Difference between revisions of "Script for enabling the fingerprint reader with BioAPI"

From ThinkWiki
Jump to: navigation, search
(enabled functionality)
 
(36 intermediate revisions by 11 users not shown)
Line 1: Line 1:
The following script automates the installation of the fingerprint software for some Linux distributions. It covers most components (bioapi framework, driver, pam_bioapi, pam setup and enrolling), and handles all the downloading, patching and installation.
+
Using the [[Integrated Fingerprint Reader|integrated fingerprint reader]] under Linux is currently a fairly complicated process. The following script automates the installation of the fingerprint software, for some Linux distributions. It covers most components (bioapi framework, driver, pam_bioapi, PAM setup, USB device permissions pamtester and enrolling), and handles all the downloading, patching and installation.
  
Usage: just copy into a file and run.
+
Usage: just copy into a file and run as root.
  
 
After installation, all PAM-enabled system functions will use the fingerprint reader (and if it fails, default to the usual password entry). This includes:
 
After installation, all PAM-enabled system functions will use the fingerprint reader (and if it fails, default to the usual password entry). This includes:
* KDE's KDM login
+
* KDE's KDM login (enter an empty password, then swipe finger)
 +
* KDE's screensaver (enter an empty password, then swipe finger)
 
* Gnome's GDM login
 
* Gnome's GDM login
 
* <tt>su</tt>  
 
* <tt>su</tt>  
 
* <tt>sudo</tt>
 
* <tt>sudo</tt>
  
Everything is intalled into {{path|/opt/bioapi}}, so it doesn't pollute your filesystem. The only files affected outside {{path|/opt/bioapi}} are the ldconfig configuration, PAM configuration and a few symlinks in {{path|/lib/security}}.
+
Everything is intalled into {{path|/opt/bioapi}}, so it doesn't pollute your filesystem. The only effects outside {{path|/opt/bioapi}} are one-line changes to the ldconfig configuration, PAM configuration and {{path|/etc/rc.local}}, and a few symlinks in {{path|/lib/security}}.
 
 
For details, manual installation and hints for other distributions, see [[How to enable the fingerprint reader]]
 
  
 
===Distributions supported by this script===
 
===Distributions supported by this script===
* {{Fedora}} 4
+
* {{Fedora}} 4, 5, 6
 +
* Red Hat Enterprise Linux 4
  
 
If you add support for additional distributions, please update this script (using conditionals where necessary) instead of branching it.
 
If you add support for additional distributions, please update this script (using conditionals where necessary) instead of branching it.
  
 
==The script==
 
==The script==
 +
{{CodeRef|enable-fingerprint-reader}}
  
<pre>
+
The patch has been moved to http://cvs.pld-linux.org/cgi-bin/cvsweb/SOURCES/Attic/bioapi-c++.patch?rev=1.3. However in CVS it has been marked as obsolete.
#!/bin/bash
 
# Install UPEK fingerprint reader driver and associated software on Linux systems.
 
# Source: http://thinkwiki.org/wiki/Script_for_enabling_the_fingerprint_reader
 
 
 
set -e -E -x -u  # verbose, abort if anything fails
 
 
 
WHERE=/opt/bioapi
 
mkdir -p $WHERE
 
 
 
########################################
 
# Install bioapi:
 
 
 
wget -N http://www.qrivy.net/~michael/blua/bioapi/bioapi-1.2.2.tar.bz2
 
sha1sum --check <<EOF
 
932425e847449e9612c6894dcbaf44630aecfc13  bioapi-1.2.2.tar.bz2
 
EOF
 
tar xjf bioapi-1.2.2.tar.bz2
 
pushd bioapi-1.2.2
 
./configure --with-Qt-dir=no --prefix=$WHERE
 
make
 
make install
 
install -m644 include/bioapi_util.h $WHERE/include/bioapi_util.h
 
install -m644 include/installdefs.h $WHERE/include/installdefs.h
 
install -m644 imports/cdsa/v2_0/inc/cssmtype.h $WHERE/include/cssmtype.h
 
chmod o-w $WHERE/var/bioapi
 
popd
 
 
 
########################################
 
# Tell ldconfig about bioapi libraries:
 
 
 
[ -d /etc/ld.so.conf.d ] || { echo "Unsupported distribution: no /etc/ld.so.conf.d directory."; exit 1; }
 
echo $WHERE/lib > /etc/ld.so.conf.d/bioapi.conf
 
ldconfig
 
ldconfig -p | grep -q bioapi || { echo "ldconfig doesn't see bioapi"; exit 1; }
 
 
 
########################################
 
# Install UPEK driver:
 
 
 
wget -N http://www.upek.com/support/download/TFMESS_BSP_LIN_1.0.zip
 
sha1sum --check <<EOF
 
c73466b5c3b26415b300d5c5ffb76deaefadeb32  TFMESS_BSP_LIN_1.0.zip
 
EOF
 
mkdir -p driver
 
pushd driver
 
unzip ../TFMESS_BSP_LIN_1.0.zip
 
PATH="$PATH:$WHERE/bin" sh install.sh $WHERE/lib/
 
cd NonGUI_Sample
 
perl -i -pe 'print "#include <stdlib.h>\n//DISABLED: " if m!^#include "port/bioapi_port.h"$!'  main.c
 
gcc -o Sample main.c -I$WHERE/include -L$WHERE/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN
 
install Sample -m755 $WHERE/bin/upek-NonGUI_Sample
 
popd
 
 
 
SERIAL=`$WHERE/bin/BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}"`
 
 
 
