotpluggable
false

After creating {{path|/etc/hal/fdi/information/10-ultrabay.fdi}} as above and re-plugging the device, it will get marked correctly:

# PHYSDEV=/org/freedesktop/Hal/devices/pci_8086_2653_scsi_host_scsi_device_lun0
# UDI=`hal-find-by-property --key storage.physical_device --string $PHYSDEV` || echo Failed
# hal-get-property --udi $UDI --key block.device
/dev/sdb
# hal-get-property --udi $UDI --key storage.hotpluggable
true

The string "8086_2653" gives the PCI ID of the [[Intel 82801FBM]] southbridge. If your model has a different southbridge, or the UltraBay is attached to a different port, then you can find the appropriate <tt>storage.physical_device</tt> value by finding out the block device of the currently running UltraBay device (<tt>/dev/sdb</tt> in the following example) and then running:

# DEVICE=/dev/sdb
# UDI=`hal-find-by-property --key block.device --string $DEVICE` || echo Failed
# hal-get-property --udi $UDI --key storage.physical_device
/org/freedesktop/Hal/devices/pci_8086_2653_scsi_host_scsi_device_lun0

If you have a different <tt>storage.physical_device</tt> value, please report your findings.

==Other comments==

If you are hot-swapping a hard disk on a disk tray, make sure the disk does not have a password set, otherwise it will not be recognized on reinsertion.

[[Category:Scripts]]

How to hotswap Ultrabay devices

2006-10-10T08:45:13Z

ZZamboni:

The following discusses hotswap (AKA "hotplug") of devices in the [[UltraBay]].

==When using the <tt>ide-disk</tt> driver==
The following applies if you use the <tt>ide-disk</tt> driver for the UltraBay device.

Hotswapping is supposed to be supported as well, using either hdparm/[http://packages.debian.org/unstable/admin/hotswap Debian hotswap] or [[lt_hotswap]] to (un)register IDE devices. The latter is the recommended method with kernels from 2.6, since it will leave DMA working. However, for recent models (R52, T43, X41, Z60 and later) no method is known to work while maintaining DMA support; see [[Problems with SATA and Linux]].

Only IDE devices (HDD's, optical drives, zip drives) require special treatment - batteries, floppies and other devices can just be pulled from the bay, provided they are not mounted or in use at the time. However, you should still power them down first using the [[ibm-acpi]] eject function.

The [[ibm-acpi]] kernel module has an eject function ({{cmdroot|echo eject > /proc/acpi/ibm/bay}}). This only manages the ACPI calls to power down the device and the bay. It does not actually unregister the device from the IDE driver. {{cmdroot|cat /proc/acpi/ibm/bay}} shows "unoccupied" unless an IDE device is present, but the eject function still works and should still be used.

To unregister the device, you can either use the [http://packages.debian.org/unstable/admin/hotswap Debian hotswap] package, or [[lt_hotswap]].

[http://packages.debian.org/unstable/admin/hotswap Debian hotswap] also allows the drive to be swapped as a normal user by default, which is useful. You should use <tt>hotswap</tt> to unregister the device and then {{cmdroot|echo eject > /proc/acpi/ibm/bay}}. However, if you use this method on a 2.6 kernel, you will lose DMA support for the reinserted drive. This is due to kernel issues. This method was reported to work on a ThinkPad {{T23}} (kernels 2.6.8.1, 2.6.14.2 and 2.6.15-arch) and {{T42}} (kernel 2.6.13), but fails on a ThinkPad {{T43}} (kernel 2.6.14.3).

[[lt_hotswap]] is now the recommended method to un- and reregister the IDE device. It installs as a kernel module and has support for automatically unregistering the device when the eject event is generated by [[ibm-acpi]]. It will leave DMA support intact. It has supported to work on a ThinkPad {{T22}} and {{T40}} and should work with many other models (but not recent models which require the <tt>ata_piix</tt> driver for disk DMA support).

==When using the <tt>ata_piix</tt> driver==
The following applies when using the <tt>ata_piix</tt> driver, which is necessary for many recent ThinkPad models that use an [[Intel ICH6-M]] controller. See also [[Problems with SATA and Linux]].

Mainline kernels before 2.6.18 cannot reliably recognize newly (re-)inserted UltraBay drives without a reboot. There are experimental hotplug patches against pre-2.6.18 mainline kernels [http://home-tj.org/wiki/index.php/Libata-tj-stable here].

* Available hotplug patches
**[http://home-tj.org/files/libata-tj-stable/libata-tj-2.6.16.16-20060512.tar.bz2 Patch tarball against 2.6.16.16] ([http://lwn.net/Articles/183407/ Announce])
**[http://home-tj.org/files/libata-tj-stable/libata-tj-2.6.17-20060625-1.tar.bz2 Patch tarball against 2.6.17/2.6.17.1] ([http://article.gmane.org/gmane.linux.ide/11598 Announce])
**[http://home-tj.org/files/libata-tj-stable/libata-tj-2.6.17.4-20060710.tar.bz2 Patch tarball against 2.6.17.4]

* Confirmed to work on
**ThinkPad {{T43}}, {{T43p}}
**ThinkPad {{R52}}

For 2.6.18 kernels, or older kernels that were patched to support <tt>ata_piix</tt> hotplug (don't try it otherwise!), one can issue the following after inserting an UltraBay drive to rescan the port:
{{cmdroot|echo 0 0 0 > /sys/class/scsi_host/host1/scan}}
The inserted drive should now be recognized by the kernel, and appropriate {{path|/dev/*}} entries created automatically (e.g., by <tt>udev</tt>).

You can safely shut down the drive by issuing the following (this works with all recent mainline kernels):
{{cmdroot|echo 1 > /sys/class/scsi_device/1\:0\:0\:0/device/delete}}
{{cmdroot|echo eject > /proc/acpi/ibm/bay}}
The drive can now be ejected.

===Scripts for hotswapping===

The following scripts and [[acpid]] daemon configuration files do the following:
* Automatically unmounts the relevant filesystems and power off the UltraBay when the UltraBay eject lever is released. Screams if some filesystem can't be unmounted.
* Rescans the UltraBay port when then UltraBay eject lever is pushed back in.

They assumes you're using the <tt>ata_piix</tt> driver with an appropriate kernel (see above).

Create {{path|/usr/local/sbin/ultrabay_close}} with permissions 755:
<pre>
#!/bin/bash
echo 12 > /proc/acpi/ibm/beep
sync
echo 0 0 0 > /sys/class/scsi_host/host1/scan
</pre>

Create {{path|/usr/local/sbin/ultrabay_open}} with permissions 755:
<pre>
#!/bin/bash
ULTRABAY_SYSDIR='/sys/class/scsi_device/1:0:0:0/device'
shopt -s nullglob

# Umount the filesystem(s) backed by the given major:minor device(s)
unmount_rdev() { perl - "$@" <<'EOPERL' # let's do it in Perl
for $major_minor (@ARGV) {
$major_minor =~ m/^(\d+):(\d+)$/ or die;
push(@tgt_rdevs, ($1<<8)|$2);
}
open MOUNTS,"</proc/mounts" or die "$!";
while (<MOUNTS>) {
($dev,$dir)=split;
next unless -b $dev; $rdev=(stat($dev))[6];
next unless grep($_==$rdev, @tgt_rdevs);
system("umount","-v","$dir")==0 or $bad=1;
}
exit 1 if $bad;
EOPERL
}

# Get the UltraBay's /dev/foo block device node
ultrabay_dev_node() {
UDEV_PATH="`readlink -e "$ULTRABAY_SYSDIR/block:"*`" || return 1
UDEV_NAME="`udevinfo -q name -p $UDEV_PATH`" || return 1
echo /dev/$UDEV_NAME
}

if [ -d $ULTRABAY_SYSDIR ]; then
sync
# Unmount filesystems backed by this device
unmount_rdev `cat $ULTRABAY_SYSDIR/block\:*/dev \
$ULTRABAY_SYSDIR/block\:*/*/dev` \
|| {
echo 10 > /proc/acpi/ibm/beep; # error tone
exit 1;
}
sync
# Nicely power off the device
DEVNODE=`ultrabay_dev_node` && hdparm -Y $DEVNODE
# Let HAL+KDE notice the unmount and let the disk spin down
sleep 0.5
# Unregister this SCSI device:
sync
echo 1 > $ULTRABAY_SYSDIR/delete
fi
sync
# Turn off power to the UltraBay:
if [ -d /proc/acpi/bay ]; then
echo 1 > /proc/acpi/bay/*/eject
else
echo eject > /proc/acpi/ibm/bay
fi
# Tell the user we're OK
echo 12 > /proc/acpi/ibm/beep
</pre>

Create {{path|/etc/acpi/events/ultrabay-close}}:
<pre>
event=(ibm/bay|bay) MSTR 00000001 00000000
action=/usr/local/sbin/ultrabay_close
</pre>

Create {{path|/etc/acpi/events/ultrabay-open}}:
<pre>
event=(ibm/bay|bay) MSTR 00000003 00000000
action=/usr/local/sbin/ultrabay_open
</pre>

Restart <tt>acpid</tt>.

===HAL support===

Many programs, KDe included, rely on [[HAL]] to get notifications and information about device hotplugging. You need to tell HAL that devices connected the UltraBay port are hotpluggable. To do so, create the file {{path|/etc/hal/fdi/information/10-ultrabay.fdi}} as follows:
<pre>
<?xml version="1.0" encoding="UTF-8"?> 

<deviceinfo version="0.2">
<device>


<match key="storage.bus" string="scsi">
<match key="storage.physical_device" string="/org/freedesktop/Hal/devices/pci_8086_2653_scsi_host_scsi_device_lun0">
<merge key="storage.hotpluggable" type="bool">true</merge>
</match>
</match>

</device>
</deviceinfo>
</pre>

====Details====

By default, HAL doesn't know that UltraBay devices are hotpluggable:

# PHYSDEV=/org/freedesktop/Hal/devices/pci_8086_2653_scsi_host_scsi_device_lun0
# UDI=`hal-find-by-property --key storage.physical_device --string $PHYSDEV` || echo Failed
# hal-get-property --udi $UDI --key block.device
/dev/sdb
# hal-get-property --udi $UDI --key storage.hotpluggable
false

After creating {{path|/etc/hal/fdi/information/10-ultrabay.fdi}} as above and re-plugging the device, it will get marked correctly:

# PHYSDEV=/org/freedesktop/Hal/devices/pci_8086_2653_scsi_host_scsi_device_lun0
# UDI=`hal-find-by-property --key storage.physical_device --string $PHYSDEV` || echo Failed
# hal-get-property --udi $UDI --key block.device
/dev/sdb
# hal-get-property --udi $UDI --key storage.hotpluggable
true

The string "8086_2653" gives the PCI ID of the [[Intel 82801FBM]] southbridge. If your model has a different southbridge, or the UltraBay is attached to a different port, then you can find the appropriate <tt>storage.physical_device</tt> value by finding out the block device of the currently running UltraBay device (<tt>/dev/sdb</tt> in the following example) and then running:

# DEVICE=/dev/sdb
# UDI=`hal-find-by-property --key block.device --string $DEVICE` || echo Failed
# hal-get-property --udi $UDI --key storage.physical_device
/org/freedesktop/Hal/devices/pci_8086_2653_scsi_host_scsi_device_lun0

If you have a different <tt>storage.physical_device</tt> value, please report your findings.

==Other comments==

If you are hot-swapping a hard disk on a disk tray, make sure the disk does not have a password set, otherwise it will not be recognized on reinsertion.

