Talk:How to enable integrated fingerprint reader with BioAPI

From ThinkWiki
Revision as of 20:00, 26 June 2006 by Meba (Talk | contribs) (Security level)

chmod 777 -R /usr/local/var/bioapi/

Is the above necessary? I just made a debian package of xscreensaver with the patch applied, and when using the bioapi debian package from Michael R. Crusoe's site, which has this directory put in /usr/var/bioapi, I did not have to change the permissions to world-writeable there. Write access to the logfile and usb device are necessary, but that directory works with 755 as well (even though it comes with 777 in Michael's package), and all files and subdirectories are 644/755 too.

--spiney 00:08, 11 Nov 2005 (CET)


Qt Compilation Success

Here it worked with qt ;)

--

I didn't get it to work anyway, but I'm curious about your Qt version(s) as it seemed to want Qt 3 when I was playing with it.

--keegan 05:07, 24 Dec 2005 (CET)

using absolute paths for commands

I don't know whether using absolute paths in the articles is a good idea, at least not for tools like lsusb which are not established utilities (i.e. used for more than a decade or something ;)) and happen to be in different locations in different distributions. E.g. said lsusb resides in /usr/sbin on Debian systems.

--spiney 16:45, 12 Nov 2005 (CET)


I'm using debian testing and it's in /usr/bin. I agree that the confusion is bad; dropping the absolute paths and adding a general note about checking $PATH in case of problems is probably good.

--keegan

BioAPI error #3

It's kind of strange: it used to work with everything (kdm, console, lock, etc.). Now it only works with kdm. It always gives back:

pam_bioapi[8113]: Unable to initialize Bioapi framework, BioAPI error #:3.

Even when I set the right permissions on /proc/bus/usb.

I am able to run the Sample program as normal user after setting the permissions, but when I change within a user session by su I am not able to run the Sample program and also get an error code #3.

From another terminal (alt+strg+Fx) I am able to run the Sample program but at the login I still get the error #3.

I can't remember having changed anything, and before, I was able to log in on a console with my fingerprint; now only kdm is working, even the kde lock-session isn't working anymore.

Any suggestions ?

Permission errors exclusive to xscreensaver

I followed the instructions above and got everything working, including non-root programs like xscreensaver. However, the script to change usbfs permissions is finicky and fails to work with a lot of things like suspend/resume. Therefore, I switched to specifying devgid=108,devmode=0660,busgid=108,busmode=0770,listgid=108,listmode=0660 as mount parameters for usbfs, where group 108 is a group I created and added my normal user to. This seems like a much better way of doing things, and it almost works. However, xscreensaver (using the newer patch) gives the familiar Unable to load BioAPI BSP with UUID of {5550454b-2054-464d-2f45-535320425350}, BioAPI error #194d. error in /var/log/auth.log. I don't think this is a straightforward permissions problem because

  • the permissions in /proc/bus/usb are correct by inspection
  • I can write to the device file as my normal user
  • other programs like test_verify-pam_bioapi and pamtester work as my normal user
  • the weirdest one: xscreensaver works when the xscreensaver daemon is launched from within strace. It's still running as my normal user (strace is not setuid root). I have absolutely no idea what would cause this. I thought it might be an environment issue, but the difference in environment between the strace session and my normal session is trivial.

At this point I'm hoping it's something dumb, but I'm out of ideas. The xscreensaver error is pam_authenticate (...) ==> 7 (Authentication failure), for the record.

--keegan


Could you provide all the log lines between pam_start and pam_end when running xscreensaver -verbose?

BTW, the idea with using the mount options for usbfs is very good, maybe you should add that info to the article page? I use the permission changing script without problems, also after resume, but the usbfs version is probably easier to set up, most people will be able to find /etc/fstab.

--spiney 10:12, 23 Dec 2005 (CET)


xscreensaver: 20:56:01: alternative_pam:  1 -> pam service: xscreensaver-alternative
xscreensaver: 20:56:01: pam_start ("xscreensaver-alternative", "keegan", ...) ==> 0 (Success)
xscreensaver: 20:56:01:   pam_set_item (p, PAM_TTY, ":0.0") ==> 0 (Success)
xscreensaver: 20:56:01:     PAM ECHO_OFF("Password: ") ==> password
xscreensaver: 20:56:03:   pam_authenticate (...) ==> 7 (Authentication failure)
xscreensaver: 20:56:03: pam_end (...) ==> 0 (Success)
xscreensaver: 20:56:03: prompting for password.
xscreensaver: 20:56:03: 0: creating password dialog.
xscreensaver: 20:56:03: 0: mouse is at 442,412.
xscreensaver: 20:56:03: grabbing server...
xscreensaver: 20:56:03: 0: ungrabbing mouse (was 0x48).
xscreensaver: 20:56:03: 0: grabbing mouse on 0xe0002b... GrabSuccess.
xscreensaver: 20:56:03: ungrabbing server.
xscreensaver: 20:56:05: alternative_pam:  12582928 -> pam service: xscreensaver
xscreensaver: 20:56:05: pam_start ("xscreensaver", "keegan", ...) ==> 0 (Success)
xscreensaver: 20:56:05:   pam_set_item (p, PAM_TTY, ":0.0") ==> 0 (Success)
xscreensaver: 20:56:05:     PAM ECHO_OFF("Password: ") ==> password
xscreensaver: 20:56:05:   pam_authenticate (...) ==> 0 (Success)
xscreensaver: 20:56:05:   pam_acct_mgmt (...) ==> 9 (Authentication service cannot retrieve authentication info.)
xscreensaver: 20:56:05:   pam_setcred (...) ==> 0 (Success)
xscreensaver: 20:56:05: pam_end (...) ==> 0 (Success)
xscreensaver: 20:56:05: password correct.

So we've got the first attempt with pam_bioapi, which fails immediately (no sign of the GUI fingerprint prompt, nor a "silent" chance to swipe the finger as with xdm), then the fallback to pam_unix which succeeds. Earlier I had xscreensaver set up to only try pam_bioapi, with essentially the same result -- it gives up on pam entirely and does unix auth itself.

I'd really like to strace the pam module and see what it's attempting to do to /proc/bus/usb, but as that actually fixes the problem I'm kinda at a loss. Maybe there's some kernel option to print debugging info for usbfs? I'd be all for changing the article to suggest using mount options in /etc/fstab, if it weren't for this one weird bug. Has anyone else had the same problem?

-- keegan
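
The per-service outcome read out of the `xscreensaver -verbose` lines above can be extracted mechanically. This is an added example, not part of the original thread: `sample_log` is a constructed sample trimmed from the quoted log, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise PAM call results per PAM service from
# `xscreensaver -verbose` output read on stdin.

# Constructed sample, trimmed from the log lines quoted in the thread.
sample_log() {
cat <<'EOF'
xscreensaver: 20:56:01: alternative_pam:  1 -> pam service: xscreensaver-alternative
xscreensaver: 20:56:01: pam_start ("xscreensaver-alternative", "keegan", ...) ==> 0 (Success)
xscreensaver: 20:56:01:   pam_set_item (p, PAM_TTY, ":0.0") ==> 0 (Success)
xscreensaver: 20:56:03:   pam_authenticate (...) ==> 7 (Authentication failure)
xscreensaver: 20:56:03: pam_end (...) ==> 0 (Success)
xscreensaver: 20:56:05: pam_start ("xscreensaver", "keegan", ...) ==> 0 (Success)
xscreensaver: 20:56:05:   pam_authenticate (...) ==> 0 (Success)
xscreensaver: 20:56:05:   pam_acct_mgmt (...) ==> 9 (Authentication service cannot retrieve authentication info.)
xscreensaver: 20:56:05: pam_end (...) ==> 0 (Success)
EOF
}

# Print "service call code" for each pam_authenticate, pam_acct_mgmt and
# pam_setcred result, tagged with the service named by the last pam_start.
pam_results() {
    awk '
        /pam_start \("/ {
            svc = $0
            sub(/.*pam_start \("/, "", svc)   # drop everything up to the name
            sub(/".*/, "", svc)               # drop everything after it
            next
        }
        /pam_(authenticate|acct_mgmt|setcred) \(/ {
            call = $0; sub(/.*pam_/, "pam_", call); sub(/ .*/, "", call)
            code = $0; sub(/.*==> /, "", code);     sub(/ .*/, "", code)
            print svc, call, code
        }
    '
}

# Keep only the calls that returned a non-zero PAM code.
pam_nonzero() {
    pam_results | awk '$3 != 0 { print $1 ":" $2 "=" $3 }'
}

sample_log | pam_nonzero
```

Feeding it the real output (`xscreensaver -verbose 2>&1 | pam_nonzero`) shows at a glance which PAM service file the failing module belongs to.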

Same here, I had the whole setup working flawlessly (I really need to get that 'never-touch-a-running-system' mantra burnt into the back of my hands), but after a fresh install of the same distro (Ubuntu) and following the same procedure to get things working I get exactly this behaviour. Login works (now even with multifinger, although there are other issues with that), I can use test_verify-pam_bioapi as a user, and the stock xscreensaver works, albeit only after entering a bogus password first. The patched xscreensaver works when run within a strace (Now that sucks) but fails otherwise. And as I said before, I had this working...


open("/dev/bus/usb", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 13
fstat64(13, {st_mode=S_IFDIR|0755, st_size=140, ...}) = 0
fcntl64(13, F_SETFD, FD_CLOEXEC)        = 0
getdents64(13, /* 7 entries */, 4096)   = 168
getdents64(13, /* 0 entries */, 4096)   = 0
close(13)                               = 0
open("/dev/bus/usb/003", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 13
fstat64(13, {st_mode=S_IFDIR|0755, st_size=80, ...}) = 0
fcntl64(13, F_SETFD, FD_CLOEXEC)        = 0
getdents64(13, /* 4 entries */, 4096)   = 96
open("/dev/bus/usb/003/002", O_RDWR)    = -1 EACCES (Permission denied)
open("/dev/bus/usb/003/002", O_RDONLY)  = 14
ioctl(14, USBDEVFS_CONNECTINFO, 0xafd5bd34) = -1 EPERM (Operation not permitted)
read(14, "\22\1\0\1\0\0\0\10\203\4\26 \1\0\1\2\0\1", 18) = 18
read(14, "\t\2\'\0\1\1\0\240", 8)       = 8
read(14, "2\t\4\0\0\3\377\0\0\0\7\5\201\2@\0\0\7\5\2\2@\0\0\7\5\203"..., 31) = 31
close(14)                               = 0

Here is all the excitement from the strace on xscreensaver. As I originally thought, you cannot get away with just playing with the proc entries :P You also need to deal with the counterpart in /dev. We can wrap up all the permissions issues with a single UDEV rule:

# fingerprint fun
BUS=="usb", DRIVER=="usb", SYSFS{product}=="Biometric Coprocessor", GROUP="bioapi", SYMLINK="misc/fingerprint", RUN+="/bin/sh -c 'chgrp bioapi /proc/$RESULT; chmod g+rw /proc/$RESULT'"

I created a 'bioapi' group and configured pam to add groups to anyone logging in locally. Now all you need to do is amend the pam configuration files below. We use 'wdm', but of course it's as applicable for all those resource hungry touchy-feely gdm/kdm folk out there too ;)

/etc/security/group.conf

# local group settings
login; tty*; *; al0000-2400; audio,floppy,video,cdrom,nvram,plugdev,bioapi
wdm; :*; *; al0000-2400; audio,floppy,video,cdrom,nvram,plugdev,bioapi

/etc/pam.d/login

[snipped]

# group *has* to go here
auth       optional   pam_group.so

# fingerprint action
auth       sufficient /usr/local/lib/security/pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam/

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
#auth       optional   pam_group.so

[snipped]

/etc/pam.d/wdm

#%PAM-1.0
auth            required        pam_nologin.so
auth            required        pam_env.so

# local tweak
auth       optional   pam_group.so

# fingerprint action
auth       sufficient /usr/local/lib/security/pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam/

@include common-auth
@include common-account
@include common-session

N.B. as with all pam related things, the order is important

-- Jim diGriz
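
The ordering requirement in the post above (pam_group.so has to run before pam_bioapi.so so the 'bioapi' group is already granted) can be checked per service file. This is an added example, not code from the thread: the function names and sample files are constructed, and it does not follow `@include` lines.

```shell
#!/bin/sh
# Added example: verify that an active "auth ... pam_group.so" line comes
# before the first "auth ... pam_bioapi.so" line in a PAM service file.
# Exit status: 0 = order ok, 1 = pam_group.so missing or too late,
#              2 = no pam_bioapi.so auth line in the file.
pam_group_before_bioapi() {
    awk '
        /^[ \t]*#/   { next }              # commented-out lines do not count
        $1 != "auth" { next }              # only the auth stack matters here
        {
            i = 2                          # control field, may be "[a=b c=d]"
            if ($2 ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            mod = $(i + 1)
            sub(/.*\//, "", mod)           # strip any directory prefix
            if (mod == "pam_group.so"  && !g) g = NR
            if (mod == "pam_bioapi.so" && !b) b = NR
        }
        END { if (!b) exit 2; exit ((g && g < b) ? 0 : 1) }
    ' "$1"
}

# Print one verdict line per file.
report() {
    for f in "$@"; do
        rc=0
        pam_group_before_bioapi "$f" || rc=$?
        case $rc in
            0) echo "$f: ok" ;;
            1) echo "$f: pam_group.so missing or after pam_bioapi.so" ;;
            *) echo "$f: no pam_bioapi.so auth line" ;;
        esac
    done
}

# Constructed sample files modelled on the snippets in the post ($1 = dir).
write_samples() {
    cat > "$1/good" <<'EOF'
auth       optional   pam_group.so
auth       sufficient /usr/local/lib/security/pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam/
@include common-auth
#auth       optional   pam_group.so
EOF
    cat > "$1/late" <<'EOF'
auth       sufficient /usr/local/lib/security/pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam/
@include common-auth
auth       optional   pam_group.so
EOF
    cat > "$1/commented" <<'EOF'
#auth       optional   pam_group.so
auth       sufficient /usr/local/lib/security/pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi1.10/pam/
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
report "$tmp"/*
rm -rf "$tmp"
```

On a real system, run `report /etc/pam.d/login /etc/pam.d/wdm` after editing the files.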


Driver Expiring!!!

Doesn't anyone notice that both betas of the UPEK driver are expiring in about a month in the new year, Jan 1st 2006? They really mean it! I set my computer date to next year and get a message "the driver has expired" when using fingerprint reader! This is a grave threat to our computer lifestyle, i.e. for those of us who got it working and use it daily:) Is there any workaround other than setting the date back a year when the new year comes and waiting for a new driver? Is there a way to figure out where exactly in the driver it checked the date and how? They must have set it somewhere in file libtfmessbsp.so, but it is binary and I can't figure out how to Reverse Engineer it.

---Jiang

Yes, the beta driver will expire. The final version (which is due REALLY soon now) will not.

Sumedha

Any news? Just 9 days left to expiry. --Thinker 21:36, 22 Dec 2005 (CET)

The final is out, get it at UPEK's download page. And how does one edit the industry watch section of the main page?

--spiney 21:39, 22 Dec 2005 (CET)

Ah, great! Both the article page and the driver page it points to are out of date... For the news, just follow the "News" link in the main page.

--Thinker 21:44, 22 Dec 2005 (CET)

As this is now very soon I've updated the article page to link to the final driver, which is better in a few ways anyway. This is unless anyone minds (are there any unresolved issues with the final that don't exist in the betas?).

--keegan 05:06, 24 Dec 2005 (CET)

Updated xscreensaver patch

I've tried to address some usability issues with the old patch, e.g. that it calls the PAM bioapi module twice before falling back to the normal authentication methods. It can be found on my Fingerprint Reader page, feedback is very welcome.

--spiney 20:36, 22 Dec 2005 (CET)


Fingerprint or password

Is there any way to have PAM accept either a password or a finger swipe, right away? Sometimes one is more convenient, sometimes the other, so it's a lot of trouble to wait for the UPEK scanner prompt and then cancel it in order to reach the password entry.

--Thinker 19:27, 24 Dec 2005 (CET)

KDE screensaver

If you get the following in /var/log/secure when you try to unlock the KDE screensaver, it means you forgot to set the USB device permissions.

localhost pam_bioapi[24981]: Unable to load BioAPI BSP with UUID of {5550454b-2054-464d-2f45-535320425350}, BioAPI error #194d.

--Thinker 21:21, 24 Dec 2005 (CET)


fingerprint reader in action.

small video with fingerprint reader in action with login: http://chao.ch/tmp/mov01302.mpg

--62.202.35.30 17:57, 29 Dec 2005 (CET)

A little feedback...

...for all the editors of this article:

"How to enable the fingerprint reader over at ThinkWiki.org is some real exhaustive documentation for getting the fingerprint scanner working on the ThinkPads. There is also a troubleshooting section towards the end that might be very useful to anyone messing around with it.

Thanks to those responsible for taking the time to write up this excellent guide."

Those thanks come from LinuxBiometrics.com

Wyrfel 01:24, 9 Jan 2006 (CET)


pam_bioapi.so is not linked to libbioapi100.so

I downloaded the pam_bioapi package and patched the file by following the wiki. However, I got the following result:

   ~/soft/thinkpad/pam_bioapi-0.2.1/libpam_bioapi/.libs$ ls -la
   total 48
   drwxr-xr-x  2 louis users   248 2006-01-12 01:18 ./
   drwxr-xr-x  4 louis users   312 2006-01-12 01:18 ../
   lrwxrwxrwx  1 louis users    16 2006-01-12 01:18 pam_bioapi.la -> ../pam_bioapi.la
   -rw-r--r--  1 louis users   824 2006-01-12 01:18 pam_bioapi.lai
   -rw-r--r--  1 louis users 19716 2006-01-12 01:18 pam_bioapi.o
   lrwxrwxrwx  1 louis users    19 2006-01-12 01:18 pam_bioapi.so -> pam_bioapi.so.0.0.0*
   lrwxrwxrwx  1 louis users    19 2006-01-12 01:18 pam_bioapi.so.0 -> pam_bioapi.so.0.0.0*
   -rwxr-xr-x  1 louis users 21789 2006-01-12 01:18 pam_bioapi.so.0.0.0*
   
   ~/soft/thinkpad/pam_bioapi-0.2.1/libpam_bioapi/.libs$ ldd pam_bioapi.so
           linux-gate.so.1 =>  (0xffffe000)
           libc.so.6 => /lib/tls/libc.so.6 (0x40025000)
           /lib/ld-linux.so.2 (0x80000000)
   ~/soft/thinkpad/pam_bioapi-0.2.1/libpam_bioapi/.libs$

pam_bioapi.so is NOT linked to libbioapi100.so. The latter is in the ld path:

   ~/soft/thinkpad/pam_bioapi-0.2.1/libpam_bioapi/.libs$ ldconfig -p |grep bioapi
           libtfmessbsp.so (libc6) => /opt/bioapi/lib/libtfmessbsp.so
           libpwbsp.so.0 (libc6) => /opt/bioapi/lib/libpwbsp.so.0
           libpwbsp.so (libc6) => /opt/bioapi/lib/libpwbsp.so
           libmds_util.so.0 (libc6) => /opt/bioapi/lib/libmds_util.so.0
           libmds_util.so (libc6) => /opt/bioapi/lib/libmds_util.so
           libbioapi100.so.0 (libc6) => /opt/bioapi/lib/libbioapi100.so.0
           libbioapi100.so (libc6) => /opt/bioapi/lib/libbioapi100.so
           libbioapi_mds300.so.0 (libc6) => /opt/bioapi/lib/libbioapi_mds300.so.0
           libbioapi_mds300.so (libc6) => /opt/bioapi/lib/libbioapi_mds300.so
           libbioapi_dummy100.so.0 (libc6) => /opt/bioapi/lib/libbioapi_dummy100.so.0
           libbioapi_dummy100.so (libc6) => /opt/bioapi/lib/libbioapi_dummy100.so

and the Sample program also works allowing me to enroll and test a fingerprint.

My system is SuSE 10 with the kernel of 2.6.13-15. Any ideas?

Thanks.

--Tyne 09:51, 12 Jan 2006 (CET)

xscreensaver 4.23+fingerprint.patch causes xscreensaver-gl to crash kernel

I've gotten bioapi and 'Sample' to allow me to enroll my fingerprint, and I've also experienced the 'two logon' issue.

I compiled xscreensaver 4.23 (though it seemed that apt came with 4.24) and applied the patch. My goal was to have the fingerprint prompt come up and to see the "bad image" of the fingerprint scan.

The first time I did this, xscreensaver-gl took a dump and was causing kernel crashes. So I went and got the newest xscreensaver source and patches, and applied the bioapi patch to those. It worked (meaning it didn't crash the kernel anymore ;b )

It would seem that there is a /etc/pam.d/xscreensaver, so I commented everything out of that except the bioapi line.

Locking xscreensaver, then attempting to unlock didn't show me any fingerprint requirements, and my password didn't work.

I'm wondering if there's something that was left out of the xscreensaver howto? Or if there's anyone out there who's gotten the xscreensaver portion of this to work, who would be willing to help me out :)

--Viss 11:15am, 5 Feb 2006 (PST)

gdm hangs on kde logout

Hi.

I am using a Thinkpad t43, installed with gentoo. I run gdm as the login manager, with kde 3.4 and enlightenment dr16 as the window manager.

I followed the steps in the wiki, and the biometric scanner is now working fine, apart from the fact that when I close/end the session I just get a blank screen, in place of the gdm login screen.

Disabling the biometrics (by setting the pam.d files back to their originals), the session ends fine. I do this for a few times, and then set the biometrics back again, and it works fine for a few logouts, and then back to the blank screen again.

I can do ctrl+shift+f1 to get to a console window and from there I can issue a shutdown. Although this works ok, it is a bit of a pain.

Any ideas ?

'gksudo' Doesn't show biopam finger swipe prompt...

Hey all,

First off... this is an excellent how-to! I have no real interest in using fingerprint scanner with xscreensaver, but it was up and working with everything else on my system pretty much effortlessly.

I'm running Ubuntu Breezy Badger 5.10 on an IBM T43p (2678) and have run into two oddities: 1) /etc/pam.d/xscreensaver - as it is initially configured, if you have an xscreensaver session set to require password (or xlock with screensaver) then you get prompted for the normal text-password entry and then will be prompted to swipe your finger... This is easily fixed by commenting out the '@include common-auth' line in /etc/pam.d/xscreensaver and adding the line 'auth required pam_unix.so nullok_secure'. After that change it only prompts for the text-password entry challenge.

2) gksudo - This is more of a pain... I can use the fingerprint scanner with gksudo, but gksudo doesn't prompt with the (ugly-but-functional) finger swipe dialog the way that gdm does during login or xscreensaver does when configured as mentioned above (pre-fix). So, if I start a Gnome app launcher that is prepended with gksudo, nothing appears to happen until I swipe my finger and then the app gets launched. That's cool and all, but there are times (esp. when multi-tasking) when I forget to swipe and then go "what happened to xxxxx? oh yeah..."

Anyway... does anyone have an idea of what I can do to get the dialog to appear?

thanx

--JELaVallee 05:56, 20 February 2006 (CET)

The gksudo problem is a restriction from the X server. It doesn't allow users other than the logged-in one to grab the display. And the pam_bioapi is invoked as root.

--Whoopie 13:10, 20 February 2006 (CET)

That makes sense... so, now I have to wonder, is there a patchable work-around like the xscreensaver one that could allow for this to work? Where should I research such? gksu's project or is this more an issue at the X11-level?

--JELaVallee 19:38, 27 February 2006 (CET)

I got it working. Grab out the newer pam-bioapi from CVS (http://savannah.nongnu.org/cvs/?group=pam-bioapi). This version supports "multi-finger" when using the sqlite3 database. And it supports defining the used display. Change your line in your /etc/pam.d/ files like this:

auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/bioshadow.db :0

--Whoopie 14:27, 1 March 2006 (CET)

Very cool... Did you run into any issues rebuilding/installing this? I'll give it a shot this evening... THANKS!

--JELaVallee 21:07, 1 March 2006 (CET)

Invoking 'xhost +local:' should be able to let gksudo work. Or just blindly swipe the finger. ;)

--YChao 21:25, 7 March 2006 (CET)

Multifinger

Wow, there's a new version of pam_bioapi which supports multifinger enrollment and user identification. I'll break my system with that this evening :)


Yes, but I'm searching the patch for xdm. The download page from Josef Hajas (http://nax.hn.org/pub/bioapi/) is down. Does anybody have it?

Update: The patch can be found here: http://www.qrivy.net/~michael/blua/xdm_bio.patch

--Whoopie 17:43, 1 March 2006 (CET)

Tried the newest pam-bioapi from CVS (http://savannah.nongnu.org/cvs/?group=pam-bioapi) on FC3. Failed on enrolling fingerprints: (/var/log/secure)

Mar 9 15:30:40 localhost pam_bioapi[32407]: Can't open database: library routine called out of sequence

Could anyone help?

--Ychao 00:38, 10 March 2006 (CET)

I don't know how to solve it. It seems to be a problem with sqlite3. Which version do you use? Under Ubuntu Breezy, it's 3.2.1.

--Whoopie 12:27, 10 March 2006 (CET)


Did anybody try multifinger with BioAPI? I am interested in multifinger at all, not only PAM.

Updated:

Successfully installed pam_bioapi with multifinger support, some info:

Use: auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/bioshadow.db :0 in pam.d; the bioshadow column is the path to the bioapi sqlite database.

If authentication doesn't work, edit /etc/syslog.conf and write the line *.alert /var/log/syslog, so you see pam_bioapi messages in /var/log/syslog. The most common error is a missing biodata table; the newest pam_bioapi version should create it automatically, but if it doesn't, go to /etc/bioapi/pam/ and run the command sqlite3 bioshadow.db, then insert this:

CREATE TABLE biodata (id INTEGER PRIMARY KEY,uid INTEGER,uuid TEXT,header BLOB,data BLOB,signature BLOB,type INTEGER,other BLOB);

You must then enroll at least one fingerprint to the database; do it using test_enroll-pam_bioapi from the pam_bioapi distribution. Note that you must have the root user enrolled in order to use the su command.

--MeBa 16:58, 22 March 2006 (CET)

GNOME Screensaver support

Did anybody try to port the xscreensaver patch to gnome-screensaver? Since Ubuntu Dapper will be shipped with it, it would be nice to have it working then with the fingerprint reader.

Update: Initial support can be found in gnome-screensaver CVS. See bugreport.

--Whoopie 12:36, 16 March 2006 (CET)

No sources for bioapi 1.2.3

There doesn't seem to be any sources available for the recommended Debian package bioapi-1.2.3. That's rather distressing since this is security-related software. A google search doesn't seem to be turning up anything, either. Anybody have a lead on where to find sources?

--TedTso 7:47, 29 Apri 2006 (EDT)

Strange issue on GDM login

I successfully have the fingerprint reader running. Everything is working nicely, except when I try to login with GDM for the first time. The login seems to work fine (the PAM_BIOAPI seems to return true) but GDM hangs then. This issue does not occur when I already logged in using password and logged out again or if I kill GDM when it hangs after the first attempt. Anyone an idea on this?

--dotxp 22:54, 2 May 2006 (CEST)

Don't ask for finger scan when lid closed

When using an external CRT+keyboard+mouse with the LCD lid closed, it's quite annoying to have to reach over and open the lid in order to do a finger scan. Any idea how to make PAM use the fingerprint reader when the lid is open, but skip it when the lid is closed?

--Thinker 13:30, 7 May 2006 (CEST)


Unable to initialize Bioapi framework, BioAPI error #:3

I see some other discussion on this page about the dreaded "Unable to initialize Bioapi framework, BioAPI error #:3" error, but the only solution I can see seems really complicated -- adding users to groups when they log in, etc. Is that really the simplest way to make xscreensaver work? I'm the only user of my laptop -- the only account who will ever log in, the only fingerprint in the database, the only person who will ever run xscreensaver. Is there some quick easy way to make xscreensaver unlock when I swipe my finger?

-- Mike Schiraldi 19:52, 16 May 2006 (CEST)

Security level

UPEK PerfectMatch Algorithm: According to this link, the highest security level is 0, which is the opposite of the 5 mentioned in the article. Which is correct?

Update: Well, TFMESS_BSP_LIN.pdf, which I downloaded somewhere, stated 5 as the highest security level. So, ?