[[Category:Scripts]]

Talk:How to hotswap Ultrabay devices

2006-10-10T08:42:18Z

ZZamboni: Added solution.

I recently tried using the libata-tj patch tarball for 2.6.16.16, applying this against the newly released 2.6.16.18 kernel (released today.) Patch applied cleanly. Upon boot, I immediately get a multitude of "weird" errors -- strange lockups, programs segmentation fault (running "top" resulted in a seg fault), and ultimately a hard lockup.

I booted back to my vanilla 2.6.16.16, ran fsck (appeared to just replay a few transactions, no major damage), and am back to normal. However, it successfully scared me off - unfortunately can't risk too much downtime (or worse, subtle fs corruption) right now on my main system. Anybody have experiences with this on a T43p using piix driver?

--[[User:gsmenden|gsmenden]] 00:00, 23 May 2006 (EST)
----

The 2.6.16.16 patch works fine on my T43. There's a git tree (mentioned on the patch's webpage) which is closer to 2.6.18, but AFAIK no simple unified patch was prepred.

--[[User:Thinker|Thinker]] 08:37, 23 May 2006 (CEST)
----

Cool. If I get brave I'll try it again on the 43p against 2.6.16.16 proper and report back.

--[[User:gsmenden|gsmenden]] 15:29, 23 May 2006 (EST)
----

Works fine here on 2.6.16.
I got only one crash with Suspend to Ram, which I'm unable to reproduce yet.
I renamed the acpi event files because at least my acpid doesn't read files that ends with .conf

--[[User:Defiant|Defiant]] 21:09, 28 May 2006 (CEST)

----
Update - patched against 2.6.16.19, works fine. It appears my previous problems were due to a disk error unrelated to the patch. Excellent!

--[[User:gsmenden|gsmenden]] 00:57, 31 May 2006 (EST)

Anybody have time to make a patch of the libata(-tj) .git tree against the recently released 2.6.17? I hope to make one in the future if not...

--[[User:gsmenden|gsmenden]] 22:08, 19 Jun 2006 (EST)

== one nit about ultrabay_close script / patch against 2.6.17 available ==

Howdy,

In ultrabay_close, there is 'sleep 3' for disk spinup, which isn't necessary. libata itself waits for disk spinup and if something breaks (e.g. first reset fails w/ timeout or something), it's libata's fault. Please remove that line and see if anything breaks.

Also, I've uploaded patch against 2.6.17/2.6.17.1 today.

http://home-tj.org/files/libata-tj-stable/libata-tj-2.6.17-20060625-1.tar.bz2

Hmmm... My post looks different from others. This wasn't intentional. Just don't know how to add normal discussion entry. Sorry.

--tj
----

Right, it works fine without "sleep 3" using the new patches. Sleep removed.

--[[User:Thinker|Thinker]] 12:35, 1 July 2006 (CEST)
----

Is it correct, that the ata_piix driver in kernel 2.6.18 RC4 now supports hot swapping like described in the howto and announced here http://lwn.net/Articles/183734/?

--[[User:cob|cob]] 15:53, 23 August 2006

== T42 freezing up when trying to hot swap ultrabay. ==

Hi,

Please bear with me. I am totally new at this and I am making my best effort to understand and learn.

My problem is that when typing "# echo eject > /proc/acpi/ibm/bay" to eject my ultrabay and put another in, I see the power going off in the ultrabay LED, but then my PC freezes completely.

I am running Fedora 6 Test 3, kernel 2.6.17-1.2647 and my notebook is a ThinkPad T42.

Please help! I have to constantly be changing my bay to use information in other hard drives, and I have to shutdown the system completely to not have any problems.

Thanks,

--Barny 09/21/2006@7:46PM EST

----
Have the same problem on a T40p running SuSE 10.1. Also lt_hotplug module is of no help. Keep me informed in case you have a solution!
Thanks,
--[[User:Ays|Ays]] 19:49, 5 October 2006 (CEST)

== Second disk not seen correctly on reinsert (T43p) [solved] ==

(update: see below for solution)

I have followed the instructions on my T43p running Gentoo using 2.6.18. I have a second hard disk in the UltraBay, using ata_piix, so it is seen as /dev/sdb (as described in [[Problems with SATA and Linux#No_DMA_on_system_hard_disk|Problems with SATA and Linux]]). The eject works fine. When I reinsert it and issue the rescan command, Only the main /dev/sdb device reappears, but not the ones corresponding to the partitions (/dev/sdb1, etc.), so I cannot mount them, and fdisk /dev/sdb says that it cannot open the device.

In dmesg, I see a bunch of errors like these, repeated multiple times:

<pre>
sd 1:0:0:0: SCSI error: return code = 0x08000002
sdb: Current: sense key=0xb
ASC=0x0 ASCQ=0x0
end_request: I/O error, dev sdb, sector 0
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
</pre>

And at the end:

<pre>
sdb: Current: sense key=0xb
ASC=0x0 ASCQ=0x0
end_request: I/O error, dev sdb, sector 0
ata2: EH complete
SCSI device sdb: 117210240 512-byte hdwr sectors (60012 MB)
sdb: Write Protect is off
sdb: Mode Sense: 00 3a 00 00
SCSI device sdb: drive cache: write back
SCSI device sdb: 117210240 512-byte hdwr sectors (60012 MB)
sdb: Write Protect is off
sdb: Mode Sense: 00 3a 00 00
SCSI device sdb: drive cache: write back
</pre>

The situation is not cured by a reboot (I still see only /dev/sdb), I have to power cycle to get the devices back.

Thanks for any ideas.

----

(2006-10-10) As a followup to my note above, I have noticed that the DVD-RW drive works perfectly after hot-swapping it - it's just the second hard disk that doesg not get recognized properly. I can "scsiping" the /dev/sdb device and it seems to respond OK, I have tried restarting udevd without success, and I'm at a loss as to what to try next.

---

It turned out to be an obvious problem - I had a disk password set on my second disk, so on reinsert it could not be accessed. I turned off the disk password, and now it works perfectly.

Talk:How to hotswap Ultrabay devices

2006-10-10T06:56:20Z

ZZamboni: Update about DVD-RW working properly after hotswap, even though hard disk does not.

I recently tried using the libata-tj patch tarball for 2.6.16.16, applying this against the newly released 2.6.16.18 kernel (released today.) Patch applied cleanly. Upon boot, I immediately get a multitude of "weird" errors -- strange lockups, programs segmentation fault (running "top" resulted in a seg fault), and ultimately a hard lockup.

I booted back to my vanilla 2.6.16.16, ran fsck (appeared to just replay a few transactions, no major damage), and am back to normal. However, it successfully scared me off - unfortunately can't risk too much downtime (or worse, subtle fs corruption) right now on my main system. Anybody have experiences with this on a T43p using piix driver?

--[[User:gsmenden|gsmenden]] 00:00, 23 May 2006 (EST)
----

The 2.6.16.16 patch works fine on my T43. There's a git tree (mentioned on the patch's webpage) which is closer to 2.6.18, but AFAIK no simple unified patch was prepred.

--[[User:Thinker|Thinker]] 08:37, 23 May 2006 (CEST)
----

Cool. If I get brave I'll try it again on the 43p against 2.6.16.16 proper and report back.

--[[User:gsmenden|gsmenden]] 15:29, 23 May 2006 (EST)
----

Works fine here on 2.6.16.
I got only one crash with Suspend to Ram, which I'm unable to reproduce yet.
I renamed the acpi event files because at least my acpid doesn't read files that ends with .conf

--[[User:Defiant|Defiant]] 21:09, 28 May 2006 (CEST)

----
Update - patched against 2.6.16.19, works fine. It appears my previous problems were due to a disk error unrelated to the patch. Excellent!

--[[User:gsmenden|gsmenden]] 00:57, 31 May 2006 (EST)

Anybody have time to make a patch of the libata(-tj) .git tree against the recently released 2.6.17? I hope to make one in the future if not...

--[[User:gsmenden|gsmenden]] 22:08, 19 Jun 2006 (EST)

== one nit about ultrabay_close script / patch against 2.6.17 available ==

Howdy,

In ultrabay_close, there is 'sleep 3' for disk spinup, which isn't necessary. libata itself waits for disk spinup and if something breaks (e.g. first reset fails w/ timeout or something), it's libata's fault. Please remove that line and see if anything breaks.

Also, I've uploaded patch against 2.6.17/2.6.17.1 today.

http://home-tj.org/files/libata-tj-stable/libata-tj-2.6.17-20060625-1.tar.bz2

Hmmm... My post looks different from others. This wasn't intentional. Just don't know how to add normal discussion entry. Sorry.

--tj
----

Right, it works fine without "sleep 3" using the new patches. Sleep removed.

--[[User:Thinker|Thinker]] 12:35, 1 July 2006 (CEST)
----

Is it correct, that the ata_piix driver in kernel 2.6.18 RC4 now supports hot swapping like described in the howto and announced here http://lwn.net/Articles/183734/?

--[[User:cob|cob]] 15:53, 23 August 2006

== T42 freezing up when trying to hot swap ultrabay. ==

Hi,

Please bear with me. I am totally new at this and I am making my best effort to understand and learn.

My problem is that when typing "# echo eject > /proc/acpi/ibm/bay" to eject my ultrabay and put another in, I see the power going off in the ultrabay LED, but then my PC freezes completely.

I am running Fedora 6 Test 3, kernel 2.6.17-1.2647 and my notebook is a ThinkPad T42.

Please help! I have to constantly be changing my bay to use information in other hard drives, and I have to shutdown the system completely to not have any problems.

Thanks,

--Barny 09/21/2006@7:46PM EST

----
Have the same problem on a T40p running SuSE 10.1. Also lt_hotplug module is of no help. Keep me informed in case you have a solution!
Thanks,
--[[User:Ays|Ays]] 19:49, 5 October 2006 (CEST)

== Second disk not seen correctly on reinsert (T43p) ==

I have followed the instructions on my T43p running Gentoo using 2.6.18. I have a second hard disk in the UltraBay, using ata_piix, so it is seen as /dev/sdb (as described in [[Problems with SATA and Linux#No_DMA_on_system_hard_disk|Problems with SATA and Linux]]). The eject works fine. When I reinsert it and issue the rescan command, Only the main /dev/sdb device reappears, but not the ones corresponding to the partitions (/dev/sdb1, etc.), so I cannot mount them, and fdisk /dev/sdb says that it cannot open the device.

In dmesg, I see a bunch of errors like these, repeated multiple times:

<pre>
sd 1:0:0:0: SCSI error: return code = 0x08000002
sdb: Current: sense key=0xb
ASC=0x0 ASCQ=0x0
end_request: I/O error, dev sdb, sector 0
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
</pre>

And at the end:

<pre>
sdb: Current: sense key=0xb
ASC=0x0 ASCQ=0x0
end_request: I/O error, dev sdb, sector 0
ata2: EH complete
SCSI device sdb: 117210240 512-byte hdwr sectors (60012 MB)
sdb: Write Protect is off
sdb: Mode Sense: 00 3a 00 00
SCSI device sdb: drive cache: write back
SCSI device sdb: 117210240 512-byte hdwr sectors (60012 MB)
sdb: Write Protect is off
sdb: Mode Sense: 00 3a 00 00
SCSI device sdb: drive cache: write back
</pre>

The situation is not cured by a reboot (I still see only /dev/sdb), I have to power cycle to get the devices back.

Thanks for any ideas.

----

(2006-10-10) As a followup to my note above, I have noticed that the DVD-RW drive works perfectly after hot-swapping it - it's just the second hard disk that doesg not get recognized properly. I can "scsiping" the /dev/sdb device and it seems to respond OK, I have tried restarting udevd without success, and I'm at a loss as to what to try next.

Talk:How to hotswap Ultrabay devices

2006-10-05T13:44:30Z

ZZamboni: Second disk not seen correctly on reinsert (T43p)

I recently tried using the libata-tj patch tarball for 2.6.16.16, applying this against the newly released 2.6.16.18 kernel (released today.) Patch applied cleanly. Upon boot, I immediately get a multitude of "weird" errors -- strange lockups, programs segmentation fault (running "top" resulted in a seg fault), and ultimately a hard lockup.

I booted back to my vanilla 2.6.16.16, ran fsck (appeared to just replay a few transactions, no major damage), and am back to normal. However, it successfully scared me off - unfortunately can't risk too much downtime (or worse, subtle fs corruption) right now on my main system. Anybody have experiences with this on a T43p using piix driver?

--[[User:gsmenden|gsmenden]] 00:00, 23 May 2006 (EST)
----

The 2.6.16.16 patch works fine on my T43. There's a git tree (mentioned on the patch's webpage) which is closer to 2.6.18, but AFAIK no simple unified patch was prepred.

--[[User:Thinker|Thinker]] 08:37, 23 May 2006 (CEST)
----

Cool. If I get brave I'll try it again on the 43p against 2.6.16.16 proper and report back.

--[[User:gsmenden|gsmenden]] 15:29, 23 May 2006 (EST)
----

Works fine here on 2.6.16.
I got only one crash with Suspend to Ram, which I'm unable to reproduce yet.
I renamed the acpi event files because at least my acpid doesn't read files that ends with .conf

--[[User:Defiant|Defiant]] 21:09, 28 May 2006 (CEST)

----
Update - patched against 2.6.16.19, works fine. It appears my previous problems were due to a disk error unrelated to the patch. Excellent!

--[[User:gsmenden|gsmenden]] 00:57, 31 May 2006 (EST)

Anybody have time to make a patch of the libata(-tj) .git tree against the recently released 2.6.17? I hope to make one in the future if not...

--[[User:gsmenden|gsmenden]] 22:08, 19 Jun 2006 (EST)

== one nit about ultrabay_close script / patch against 2.6.17 available ==

Howdy,

In ultrabay_close, there is 'sleep 3' for disk spinup, which isn't necessary. libata itself waits for disk spinup and if something breaks (e.g. first reset fails w/ timeout or something), it's libata's fault. Please remove that line and see if anything breaks.

Also, I've uploaded patch against 2.6.17/2.6.17.1 today.

http://home-tj.org/files/libata-tj-stable/libata-tj-2.6.17-20060625-1.tar.bz2

Hmmm... My post looks different from others. This wasn't intentional. Just don't know how to add normal discussion entry. Sorry.

--tj
----

Right, it works fine without "sleep 3" using the new patches. Sleep removed.

--[[User:Thinker|Thinker]] 12:35, 1 July 2006 (CEST)
----

Is it correct, that the ata_piix driver in kernel 2.6.18 RC4 now supports hot swapping like described in the howto and announced here http://lwn.net/Articles/183734/?

--[[User:cob|cob]] 15:53, 23 August 2006

== T42 freezing up when trying to hot swap ultrabay. ==

Hi,

Please bear with me. I am totally new at this and I am making my best effort to understand and learn.

My problem is that when typing "# echo eject > /proc/acpi/ibm/bay" to eject my ultrabay and put another in, I see the power going off in the ultrabay LED, but then my PC freezes completely.

I am running Fedora 6 Test 3, kernel 2.6.17-1.2647 and my notebook is a ThinkPad T42.

Please help! I have to constantly be changing my bay to use information in other hard drives, and I have to shutdown the system completely to not have any problems.

Thanks,

--Barny 09/21/2006@7:46PM EST

== Second disk not seen correctly on reinsert (T43p) ==

I have followed the instructions on my T43p running Gentoo using 2.6.18. I have a second hard disk in the UltraBay, using ata_piix, so it is seen as /dev/sdb (as described in [[Problems with SATA and Linux#No_DMA_on_system_hard_disk|Problems with SATA and Linux]]). The eject works fine. When I reinsert it and issue the rescan command, Only the main /dev/sdb device reappears, but not the ones corresponding to the partitions (/dev/sdb1, etc.), so I cannot mount them, and fdisk /dev/sdb says that it cannot open the device.

In dmesg, I see a bunch of errors like these, repeated multiple times:

<pre>
sd 1:0:0:0: SCSI error: return code = 0x08000002
sdb: Current: sense key=0xb
ASC=0x0 ASCQ=0x0
end_request: I/O error, dev sdb, sector 0
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
ata2: EH complete
ata2.00: speed down requested but no transfer mode left
ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
ata2.00: tag 0 cmd 0x20 Emask 0x1 stat 0x51 err 0x4 (device error)
</pre>

And at the end:

<pre>
sdb: Current: sense key=0xb
ASC=0x0 ASCQ=0x0
end_request: I/O error, dev sdb, sector 0
ata2: EH complete
SCSI device sdb: 117210240 512-byte hdwr sectors (60012 MB)
sdb: Write Protect is off
sdb: Mode Sense: 00 3a 00 00
SCSI device sdb: drive cache: write back
SCSI device sdb: 117210240 512-byte hdwr sectors (60012 MB)
sdb: Write Protect is off
sdb: Mode Sense: 00 3a 00 00
SCSI device sdb: drive cache: write back
</pre>

The situation is not cured by a reboot (I still see only /dev/sdb), I have to power cycle to get the devices back.

Thanks for any ideas.

How to enable integrated fingerprint reader with BioAPI

2006-06-26T12:42:24Z

ZZamboni: /* Make xscreensaver use the scanner */

{| width="100%"
|style="vertical-align:top;padding-right:20px;width:10px;white-space:nowrap;" | __TOC__
|style="vertical-align:top" |
This page describes the process of getting the [[Integrated Fingerprint Reader|integrated fingerprint reader]] to work under Linux. It is based on experiences in {{Ubuntu}} on a T43. The same works on {{Fedora}} 4 and 5, RHEL4, SuSE 9.3, SuSE 10, and {{Gentoo}}.
|}

==Basic installation==
===Installing the bioapi framework===
====Automated installation script====
The [[Script for enabling the fingerprint reader]] automates the installation of most components (bioapi framework, driver, pam_bioapi, pam setup, device permissions, pamtester and enrolling), for some Linux distributions.

====Binary packages====

Note that these packages only take care of this one section. If you can use one, you should do so and then proceed to the section entitled, Installing and Configuring the Driver.

=====Debian=====
*If you're using {{Debian}} Sid (the unstable branch) you can try the packages from Michael R. Crusoe's site, either [http://www.qrivy.net/~michael/temp/ version 1.2.3] (recommended) or [http://www.qrivy.net/~michael/debs/unstable/ older versions] which might not work with the steps in this howto.
*This seems to work for {{Ubuntu}} Breezy/Dapper too, so save yourself some trouble and grab it.
=====Gentoo=====
You can either grab the [http://www.qrivy.net/~michael/blua/bioapi/bioapi-1.2.2.ebuild.tar.bz2 ebuild], or use the source-install procedure below.

Also see [http://toe.ch/~tsa/ibm-fingerprint/ http://toe.ch/~tsa/ibm-fingerprint/] for alternative documentation on installing on Gentoo including ebuilds for all the packages used.
=====Fedora Core=====
RPM packages for Fedora Core and installation instructions are available [[Installing Fedora Core 5 on a ThinkPad X41 Tablet#Fingerprint_Reader|here]]

====Installing from source====
*Get the bioapi source:
:{{cmduser|wget http://www.qrivy.net/~michael/blua/bioapi/bioapi-latest.tar.bz2}}
*I could not compile bioapi with the graphical Qt tools. To do it manually, do the following:
:{{cmduser|tar xjf bioapi-latest.tar.bz2}}
:{{cmduser|cd bioapi-1.2.2}}
:{{cmduser|1=./configure --with-Qt-dir=no}}
:{{cmduser|make}}
:and then as root
:{{cmdroot|make install}}
:If make install fails, be sure you're root and then:
:{{cmdroot|1=export LD_LIBRARY_PATH=/usr/local/lib}}
:{{cmdroot|make install}}
:and if you want to compile pam_bioapi for auth later
:{{cmdroot|cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include}}
:Be aware that checkinstall will not work!
:(I got through configure with Qt, but got a cryptic build error. It all worked fine with Qt disabled as above)
:buzz: This is due to a wrong qt include path, set it manually in configure and everything should work.
*Bioapi (at least version 1.2.2) doesn't compile with GCC4. You need to patch it:
*This is neccessary to compile on SUSE 10.1 which it using gcc version 4.1.0.
:{{cmduser|wget http://upir.cz/linux/patches/bioapi-1.2.2-gcc4.patch}}
:{{cmduser|patch -p1 < bioapi-1.2.2-gcc4.patch}}
*Patch for gcc 4.1 is available here - http://cvs.pld-linux.org/cgi-bin/cvsweb/SOURCES/bioapi-c++.patch
* By default, bioapi will install numerous files in {{path|/usr/local/<nowiki>{</nowiki>bin,lib,include<nowiki>}</nowiki>}}, including files with "self-explanatory" names such as {{path|/usr/local/bin/Sample}}. To prevent this pollution:
:Create a dedicated directory, for example {{path|/opt/bioapi}} .
:Append <tt>--prefix=/opt/bioapi</tt> to the above <tt>./configure</tt> command.
:Append {{path|/opt/bioapi/bin}} to <tt>$PATH</tt> and {{path|/opt/bioapi/lib}} to <tt>$LD_LIBRARY_PATH</tt>.
:When installing the driver (below), tell it the new install path: {{cmdroot|sh install.sh /opt/bioapi/lib}}

====Adjusting ldconfigs library search path====
At least on {{Fedora}} or {{Aurox}} 11, you may need to add {{path|/usr/local/lib}} to the library path so that the libraries referenced from <tt>pam_bioapi.so</tt> get picked up properly. The usual way to do this is adding it to the ldconfig configuration:
:{{cmdroot|echo '/usr/local/lib' > /etc/ld.so.conf.d/bioapi.conf}}
:{{cmdroot|ldconfig}}
Alternatively you can add it to the LD_LIBRARY variable.

If you see bioapi libs in the output of
:{{cmdroot|ldconfig -p | grep bioapi}}
then it should work.

===Installing and configuring the driver===
====Installing the driver====
*Download {{path|TFMESS_BSP_LIN_1.0.zip}} from the [http://www.upek.com/support/dl_linux_bsp.asp UPEK support site] and unzip it into a seperate folder, as it will not create one.
*Change to that folder and do as root:
:{{cmdroot|sh install.sh}}
:If you're running Gentoo, use
:{{cmdroot|sh install.sh /usr/lib}}
:If that fails, it may be that make install failed up above -- try setting LD_LIBRARY_PATH, do the make install again, and come back here and try this again. You also need {{cmd|mod_install|}} from bioapi in your PATH.
:May there still occures and error, which means mod_install: command not found.
:Then login as root - not su!
:Do this:
:{{cmdroot|sh install.sh}}
:again. It should work. SU to root does not work since then the /usr/local/bin directory is not used per default.

====Configuring permissions for non-root use====
If you want to use PAM-aware applications like xscreensaver that are NOT running with root permissions (as opposed to login, gdm or other authentication mechanisms), you may need to do all or at least some of the things in this section. More details on what is necessary on which distributions would be greately appreciated.
*Create two groups, one for access to BioAPI files and the other for access to the usb files. (This is done for full generality; i.e., you may have other USB devices which you want accessable to other users, without exposing your BioAPI configuration to them). Add your normal user (the one you wish to use PAM-aware applications with) to both of these groups.
On {{Debian}} this is done with
:{{cmdroot|addgroup --system bioapi}}
:{{cmdroot|addgroup --system usbfs}}
:{{cmdroot|adduser yournormaluser bioapi}}
:{{cmdroot|adduser yournormaluser usbfs}}
On {{SUSE}} this is done with
:{{cmdroot|groupadd --system bioapi}}
:{{cmdroot|groupadd --system usbfs}}
:{{cmdroot|groupmod -A yournormaluser bioapi}}
:{{cmdroot|groupmod -A yournormaluser usbfs}}
On {{Mandriva}} this is done with
:{{cmdroot|groupadd -r bioapi}}
:{{cmdroot|groupadd -r usbfs}}
:{{cmdroot|usermod -G bioapi,usbfs yournormaluser}}

:(where {{cmd|yournormaluser|}} is your normal user name). You will need to log out and log back in for this to take effect.
*Set permissions on the BioAPI config/registry directory:
:{{cmdroot|chown -R root:bioapi /usr/local/var/bioapi/}}
:{{cmdroot|chmod -R 770 /usr/local/var/bioapi/}}
:(change this path if you used an alternate BioAPI install directory above)
*Set permissions on the files in {{path|/proc/bus/usb}}:
:{{cmdroot|chown -R root:usbfs /proc/bus/usb}}
:{{cmdroot|chmod -R g+X /proc/bus/usb}}
:{{cmdroot|chown root:usbfs /proc/bus/usb/`lsusb <nowiki>|</nowiki> sed -ne "/0483:2016/s/Bus\ $.*$\ Device\ $.*$:\ .*/\1\/\2/p"`}}
:{{cmdroot|chmod 660 /proc/bus/usb/`lsusb <nowiki>|</nowiki> sed -ne "/0483:2016/s/Bus\ $.*$\ Device\ $.*$:\ .*/\1\/\2/p"`}}
:You may need to replace {{cmd|lsusb|}} with its full path, which is something like {{cmd|/sbin/lsusb|}} or {{cmd|/usr/bin/lsusb|}} depending on your distro. It might be necessary to put these lines into a script which is run at startup and resume from suspend/hibernate.
*As an alternative to the {{cmd|chown|}}/{{cmd|chmod|}} commands above, you can set mount options for usbfs with a line in {{path|/etc/fstab|}}; an example would be
none /proc/bus/usb usbfs defaults,devgid=108,devmode=0660,busgid=108,busmode=0770,listgid=108,listmode=0660 0 0
:where 108 is replaced with the numerical group ID of the usbfs group (you can determine this with something like {{cmd|cat /etc/group <nowiki>|</nowiki> grep usbfs <nowiki>|</nowiki> cut -d':' -f 3|}}). Make sure you only have one {{path|/proc/bus/usb}} entry in {{path|/etc/fstab}}. See the {{cmd|mount(8)|}} manpage for more information on these options. This is "cleaner" but seems to have a few weird issues -- see the talk page for details.
*You may also have files in {{path|/dev/bus/usb}}, which the driver will try before {{path|/proc/bus/usb}}. If this is another usbfs mount point ({{cmd|mount|}} shows a line containing {{cmdresult|/dev/bus/usb type usbfs}}), then simply follow the above instructions with {{path|/dev/bus/usb}} rather than {{path|/proc/bus/usb}}. Otherwise, you may be running a new kernel (i.e. 2.6.15) that makes usbfs-like files available through {{path|/dev/bus/usb}}. On systems running udev these files are dynamically created; you can configure their permissions by editing a udev config file. On Debian this is done by changing the <tt>usb_device</tt> line of {{path|/etc/udev/permissions.rules}} to read
SUBSYSTEM=="usb_device", MODE="0660", GROUP="usbfs"
*For the beta versions only, there is a logfile, which needs to exist with the proper permissions:
:{{cmdroot|touch /var/log/BSP.log && chown root:bioapi /var/log/BSP.log && chmod 660 /var/log/BSP.log}}

====Miscellaneous configuration====
* To increase the security level (minimize false accept rate), set this in {{path|/etc/tfmessbsp.cfg}}:
security-level="5"

===Testing the driver and enrolling a fingerprint===
To test the driver and generate the file containing your fingerprint information, you need a sample program included with the driver. The compilation steps below were discovered by trial and error; if they don't work for you, try the binary {{cmd|Sample|}} utility that came with the beta versions of the driver (i.e., {{path|TFMESS_BSP_LIN_1.0beta2.zip}} as mentioned above).
Go to the folder where you extracted {{path|TFMESS_BSP_LIN_1.0.zip}} and do:
:{{cmdroot|cd NonGUI_Sample}}
:Edit {{path|main.c|}} and remove (or comment out) the line
#include "port/bioapi_port.h"
:{{cmdroot|gcc -o Sample main.c -L/usr/local/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN}}
:{{cmdroot|./Sample}}
:Note that Sample may only run as root, unless you've already configured the usbfs file permissions.
:You can try to "e"nroll (to record a fingerprint for an account) and then "v"erify (to test a fingerprint against the one it expects for an account).
:You'll save a step later if you use your own login username as the username to enroll here.

==Login via pam_bioapi==

The following explains how to add fingerprint authentiation to programs that use the PAM (Pluggable Authentication Modules) framework, such as Gnome's GDM and KDE's KDM and screensaver.

===Getting required libs & tools===
====Installing pam_bioapi====
*Prerequisites
:On SuSE 10, I needed to install the pam-devel RPM
:In general, you will need pam itself (standard for most distros) as well as the pam development files (probably an optional package for your distro).
*Get and compile the pam_bioapi module.
:{{cmduser|wget http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2}}
:{{cmduser|tar xjf pam_bioapi-latest.tar.bz2}}
:{{cmduser|cd pam_bioapi-0.2.1}}
:{{cmduser|wget http://badcode.de/downloads/fingerprint.patch}}
:{{cmduser|patch -p0 < fingerprint.patch}}
:If you want to, review the patch. In general you should review all code you download and compile, if possible. The patch comes from [http://linuxbiometrics.com/modules/newbb/viewtopic.php?viewmode=flat&topic_id=80&forum=1 this thread].
:{{cmduser|./configure && make}}
:and as root
:{{cmdroot| make install}}
:{{cmdroot| cp /usr/local/lib/security/* /lib/security/}}
{{NOTE|If you get a 'rpl_malloc' error in /var/log/auth.log when trying to use the fingerprint reader, redo these steps and remove the related term from Makefile after running ./configure. (FC3, Debian etch)}}
*If you get 'configure: error: cannot find required header: security/_pam_macros.h' and are on a Debian-like system, do "apt-get install libpam0g-dev" and try again. If you are using a Mandriva distribution, do "urpmi libpam0-devel" instead.
*If you get 'PAM [dlerror: /lib/security/pam_bioapi.so: undefined symbol: BioAPIMemoryFuncs]' error in your syslog, replace 'LIBS = ' line in {{path|libpam_bioapi/makefile}} with the following (of course, replace {{path|/opt/bioapi/}} with the path where you installed bioapi):
LIBS = -L/opt/bioapi/lib -lbioapi100 -lbioapi_mds300 -lmds_util
*Use the sample tool from the fingerprint reader to create {{path|<username>.bir}} (<tt><username></tt> '''must''' be the username you want to login with. gdm will probably break for any login name that has no .bir file).
*As root do:
:{{cmdroot|SERIAL<nowiki>=`BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: $.\{9\}$$.\{4\}$$.\{4\}$$.\{4\}$$.*$/\1-\2-\3-\4-\5/gp}"` </nowiki>}}
:{{cmdroot|echo $SERIAL}} should print something like {{cmdresult|<nowiki>{5550454b-2054-464d-2f45-535320425350}</nowiki>}} now.
:If it does, do:
:{{cmdroot|mkdir -p /etc/bioapi/pam/$SERIAL}}
:{{cmdroot|cp <username>.bir /etc/bioapi/pam/$SERIAL}}
:If not, you might just try
:{{cmdroot|SERIAL<nowiki>={5550454b-2054-464d-2f45-535320425350}</nowiki>}}
:as this value is hardcoded into the UPEK docs.

===Configuring pam===
The following part is distribution specific. On {{Ubuntu}} or {{SUSE}} you can modify {{path|/etc/pam.d/common-auth}} (on {{Gentoo}} and {{Fedora}} it is {{path|/etc/pam.d/system-auth}}) to look like this:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
password sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth required pam_unix.so nullok_secure

----
For '''Gentoo'''-Users - this allows you to attempt a password first. If you simply press enter, it then prompts for a fingerprints. Create a file named {{path|/etc/pam.d/bioapi}}. This also means that remote services, such as SSH keep working:

auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth required pam_deny.so

account required pam_unix.so

session required pam_limits.so
session required pam_unix.so

----

Now, simply replace "auth include system-auth" in all services that you wish to use fingerprint for with "auth include bioapi". For example, {{path|/etc/pam.d/kde}} by default contains

auth include system-auth
auth required pam_nologin.so

account include system-auth

password include system-auth

session include system-auth

Simply replace the first "system-auth" with bioapi and you can also get rid of KDE desktop lock with a fingerprint. If you do not wish to allow for "password fallback" then remove

auth sufficient pam_unix.so likeauth nullok

from {{path|/etc/pam.d/bioapi}}.

{{WARN|If su/sudo expects to receive the root password (SuSE 10), you need to have fingerprint settings for root (that is, copy in a root.bir as well as a your-username.bir). Otherwise, they get a segmentation fault. Which is a little unfortunate, given that you need to su or sudo to change your settings... }}
{{WARN|Not only SuSE 10 requires root.bir to be available for su to work. Just make sure you have root.bir when su is not working with your fingerprint reader but other applications are...}}
Note that sshd may pick up the fingerprint settings from {{path|/etc/pam.d/common-auth}}. I didn't want that, so I removed the "auth include common-auth" line from {{path|/etc/pam.d/sshd}} and replaced it with the lines that were originally in my {{path|/etc/pam.d/common-auth}}. That way most local services use the fingerprint reader, but sshd does not.

Another way to do this is to create a file ({{path|/etc/pam.d/bioapi|}} for example) which contains the {{cmd|pam_bioapi.so|}} lines, and explicitly {{cmd|@include|}} this '''before''' {{path|/etc/pam.d/common-auth|}} in the files for services which should use the fingerprint reader. In this case you should leave {{path|/etc/pam.d/common-auth|}} alone.

{{NOTE|This was discovered through trial and success, if it is plain wrong, wikorrect it, please.}}

In {{Fedora}} the original 'session' terms in {{path|/etc/pam.d/system-auth}} need to be kept.

{{HINT|The setup described above will/could affect remote ssh logins to also use biometric logins, which is a bit silly (who wants to remote ssh to the laptop, and then have to walk over to it and swipe your finger) To avoid that you can copy the default <tt>/etc/pam.d/system-auth</tt> to <tt>/etc/pam.d/sshd</tt> which will allow the sshd service to use the standard authentication procedure.}}

You can do some useful testing with [http://pamtester.sourceforge.net/ {{cmd|pamtester|}}], which calls the pam modules as if it were a program of your choice. Examples:
:{{cmdroot|pamtester xdm yourusername authenticate}}
:{{cmduser|pamtester xscreensaver yourusername authenticate}}
where {{cmd|yourusername|}} is your username. Note that {{cmd|pamtester|}} should run as root if and only if the program in question does.

===Application support===
The implementation of fingerprint scanning support in the relevant applications varies.

Here is the behaviour of the most common ones:
* In gdm enter your username and there should pop up an (ugly) image to swipe your finger and... magic - you can login without a password.
* kdm doesn't give any visual indication, other than that the cursor stops blinking. Just swipe your finger and hope it lets you log in.
* In xdm, enter your username and a blank password, then swipe (there is no popup as well).
* The KDE screen saver in SUSE 10 requires you to enter an empty password (or select the correct user and then enter an empty password) in order to get the fingerprint prompt.
* For Fedora users, the redhat-config tools will crash if no root.bir presents. Also, there won't be any visual idication unless X server is properly configured for root to access. Just swipe your finger when the HDD stopped blinking or issue the following command in advance:
:{{cmduser|xhost +local:}}
* For RHEL4 users gdm, console (virtual terminal) logins and the xscreensaver all work

===kdm support===
To add graphical popup to kdm, you need following:
* Patch for pam_bioapi. This patch adds third parameter to {{path|pam_bioapi.so}} module, which is a name of file with additional environment variables that will be supplied to the UPEK driver.
:{{cmdroot|wget http://upir.cz/linux/patches/pam_bioapi-0.2.1-alter-environ.patch}}
:{{cmdroot|patch -p1 < pam_bioapi-0.2.1-alter-environ.patch}}
* Edit your {{path|Xsetup}} file (on SUSE 10 it's {{path|/etc/X11/xdm/Xsetup}}) and add these lines:
echo "XAUTHORITY=$XAUTHORITY" > /var/lib/xdm/kdm_env
echo "DISPLAY=$DISPLAY" >> /var/lib/xdm/kdm_env
* In {{path|/etc/pam.d/xdm}} file, add {{path|/var/lib/xdm/kdm_env}} as a third parameter for {{path|pam_bioapi.so}} module:
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/ /var/lib/xdm/kdm_env

Please note, that this won't work if you have more than one Xserver.

==Make xscreensaver use the scanner==
If you are using Gentoo, you can get a portage overlay with the necessary patches here: http://www.zzamboni.org/brt/files/xscreensaver-fingerprint-overlay.tar.gz
*Get the needed xscreensaver sources:
:{{cmduser|wget http://www.jwz.org/xscreensaver/xscreensaver-4.23.tar.gz}}
:{{cmduser|tar xzf xscreensaver-4.23.tar.gz}}
:{{cmduser|cd xscreensaver-4.23}}
:{{cmduser|wget http://nax.hn.org/pub/bioapi/xscreensaver-4.22_alternativeAuth.diff This site seems to be down, use this mirror: http://zepan.org/files/xscreensaver-4.22_alternativeAuth.diff For xscreensaver 5.00, you can get a patch here: http://www.zzamboni.org/brt/files/xscreensaver-5.00-alternativeauth.patch}}
*After reviewing the patch (it's small and straightforward), do
:{{cmduser|patch -p1 < xscreensaver-4.22_alternativeAuth.diff}} The patch prevents xscreensaver from opening an authentification window and dispatches the authentification request to another program, in our case <tt>pam</tt> and <tt>pam_bioapi</tt>. It should apply with some offset, don't mind that. If it says something about rejected though, then there's a problem.
*Compile with
:{{cmduser|./configure --with-pam && make}} 
*If you receive an error like "Couldn't find X11 headers/libs" and are running a Debian-like system, try "apt-get install xlibs-dev"
*If you receive an error like "undefined reference to `XmuPrintDefaultErrorMessage'" then install the libxmu-dev package and run the previous line again and then install as root with
:{{cmduser|su -c make install}} .
*Make sure that the newly compiled xscreensaver is used:
:{{cmduser|which xscreensaver}} should return
:{{cmdresult|/usr/local/bin/xscreensaver}} .
*In case it doesn't, try adjusting your PATH.

How to enable integrated fingerprint reader with BioAPI

2006-06-26T12:38:55Z

ZZamboni: /* Make xscreensaver use the scanner */

{| width="100%"
|style="vertical-align:top;padding-right:20px;width:10px;white-space:nowrap;" | __TOC__
|style="vertical-align:top" |
This page describes the process of getting the [[Integrated Fingerprint Reader|integrated fingerprint reader]] to work under Linux. It is based on experiences in {{Ubuntu}} on a T43. The same works on {{Fedora}} 4 and 5, RHEL4, SuSE 9.3, SuSE 10, and {{Gentoo}}.
|}

==Basic installation==
===Installing the bioapi framework===
====Automated installation script====
The [[Script for enabling the fingerprint reader]] automates the installation of most components (bioapi framework, driver, pam_bioapi, pam setup, device permissions, pamtester and enrolling), for some Linux distributions.

====Binary packages====

Note that these packages only take care of this one section. If you can use one, you should do so and then proceed to the section entitled, Installing and Configuring the Driver.

=====Debian=====
*If you're using {{Debian}} Sid (the unstable branch) you can try the packages from Michael R. Crusoe's site, either [http://www.qrivy.net/~michael/temp/ version 1.2.3] (recommended) or [http://www.qrivy.net/~michael/debs/unstable/ older versions] which might not work with the steps in this howto.
*This seems to work for {{Ubuntu}} Breezy/Dapper too, so save yourself some trouble and grab it.
=====Gentoo=====
You can either grab the [http://www.qrivy.net/~michael/blua/bioapi/bioapi-1.2.2.ebuild.tar.bz2 ebuild], or use the source-install procedure below.

Also see [http://toe.ch/~tsa/ibm-fingerprint/ http://toe.ch/~tsa/ibm-fingerprint/] for alternative documentation on installing on Gentoo including ebuilds for all the packages used.
=====Fedora Core=====
RPM packages for Fedora Core and installation instructions are available [[Installing Fedora Core 5 on a ThinkPad X41 Tablet#Fingerprint_Reader|here]]

====Installing from source====
*Get the bioapi source:
:{{cmduser|wget http://www.qrivy.net/~michael/blua/bioapi/bioapi-latest.tar.bz2}}
*I could not compile bioapi with the graphical Qt tools. To do it manually, do the following:
:{{cmduser|tar xjf bioapi-latest.tar.bz2}}
:{{cmduser|cd bioapi-1.2.2}}
:{{cmduser|1=./configure --with-Qt-dir=no}}
:{{cmduser|make}}
:and then as root
:{{cmdroot|make install}}
:If make install fails, be sure you're root and then:
:{{cmdroot|1=export LD_LIBRARY_PATH=/usr/local/lib}}
:{{cmdroot|make install}}
:and if you want to compile pam_bioapi for auth later
:{{cmdroot|cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include}}
:Be aware that checkinstall will not work!
:(I got through configure with Qt, but got a cryptic build error. It all worked fine with Qt disabled as above)
:buzz: This is due to a wrong qt include path, set it manually in configure and everything should work.
*Bioapi (at least version 1.2.2) doesn't compile with GCC4. You need to patch it:
*This is neccessary to compile on SUSE 10.1 which it using gcc version 4.1.0.
:{{cmduser|wget http://upir.cz/linux/patches/bioapi-1.2.2-gcc4.patch}}
:{{cmduser|patch -p1 < bioapi-1.2.2-gcc4.patch}}
*Patch for gcc 4.1 is available here - http://cvs.pld-linux.org/cgi-bin/cvsweb/SOURCES/bioapi-c++.patch
* By default, bioapi will install numerous files in {{path|/usr/local/<nowiki>{</nowiki>bin,lib,include<nowiki>}</nowiki>}}, including files with "self-explanatory" names such as {{path|/usr/local/bin/Sample}}. To prevent this pollution:
:Create a dedicated directory, for example {{path|/opt/bioapi}} .
:Append <tt>--prefix=/opt/bioapi</tt> to the above <tt>./configure</tt> command.
:Append {{path|/opt/bioapi/bin}} to <tt>$PATH</tt> and {{path|/opt/bioapi/lib}} to <tt>$LD_LIBRARY_PATH</tt>.
:When installing the driver (below), tell it the new install path: {{cmdroot|sh install.sh /opt/bioapi/lib}}

====Adjusting ldconfigs library search path====
At least on {{Fedora}} or {{Aurox}} 11, you may need to add {{path|/usr/local/lib}} to the library path so that the libraries referenced from <tt>pam_bioapi.so</tt> get picked up properly. The usual way to do this is adding it to the ldconfig configuration:
:{{cmdroot|echo '/usr/local/lib' > /etc/ld.so.conf.d/bioapi.conf}}
:{{cmdroot|ldconfig}}
Alternatively you can add it to the LD_LIBRARY variable.

If you see bioapi libs in the output of
:{{cmdroot|ldconfig -p | grep bioapi}}
then it should work.

===Installing and configuring the driver===
====Installing the driver====
*Download {{path|TFMESS_BSP_LIN_1.0.zip}} from the [http://www.upek.com/support/dl_linux_bsp.asp UPEK support site] and unzip it into a seperate folder, as it will not create one.
*Change to that folder and do as root:
:{{cmdroot|sh install.sh}}
:If you're running Gentoo, use
:{{cmdroot|sh install.sh /usr/lib}}
:If that fails, it may be that make install failed up above -- try setting LD_LIBRARY_PATH, do the make install again, and come back here and try this again. You also need {{cmd|mod_install|}} from bioapi in your PATH.
:May there still occures and error, which means mod_install: command not found.
:Then login as root - not su!
:Do this:
:{{cmdroot|sh install.sh}}
:again. It should work. SU to root does not work since then the /usr/local/bin directory is not used per default.

====Configuring permissions for non-root use====
If you want to use PAM-aware applications like xscreensaver that are NOT running with root permissions (as opposed to login, gdm or other authentication mechanisms), you may need to do all or at least some of the things in this section. More details on what is necessary on which distributions would be greately appreciated.
*Create two groups, one for access to BioAPI files and the other for access to the usb files. (This is done for full generality; i.e., you may have other USB devices which you want accessable to other users, without exposing your BioAPI configuration to them). Add your normal user (the one you wish to use PAM-aware applications with) to both of these groups.
On {{Debian}} this is done with
:{{cmdroot|addgroup --system bioapi}}
:{{cmdroot|addgroup --system usbfs}}
:{{cmdroot|adduser yournormaluser bioapi}}
:{{cmdroot|adduser yournormaluser usbfs}}
On {{SUSE}} this is done with
:{{cmdroot|groupadd --system bioapi}}
:{{cmdroot|groupadd --system usbfs}}
:{{cmdroot|groupmod -A yournormaluser bioapi}}
:{{cmdroot|groupmod -A yournormaluser usbfs}}
On {{Mandriva}} this is done with
:{{cmdroot|groupadd -r bioapi}}
:{{cmdroot|groupadd -r usbfs}}
:{{cmdroot|usermod -G bioapi,usbfs yournormaluser}}

:(where {{cmd|yournormaluser|}} is your normal user name). You will need to log out and log back in for this to take effect.
*Set permissions on the BioAPI config/registry directory:
:{{cmdroot|chown -R root:bioapi /usr/local/var/bioapi/}}
:{{cmdroot|chmod -R 770 /usr/local/var/bioapi/}}
:(change this path if you used an alternate BioAPI install directory above)
*Set permissions on the files in {{path|/proc/bus/usb}}:
:{{cmdroot|chown -R root:usbfs /proc/bus/usb}}
:{{cmdroot|chmod -R g+X /proc/bus/usb}}
:{{cmdroot|chown root:usbfs /proc/bus/usb/`lsusb <nowiki>|</nowiki> sed -ne "/0483:2016/s/Bus\ $.*$\ Device\ $.*$:\ .*/\1\/\2/p"`}}
:{{cmdroot|chmod 660 /proc/bus/usb/`lsusb <nowiki>|</nowiki> sed -ne "/0483:2016/s/Bus\ $.*$\ Device\ $.*$:\ .*/\1\/\2/p"`}}
:You may need to replace {{cmd|lsusb|}} with its full path, which is something like {{cmd|/sbin/lsusb|}} or {{cmd|/usr/bin/lsusb|}} depending on your distro. It might be necessary to put these lines into a script which is run at startup and resume from suspend/hibernate.
*As an alternative to the {{cmd|chown|}}/{{cmd|chmod|}} commands above, you can set mount options for usbfs with a line in {{path|/etc/fstab|}}; an example would be
none /proc/bus/usb usbfs defaults,devgid=108,devmode=0660,busgid=108,busmode=0770,listgid=108,listmode=0660 0 0
:where 108 is replaced with the numerical group ID of the usbfs group (you can determine this with something like {{cmd|cat /etc/group <nowiki>|</nowiki> grep usbfs <nowiki>|</nowiki> cut -d':' -f 3|}}). Make sure you only have one {{path|/proc/bus/usb}} entry in {{path|/etc/fstab}}. See the {{cmd|mount(8)|}} manpage for more information on these options. This is "cleaner" but seems to have a few weird issues -- see the talk page for details.
*You may also have files in {{path|/dev/bus/usb}}, which the driver will try before {{path|/proc/bus/usb}}. If this is another usbfs mount point ({{cmd|mount|}} shows a line containing {{cmdresult|/dev/bus/usb type usbfs}}), then simply follow the above instructions with {{path|/dev/bus/usb}} rather than {{path|/proc/bus/usb}}. Otherwise, you may be running a new kernel (i.e. 2.6.15) that makes usbfs-like files available through {{path|/dev/bus/usb}}. On systems running udev these files are dynamically created; you can configure their permissions by editing a udev config file. On Debian this is done by changing the <tt>usb_device</tt> line of {{path|/etc/udev/permissions.rules}} to read
SUBSYSTEM=="usb_device", MODE="0660", GROUP="usbfs"
*For the beta versions only, there is a logfile, which needs to exist with the proper permissions:
:{{cmdroot|touch /var/log/BSP.log && chown root:bioapi /var/log/BSP.log && chmod 660 /var/log/BSP.log}}

====Miscellaneous configuration====
* To increase the security level (minimize false accept rate), set this in {{path|/etc/tfmessbsp.cfg}}:
security-level="5"

===Testing the driver and enrolling a fingerprint===
To test the driver and generate the file containing your fingerprint information, you need a sample program included with the driver. The compilation steps below were discovered by trial and error; if they don't work for you, try the binary {{cmd|Sample|}} utility that came with the beta versions of the driver (i.e., {{path|TFMESS_BSP_LIN_1.0beta2.zip}} as mentioned above).
Go to the folder where you extracted {{path|TFMESS_BSP_LIN_1.0.zip}} and do:
:{{cmdroot|cd NonGUI_Sample}}
:Edit {{path|main.c|}} and remove (or comment out) the line
#include "port/bioapi_port.h"
:{{cmdroot|gcc -o Sample main.c -L/usr/local/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN}}
:{{cmdroot|./Sample}}
:Note that Sample may only run as root, unless you've already configured the usbfs file permissions.
:You can try to "e"nroll (to record a fingerprint for an account) and then "v"erify (to test a fingerprint against the one it expects for an account).
:You'll save a step later if you use your own login username as the username to enroll here.

==Login via pam_bioapi==

The following explains how to add fingerprint authentiation to programs that use the PAM (Pluggable Authentication Modules) framework, such as Gnome's GDM and KDE's KDM and screensaver.

===Getting required libs & tools===
====Installing pam_bioapi====
*Prerequisites
:On SuSE 10, I needed to install the pam-devel RPM
:In general, you will need pam itself (standard for most distros) as well as the pam development files (probably an optional package for your distro).
*Get and compile the pam_bioapi module.
:{{cmduser|wget http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2}}
:{{cmduser|tar xjf pam_bioapi-latest.tar.bz2}}
:{{cmduser|cd pam_bioapi-0.2.1}}
:{{cmduser|wget http://badcode.de/downloads/fingerprint.patch}}
:{{cmduser|patch -p0 < fingerprint.patch}}
:If you want to, review the patch. In general you should review all code you download and compile, if possible. The patch comes from [http://linuxbiometrics.com/modules/newbb/viewtopic.php?viewmode=flat&topic_id=80&forum=1 this thread].
:{{cmduser|./configure && make}}
:and as root
:{{cmdroot| make install}}
:{{cmdroot| cp /usr/local/lib/security/* /lib/security/}}
{{NOTE|If you get a 'rpl_malloc' error in /var/log/auth.log when trying to use the fingerprint reader, redo these steps and remove the related term from Makefile after running ./configure. (FC3, Debian etch)}}
*If you get 'configure: error: cannot find required header: security/_pam_macros.h' and are on a Debian-like system, do "apt-get install libpam0g-dev" and try again. If you are using a Mandriva distribution, do "urpmi libpam0-devel" instead.
*If you get 'PAM [dlerror: /lib/security/pam_bioapi.so: undefined symbol: BioAPIMemoryFuncs]' error in your syslog, replace 'LIBS = ' line in {{path|libpam_bioapi/makefile}} with the following (of course, replace {{path|/opt/bioapi/}} with the path where you installed bioapi):
LIBS = -L/opt/bioapi/lib -lbioapi100 -lbioapi_mds300 -lmds_util
*Use the sample tool from the fingerprint reader to create {{path|<username>.bir}} (<tt><username></tt> '''must''' be the username you want to login with. gdm will probably break for any login name that has no .bir file).
*As root do:
:{{cmdroot|SERIAL<nowiki>=`BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: $.\{9\}$$.\{4\}$$.\{4\}$$.\{4\}$$.*$/\1-\2-\3-\4-\5/gp}"` </nowiki>}}
:{{cmdroot|echo $SERIAL}} should print something like {{cmdresult|<nowiki>{5550454b-2054-464d-2f45-535320425350}</nowiki>}} now.
:If it does, do:
:{{cmdroot|mkdir -p /etc/bioapi/pam/$SERIAL}}
:{{cmdroot|cp <username>.bir /etc/bioapi/pam/$SERIAL}}
:If not, you might just try
:{{cmdroot|SERIAL<nowiki>={5550454b-2054-464d-2f45-535320425350}</nowiki>}}
:as this value is hardcoded into the UPEK docs.

===Configuring pam===
The following part is distribution specific. On {{Ubuntu}} or {{SUSE}} you can modify {{path|/etc/pam.d/common-auth}} (on {{Gentoo}} and {{Fedora}} it is {{path|/etc/pam.d/system-auth}}) to look like this:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
password sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth required pam_unix.so nullok_secure

----
For '''Gentoo'''-Users - this allows you to attempt a password first. If you simply press enter, it then prompts for a fingerprints. Create a file named {{path|/etc/pam.d/bioapi}}. This also means that remote services, such as SSH keep working:

auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth required pam_deny.so

account required pam_unix.so

session required pam_limits.so
session required pam_unix.so

----

Now, simply replace "auth include system-auth" in all services that you wish to use fingerprint for with "auth include bioapi". For example, {{path|/etc/pam.d/kde}} by default contains

auth include system-auth
auth required pam_nologin.so

account include system-auth

password include system-auth

session include system-auth

Simply replace the first "system-auth" with bioapi and you can also get rid of KDE desktop lock with a fingerprint. If you do not wish to allow for "password fallback" then remove

auth sufficient pam_unix.so likeauth nullok

from {{path|/etc/pam.d/bioapi}}.

{{WARN|If su/sudo expects to receive the root password (SuSE 10), you need to have fingerprint settings for root (that is, copy in a root.bir as well as a your-username.bir). Otherwise, they get a segmentation fault. Which is a little unfortunate, given that you need to su or sudo to change your settings... }}
{{WARN|Not only SuSE 10 requires root.bir to be available for su to work. Just make sure you have root.bir when su is not working with your fingerprint reader but other applications are...}}
Note that sshd may pick up the fingerprint settings from {{path|/etc/pam.d/common-auth}}. I didn't want that, so I removed the "auth include common-auth" line from {{path|/etc/pam.d/sshd}} and replaced it with the lines that were originally in my {{path|/etc/pam.d/common-auth}}. That way most local services use the fingerprint reader, but sshd does not.

Another way to do this is to create a file ({{path|/etc/pam.d/bioapi|}} for example) which contains the {{cmd|pam_bioapi.so|}} lines, and explicitly {{cmd|@include|}} this '''before''' {{path|/etc/pam.d/common-auth|}} in the files for services which should use the fingerprint reader. In this case you should leave {{path|/etc/pam.d/common-auth|}} alone.

{{NOTE|This was discovered through trial and success, if it is plain wrong, wikorrect it, please.}}

In {{Fedora}} the original 'session' terms in {{path|/etc/pam.d/system-auth}} need to be kept.

{{HINT|The setup described above will/could affect remote ssh logins to also use biometric logins, which is a bit silly (who wants to remote ssh to the laptop, and then have to walk over to it and swipe your finger) To avoid that you can copy the default <tt>/etc/pam.d/system-auth</tt> to <tt>/etc/pam.d/sshd</tt> which will allow the sshd service to use the standard authentication procedure.}}

You can do some useful testing with [http://pamtester.sourceforge.net/ {{cmd|pamtester|}}], which calls the pam modules as if it were a program of your choice. Examples:
:{{cmdroot|pamtester xdm yourusername authenticate}}
:{{cmduser|pamtester xscreensaver yourusername authenticate}}
where {{cmd|yourusername|}} is your username. Note that {{cmd|pamtester|}} should run as root if and only if the program in question does.

===Application support===
The implementation of fingerprint scanning support in the relevant applications varies.

Here is the behaviour of the most common ones:
* In gdm enter your username and there should pop up an (ugly) image to swipe your finger and... magic - you can login without a password.
* kdm doesn't give any visual indication, other than that the cursor stops blinking. Just swipe your finger and hope it lets you log in.
* In xdm, enter your username and a blank password, then swipe (there is no popup as well).
* The KDE screen saver in SUSE 10 requires you to enter an empty password (or select the correct user and then enter an empty password) in order to get the fingerprint prompt.
* For Fedora users, the redhat-config tools will crash if no root.bir presents. Also, there won't be any visual idication unless X server is properly configured for root to access. Just swipe your finger when the HDD stopped blinking or issue the following command in advance:
:{{cmduser|xhost +local:}}
* For RHEL4 users gdm, console (virtual terminal) logins and the xscreensaver all work

===kdm support===
To add graphical popup to kdm, you need following:
* Patch for pam_bioapi. This patch adds third parameter to {{path|pam_bioapi.so}} module, which is a name of file with additional environment variables that will be supplied to the UPEK driver.
:{{cmdroot|wget http://upir.cz/linux/patches/pam_bioapi-0.2.1-alter-environ.patch}}
:{{cmdroot|patch -p1 < pam_bioapi-0.2.1-alter-environ.patch}}
* Edit your {{path|Xsetup}} file (on SUSE 10 it's {{path|/etc/X11/xdm/Xsetup}}) and add these lines:
echo "XAUTHORITY=$XAUTHORITY" > /var/lib/xdm/kdm_env
echo "DISPLAY=$DISPLAY" >> /var/lib/xdm/kdm_env
* In {{path|/etc/pam.d/xdm}} file, add {{path|/var/lib/xdm/kdm_env}} as a third parameter for {{path|pam_bioapi.so}} module:
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/ /var/lib/xdm/kdm_env

Please note, that this won't work if you have more than one Xserver.

==Make xscreensaver use the scanner==
If you are using Gentoo, you can get a portage overlay with the necessary patches here: http://www.zzamboni.org/brt/2006/04/25/106/
*Get the needed xscreensaver sources:
:{{cmduser|wget http://www.jwz.org/xscreensaver/xscreensaver-4.23.tar.gz}}
:{{cmduser|tar xzf xscreensaver-4.23.tar.gz}}
:{{cmduser|cd xscreensaver-4.23}}
:{{cmduser|wget http://nax.hn.org/pub/bioapi/xscreensaver-4.22_alternativeAuth.diff This site seems to be down, use this mirror: http://zepan.org/files/xscreensaver-4.22_alternativeAuth.diff For xscreensaver 5.00, you can get a patch here: http://www.zzamboni.org/brt/files/xscreensaver-5.00-alternativeauth.patch}}
*After reviewing the patch (it's small and straightforward), do
:{{cmduser|patch -p1 < xscreensaver-4.22_alternativeAuth.diff}} The patch prevents xscreensaver from opening an authentification window and dispatches the authentification request to another program, in our case <tt>pam</tt> and <tt>pam_bioapi</tt>. It should apply with some offset, don't mind that. If it says something about rejected though, then there's a problem.
*Compile with
:{{cmduser|./configure --with-pam && make}} 
*If you receive an error like "Couldn't find X11 headers/libs" and are running a Debian-like system, try "apt-get install xlibs-dev"
*If you receive an error like "undefined reference to `XmuPrintDefaultErrorMessage'" then install the libxmu-dev package and run the previous line again and then install as root with
:{{cmduser|su -c make install}} .
*Make sure that the newly compiled xscreensaver is used:
:{{cmduser|which xscreensaver}} should return
:{{cmdresult|/usr/local/bin/xscreensaver}} .
*In case it doesn't, try adjusting your PATH.

How to enable integrated fingerprint reader with BioAPI

2006-06-26T12:18:38Z

ZZamboni:

{| width="100%"
|style="vertical-align:top;padding-right:20px;width:10px;white-space:nowrap;" | __TOC__
|style="vertical-align:top" |
This page describes the process of getting the [[Integrated Fingerprint Reader|integrated fingerprint reader]] to work under Linux. It is based on experiences in {{Ubuntu}} on a T43. The same works on {{Fedora}} 4 and 5, RHEL4, SuSE 9.3, SuSE 10, and {{Gentoo}}.
|}

==Basic installation==
===Installing the bioapi framework===
====Automated installation script====
The [[Script for enabling the fingerprint reader]] automates the installation of most components (bioapi framework, driver, pam_bioapi, pam setup, device permissions, pamtester and enrolling), for some Linux distributions.

====Binary packages====

Note that these packages only take care of this one section. If you can use one, you should do so and then proceed to the section entitled, Installing and Configuring the Driver.

=====Debian=====
*If you're using {{Debian}} Sid (the unstable branch) you can try the packages from Michael R. Crusoe's site, either [http://www.qrivy.net/~michael/temp/ version 1.2.3] (recommended) or [http://www.qrivy.net/~michael/debs/unstable/ older versions] which might not work with the steps in this howto.
*This seems to work for {{Ubuntu}} Breezy/Dapper too, so save yourself some trouble and grab it.
=====Gentoo=====
You can either grab the [http://www.qrivy.net/~michael/blua/bioapi/bioapi-1.2.2.ebuild.tar.bz2 ebuild], or use the source-install procedure below.

Also see [http://toe.ch/~tsa/ibm-fingerprint/ http://toe.ch/~tsa/ibm-fingerprint/] for alternative documentation on installing on Gentoo including ebuilds for all the packages used.
=====Fedora Core=====
RPM packages for Fedora Core and installation instructions are available [[Installing Fedora Core 5 on a ThinkPad X41 Tablet#Fingerprint_Reader|here]]

====Installing from source====
*Get the bioapi source:
:{{cmduser|wget http://www.qrivy.net/~michael/blua/bioapi/bioapi-latest.tar.bz2}}
*I could not compile bioapi with the graphical Qt tools. To do it manually, do the following:
:{{cmduser|tar xjf bioapi-latest.tar.bz2}}
:{{cmduser|cd bioapi-1.2.2}}
:{{cmduser|1=./configure --with-Qt-dir=no}}
:{{cmduser|make}}
:and then as root
:{{cmdroot|make install}}
:If make install fails, be sure you're root and then:
:{{cmdroot|1=export LD_LIBRARY_PATH=/usr/local/lib}}
:{{cmdroot|make install}}
:and if you want to compile pam_bioapi for auth later
:{{cmdroot|cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include}}
:Be aware that checkinstall will not work!
:(I got through configure with Qt, but got a cryptic build error. It all worked fine with Qt disabled as above)
:buzz: This is due to a wrong qt include path, set it manually in configure and everything should work.
*Bioapi (at least version 1.2.2) doesn't compile with GCC4. You need to patch it:
*This is neccessary to compile on SUSE 10.1 which it using gcc version 4.1.0.
:{{cmduser|wget http://upir.cz/linux/patches/bioapi-1.2.2-gcc4.patch}}
:{{cmduser|patch -p1 < bioapi-1.2.2-gcc4.patch}}
*Patch for gcc 4.1 is available here - http://cvs.pld-linux.org/cgi-bin/cvsweb/SOURCES/bioapi-c++.patch
* By default, bioapi will install numerous files in {{path|/usr/local/<nowiki>{</nowiki>bin,lib,include<nowiki>}</nowiki>}}, including files with "self-explanatory" names such as {{path|/usr/local/bin/Sample}}. To prevent this pollution:
:Create a dedicated directory, for example {{path|/opt/bioapi}} .
:Append <tt>--prefix=/opt/bioapi</tt> to the above <tt>./configure</tt> command.
:Append {{path|/opt/bioapi/bin}} to <tt>$PATH</tt> and {{path|/opt/bioapi/lib}} to <tt>$LD_LIBRARY_PATH</tt>.
:When installing the driver (below), tell it the new install path: {{cmdroot|sh install.sh /opt/bioapi/lib}}

====Adjusting ldconfigs library search path====
At least on {{Fedora}} or {{Aurox}} 11, you may need to add {{path|/usr/local/lib}} to the library path so that the libraries referenced from <tt>pam_bioapi.so</tt> get picked up properly. The usual way to do this is adding it to the ldconfig configuration:
:{{cmdroot|echo '/usr/local/lib' > /etc/ld.so.conf.d/bioapi.conf}}
:{{cmdroot|ldconfig}}
Alternatively you can add it to the LD_LIBRARY variable.

If you see bioapi libs in the output of
:{{cmdroot|ldconfig -p | grep bioapi}}
then it should work.

===Installing and configuring the driver===
====Installing the driver====
*Download {{path|TFMESS_BSP_LIN_1.0.zip}} from the [http://www.upek.com/support/dl_linux_bsp.asp UPEK support site] and unzip it into a seperate folder, as it will not create one.
*Change to that folder and do as root:
:{{cmdroot|sh install.sh}}
:If you're running Gentoo, use
:{{cmdroot|sh install.sh /usr/lib}}
:If that fails, it may be that make install failed up above -- try setting LD_LIBRARY_PATH, do the make install again, and come back here and try this again. You also need {{cmd|mod_install|}} from bioapi in your PATH.
:May there still occures and error, which means mod_install: command not found.
:Then login as root - not su!
:Do this:
:{{cmdroot|sh install.sh}}
:again. It should work. SU to root does not work since then the /usr/local/bin directory is not used per default.

====Configuring permissions for non-root use====
If you want to use PAM-aware applications like xscreensaver that are NOT running with root permissions (as opposed to login, gdm or other authentication mechanisms), you may need to do all or at least some of the things in this section. More details on what is necessary on which distributions would be greately appreciated.
*Create two groups, one for access to BioAPI files and the other for access to the usb files. (This is done for full generality; i.e., you may have other USB devices which you want accessable to other users, without exposing your BioAPI configuration to them). Add your normal user (the one you wish to use PAM-aware applications with) to both of these groups.
On {{Debian}} this is done with
:{{cmdroot|addgroup --system bioapi}}
:{{cmdroot|addgroup --system usbfs}}
:{{cmdroot|adduser yournormaluser bioapi}}
:{{cmdroot|adduser yournormaluser usbfs}}
On {{SUSE}} this is done with
:{{cmdroot|groupadd --system bioapi}}
:{{cmdroot|groupadd --system usbfs}}
:{{cmdroot|groupmod -A yournormaluser bioapi}}
:{{cmdroot|groupmod -A yournormaluser usbfs}}
On {{Mandriva}} this is done with
:{{cmdroot|groupadd -r bioapi}}
:{{cmdroot|groupadd -r usbfs}}
:{{cmdroot|usermod -G bioapi,usbfs yournormaluser}}

:(where {{cmd|yournormaluser|}} is your normal user name). You will need to log out and log back in for this to take effect.
*Set permissions on the BioAPI config/registry directory:
:{{cmdroot|chown -R root:bioapi /usr/local/var/bioapi/}}
:{{cmdroot|chmod -R 770 /usr/local/var/bioapi/}}
:(change this path if you used an alternate BioAPI install directory above)
*Set permissions on the files in {{path|/proc/bus/usb}}:
:{{cmdroot|chown -R root:usbfs /proc/bus/usb}}
:{{cmdroot|chmod -R g+X /proc/bus/usb}}
:{{cmdroot|chown root:usbfs /proc/bus/usb/`lsusb <nowiki>|</nowiki> sed -ne "/0483:2016/s/Bus\ $.*$\ Device\ $.*$:\ .*/\1\/\2/p"`}}
:{{cmdroot|chmod 660 /proc/bus/usb/`lsusb <nowiki>|</nowiki> sed -ne "/0483:2016/s/Bus\ $.*$\ Device\ $.*$:\ .*/\1\/\2/p"`}}
:You may need to replace {{cmd|lsusb|}} with its full path, which is something like {{cmd|/sbin/lsusb|}} or {{cmd|/usr/bin/lsusb|}} depending on your distro. It might be necessary to put these lines into a script which is run at startup and resume from suspend/hibernate.
*As an alternative to the {{cmd|chown|}}/{{cmd|chmod|}} commands above, you can set mount options for usbfs with a line in {{path|/etc/fstab|}}; an example would be
none /proc/bus/usb usbfs defaults,devgid=108,devmode=0660,busgid=108,busmode=0770,listgid=108,listmode=0660 0 0
:where 108 is replaced with the numerical group ID of the usbfs group (you can determine this with something like {{cmd|cat /etc/group <nowiki>|</nowiki> grep usbfs <nowiki>|</nowiki> cut -d':' -f 3|}}). Make sure you only have one {{path|/proc/bus/usb}} entry in {{path|/etc/fstab}}. See the {{cmd|mount(8)|}} manpage for more information on these options. This is "cleaner" but seems to have a few weird issues -- see the talk page for details.
*You may also have files in {{path|/dev/bus/usb}}, which the driver will try before {{path|/proc/bus/usb}}. If this is another usbfs mount point ({{cmd|mount|}} shows a line containing {{cmdresult|/dev/bus/usb type usbfs}}), then simply follow the above instructions with {{path|/dev/bus/usb}} rather than {{path|/proc/bus/usb}}. Otherwise, you may be running a new kernel (i.e. 2.6.15) that makes usbfs-like files available through {{path|/dev/bus/usb}}. On systems running udev these files are dynamically created; you can configure their permissions by editing a udev config file. On Debian this is done by changing the <tt>usb_device</tt> line of {{path|/etc/udev/permissions.rules}} to read
SUBSYSTEM=="usb_device", MODE="0660", GROUP="usbfs"
*For the beta versions only, there is a logfile, which needs to exist with the proper permissions:
:{{cmdroot|touch /var/log/BSP.log && chown root:bioapi /var/log/BSP.log && chmod 660 /var/log/BSP.log}}

====Miscellaneous configuration====
* To increase the security level (minimize false accept rate), set this in {{path|/etc/tfmessbsp.cfg}}:
security-level="5"

===Testing the driver and enrolling a fingerprint===
To test the driver and generate the file containing your fingerprint information, you need a sample program included with the driver. The compilation steps below were discovered by trial and error; if they don't work for you, try the binary {{cmd|Sample|}} utility that came with the beta versions of the driver (i.e., {{path|TFMESS_BSP_LIN_1.0beta2.zip}} as mentioned above).
Go to the folder where you extracted {{path|TFMESS_BSP_LIN_1.0.zip}} and do:
:{{cmdroot|cd NonGUI_Sample}}
:Edit {{path|main.c|}} and remove (or comment out) the line
#include "port/bioapi_port.h"
:{{cmdroot|gcc -o Sample main.c -L/usr/local/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN}}
:{{cmdroot|./Sample}}
:Note that Sample may only run as root, unless you've already configured the usbfs file permissions.
:You can try to "e"nroll (to record a fingerprint for an account) and then "v"erify (to test a fingerprint against the one it expects for an account).
:You'll save a step later if you use your own login username as the username to enroll here.

==Login via pam_bioapi==

The following explains how to add fingerprint authentiation to programs that use the PAM (Pluggable Authentication Modules) framework, such as Gnome's GDM and KDE's KDM and screensaver.

===Getting required libs & tools===
====Installing pam_bioapi====
*Prerequisites
:On SuSE 10, I needed to install the pam-devel RPM
:In general, you will need pam itself (standard for most distros) as well as the pam development files (probably an optional package for your distro).
*Get and compile the pam_bioapi module.
:{{cmduser|wget http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2}}
:{{cmduser|tar xjf pam_bioapi-latest.tar.bz2}}
:{{cmduser|cd pam_bioapi-0.2.1}}
:{{cmduser|wget http://badcode.de/downloads/fingerprint.patch}}
:{{cmduser|patch -p0 < fingerprint.patch}}
:If you want to, review the patch. In general you should review all code you download and compile, if possible. The patch comes from [http://linuxbiometrics.com/modules/newbb/viewtopic.php?viewmode=flat&topic_id=80&forum=1 this thread].
:{{cmduser|./configure && make}}
:and as root
:{{cmdroot| make install}}
:{{cmdroot| cp /usr/local/lib/security/* /lib/security/}}
{{NOTE|If you get a 'rpl_malloc' error in /var/log/auth.log when trying to use the fingerprint reader, redo these steps and remove the related term from Makefile after running ./configure. (FC3, Debian etch)}}
*If you get 'configure: error: cannot find required header: security/_pam_macros.h' and are on a Debian-like system, do "apt-get install libpam0g-dev" and try again. If you are using a Mandriva distribution, do "urpmi libpam0-devel" instead.
*If you get 'PAM [dlerror: /lib/security/pam_bioapi.so: undefined symbol: BioAPIMemoryFuncs]' error in your syslog, replace 'LIBS = ' line in {{path|libpam_bioapi/makefile}} with the following (of course, replace {{path|/opt/bioapi/}} with the path where you installed bioapi):
LIBS = -L/opt/bioapi/lib -lbioapi100 -lbioapi_mds300 -lmds_util
*Use the sample tool from the fingerprint reader to create {{path|<username>.bir}} (<tt><username></tt> '''must''' be the username you want to login with. gdm will probably break for any login name that has no .bir file).
*As root do:
:{{cmdroot|SERIAL<nowiki>=`BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: $.\{9\}$$.\{4\}$$.\{4\}$$.\{4\}$$.*$/\1-\2-\3-\4-\5/gp}"` </nowiki>}}
:{{cmdroot|echo $SERIAL}} should print something like {{cmdresult|<nowiki>{5550454b-2054-464d-2f45-535320425350}</nowiki>}} now.
:If it does, do:
:{{cmdroot|mkdir -p /etc/bioapi/pam/$SERIAL}}
:{{cmdroot|cp <username>.bir /etc/bioapi/pam/$SERIAL}}
:If not, you might just try
:{{cmdroot|SERIAL<nowiki>={5550454b-2054-464d-2f45-535320425350}</nowiki>}}
:as this value is hardcoded into the UPEK docs.

===Configuring pam===
The following part is distribution specific. On {{Ubuntu}} or {{SUSE}} you can modify {{path|/etc/pam.d/common-auth}} (on {{Gentoo}} and {{Fedora}} it is {{path|/etc/pam.d/system-auth}}) to look like this:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
password sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth required pam_unix.so nullok_secure

----
For '''Gentoo'''-Users - this allows you to attempt a password first. If you simply press enter, it then prompts for a fingerprints. Create a file named {{path|/etc/pam.d/bioapi}}. This also means that remote services, such as SSH keep working:

auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth required pam_deny.so

account required pam_unix.so

session required pam_limits.so
session required pam_unix.so

----

Now, simply replace "auth include system-auth" in all services that you wish to use fingerprint for with "auth include bioapi". For example, {{path|/etc/pam.d/kde}} by default contains

auth include system-auth
auth required pam_nologin.so

account include system-auth

password include system-auth

session include system-auth

Simply replace the first "system-auth" with bioapi and you can also get rid of KDE desktop lock with a fingerprint. If you do not wish to allow for "password fallback" then remove

auth sufficient pam_unix.so likeauth nullok

from {{path|/etc/pam.d/bioapi}}.

{{WARN|If su/sudo expects to receive the root password (SuSE 10), you need to have fingerprint settings for root (that is, copy in a root.bir as well as a your-username.bir). Otherwise, they get a segmentation fault. Which is a little unfortunate, given that you need to su or sudo to change your settings... }}
{{WARN|Not only SuSE 10 requires root.bir to be available for su to work. Just make sure you have root.bir when su is not working with your fingerprint reader but other applications are...}}
Note that sshd may pick up the fingerprint settings from {{path|/etc/pam.d/common-auth}}. I didn't want that, so I removed the "auth include common-auth" line from {{path|/etc/pam.d/sshd}} and replaced it with the lines that were originally in my {{path|/etc/pam.d/common-auth}}. That way most local services use the fingerprint reader, but sshd does not.

Another way to do this is to create a file ({{path|/etc/pam.d/bioapi|}} for example) which contains the {{cmd|pam_bioapi.so|}} lines, and explicitly {{cmd|@include|}} this '''before''' {{path|/etc/pam.d/common-auth|}} in the files for services which should use the fingerprint reader. In this case you should leave {{path|/etc/pam.d/common-auth|}} alone.

{{NOTE|This was discovered through trial and success, if it is plain wrong, wikorrect it, please.}}

In {{Fedora}} the original 'session' terms in {{path|/etc/pam.d/system-auth}} need to be kept.

{{HINT|The setup described above will/could affect remote ssh logins to also use biometric logins, which is a bit silly (who wants to remote ssh to the laptop, and then have to walk over to it and swipe your finger) To avoid that you can copy the default <tt>/etc/pam.d/system-auth</tt> to <tt>/etc/pam.d/sshd</tt> which will allow the sshd service to use the standard authentication procedure.}}

You can do some useful testing with [http://pamtester.sourceforge.net/ {{cmd|pamtester|}}], which calls the pam modules as if it were a program of your choice. Examples:
:{{cmdroot|pamtester xdm yourusername authenticate}}
:{{cmduser|pamtester xscreensaver yourusername authenticate}}
where {{cmd|yourusername|}} is your username. Note that {{cmd|pamtester|}} should run as root if and only if the program in question does.

===Application support===
The implementation of fingerprint scanning support in the relevant applications varies.

Here is the behaviour of the most common ones:
* In gdm enter your username and there should pop up an (ugly) image to swipe your finger and... magic - you can login without a password.
* kdm doesn't give any visual indication, other than that the cursor stops blinking. Just swipe your finger and hope it lets you log in.
* In xdm, enter your username and a blank password, then swipe (there is no popup as well).
* The KDE screen saver in SUSE 10 requires you to enter an empty password (or select the correct user and then enter an empty password) in order to get the fingerprint prompt.
* For Fedora users, the redhat-config tools will crash if no root.bir presents. Also, there won't be any visual idication unless X server is properly configured for root to access. Just swipe your finger when the HDD stopped blinking or issue the following command in advance:
:{{cmduser|xhost +local:}}
* For RHEL4 users gdm, console (virtual terminal) logins and the xscreensaver all work

===kdm support===
To add graphical popup to kdm, you need following:
* Patch for pam_bioapi. This patch adds third parameter to {{path|pam_bioapi.so}} module, which is a name of file with additional environment variables that will be supplied to the UPEK driver.
:{{cmdroot|wget http://upir.cz/linux/patches/pam_bioapi-0.2.1-alter-environ.patch}}
:{{cmdroot|patch -p1 < pam_bioapi-0.2.1-alter-environ.patch}}
* Edit your {{path|Xsetup}} file (on SUSE 10 it's {{path|/etc/X11/xdm/Xsetup}}) and add these lines:
echo "XAUTHORITY=$XAUTHORITY" > /var/lib/xdm/kdm_env
echo "DISPLAY=$DISPLAY" >> /var/lib/xdm/kdm_env
* In {{path|/etc/pam.d/xdm}} file, add {{path|/var/lib/xdm/kdm_env}} as a third parameter for {{path|pam_bioapi.so}} module:
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/ /var/lib/xdm/kdm_env

Please note, that this won't work if you have more than one Xserver.

==Make xscreensaver use the scanner==
*Get the needed xscreensaver sources:
:{{cmduser|wget http://www.jwz.org/xscreensaver/xscreensaver-4.23.tar.gz}}
:{{cmduser|tar xzf xscreensaver-4.23.tar.gz}}
:{{cmduser|cd xscreensaver-4.23}}
:{{cmduser|wget http://nax.hn.org/pub/bioapi/xscreensaver-4.22_alternativeAuth.diff This site seems to be down, use this mirror: http://zepan.org/files/xscreensaver-4.22_alternativeAuth.diff For xscreensaver 5.00, you can get a patch here: http://www.zzamboni.org/brt/files/xscreensaver-5.00-alternativeauth.patch}}
*After reviewing the patch (it's small and straightforward), do
:{{cmduser|patch -p1 < xscreensaver-4.22_alternativeAuth.diff}} The patch prevents xscreensaver from opening an authentification window and dispatches the authentification request to another program, in our case <tt>pam</tt> and <tt>pam_bioapi</tt>. It should apply with some offset, don't mind that. If it says something about rejected though, then there's a problem.
*Compile with
:{{cmduser|./configure --with-pam && make}} 
*If you receive an error like "Couldn't find X11 headers/libs" and are running a Debian-like system, try "apt-get install xlibs-dev"
*If you receive an error like "undefined reference to `XmuPrintDefaultErrorMessage'" then install the libxmu-dev package and run the previous line again and then install as root with
:{{cmduser|su -c make install}} .
*Make sure that the newly compiled xscreensaver is used:
:{{cmduser|which xscreensaver}} should return
:{{cmdresult|/usr/local/bin/xscreensaver}} .
*In case it doesn't, try adjusting your PATH.