########################################
 
# Install (patched) pam_bioapi:
 
 
 
wget -N http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-0.2.1.tar.bz2
 
wget -N http://badcode.de/downloads/fingerprint.patch  
 
sha1sum --check <<EOF
 
a0bdf3436e55f7dc8b4795243f08a4c9b399dec8  pam_bioapi-0.2.1.tar.bz2
 
619254a5bcd3acb8bf1d72b15ea69bfe00f0f064  fingerprint.patch
 
EOF
 
tar xjvf pam_bioapi-0.2.1.tar.bz2
 
pushd pam_bioapi-0.2.1
 
patch -p0 < ../fingerprint.patch
 
CPPFLAGS="-I$WHERE/include" LDFLAGS="-L$WHERE/lib" ./configure --prefix=$WHERE
 
make
 
make install
 
ln -vfs $WHERE/lib/security/pam_bioapi.so* /lib/security/
 
popd
 
 
 
########################################
 
# Configure pam to use pam_bioapi:
 
 
 
grep -q 'Fedora Core release 4' /etc/redhat-release || { echo -e "I don't know how to configure PAM on this distribution.\nSee: http://thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Configuring_pam"; exit 1; }
 
 
 
PAMFILE=/etc/pam.d/system-auth
 
if ! grep -q pam_bioapi.so $PAMFILE; then
 
  perl -i -pe '
 
    if (!$a && m/^auth/) {$a=1; print
 
      "auth        sufficient    pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
 
    if (!$p && m/^password/) {$p=1; print
 
      "password    sufficient    pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
 
    ' $PAMFILE
 
fi
 
 
 
########################################
 
# Enroll:
 
 
 
mkdir -p /etc/bioapi/pam/$SERIAL
 
pushd /etc/bioapi/pam/$SERIAL
 
read -p "Now enroll all relevant Unix accounts (press Enter to start)."
 
$WHERE/bin/upek-NonGUI_Sample
 
popd
 
 
 
echo "Success."
 
</pre>
 
  
 
==Ideas for improvement==
 
==Ideas for improvement==
Line 125: Line 28:
 
* Do something about {{path|/etc/pam.d/sshd}} - it invokes {{path|/etc/pam.d/system-auth}} by stacking, so remote SSH logins now invoke the fingerprint reader... See related discussion in [[How_to_enable_the_fingerprint_reader]].
 
* Do something about {{path|/etc/pam.d/sshd}} - it invokes {{path|/etc/pam.d/system-auth}} by stacking, so remote SSH logins now invoke the fingerprint reader... See related discussion in [[How_to_enable_the_fingerprint_reader]].
 
* Install and configure a patched xscreensaver (as explained in [[How_to_enable_the_fingerprint_reader]]).
 
* Install and configure a patched xscreensaver (as explained in [[How_to_enable_the_fingerprint_reader]]).
 +
* Add "<tt>OnResume 10 /opt/bioapi/bin/set_fingerprint_perms</tt>" to [[Software Suspend 2|suspend2]]'s {{path|/etc/hibernate/hibernate.conf}}?
 +
 +
* The script ends with:
 +
+ wget -N http://badcode.de/downloads/fingerprint.patch
 +
--13:03:23--  http://badcode.de/downloads/fingerprint.patch
 +
          => `fingerprint.patch'
 +
Connecting to XXX.XXX.XXX.XXX:80... connected.
 +
Proxy request sent, awaiting response... 401 Authorization Required
 +
Authorization failed.
 +
 +
(proxy don't need authorization)
 +
the file is under authorization
 +
 +
[[Category:Scripts]]

Latest revision as of 17:25, 5 August 2011

Using the integrated fingerprint reader under Linux is currently a fairly complicated process. The following script automates the installation of the fingerprint software, for some Linux distributions. It covers most components (bioapi framework, driver, pam_bioapi, PAM setup, USB device permissions pamtester and enrolling), and handles all the downloading, patching and installation.

Usage: just copy into a file and run as root.

After installation, all PAM-enabled system functions will use the fingerprint reader (and if it fails, default to the usual password entry). This includes:

  • KDE's KDM login (enter an empty password, then swipe finger)
  • KDE's screensaver (enter an empty password, then swipe finger)
  • Gnome's GDM login
  • su
  • sudo

Everything is intalled into /opt/bioapi, so it doesn't pollute your filesystem. The only effects outside /opt/bioapi are one-line changes to the ldconfig configuration, PAM configuration and /etc/rc.local, and a few symlinks in /lib/security.

Distributions supported by this script

  • Fedora 4, 5, 6
  • Red Hat Enterprise Linux 4

If you add support for additional distributions, please update this script (using conditionals where necessary) instead of branching it.

The script

enable-fingerprint-reader (download)

The patch has been moved to http://cvs.pld-linux.org/cgi-bin/cvsweb/SOURCES/Attic/bioapi-c++.patch?rev=1.3. However in CVS it has been marked as obsolete.

Ideas for improvement

  • Support more distributions
  • Minimize changes to /etc/pam.d/system-auth by creating a separate file (e.g., /etc/pam.d/bioapi-auth) and @include-ing it.
  • Do something about /etc/pam.d/sshd - it invokes /etc/pam.d/system-auth by stacking, so remote SSH logins now invoke the fingerprint reader... See related discussion in How_to_enable_the_fingerprint_reader.
  • Install and configure a patched xscreensaver (as explained in How_to_enable_the_fingerprint_reader).
  • Add "OnResume 10 /opt/bioapi/bin/set_fingerprint_perms" to suspend2's /etc/hibernate/hibernate.conf?
  • The script ends with:

+ wget -N http://badcode.de/downloads/fingerprint.patch --13:03:23-- http://badcode.de/downloads/fingerprint.patch

          => `fingerprint.patch'

Connecting to XXX.XXX.XXX.XXX:80... connected. Proxy request sent, awaiting response... 401 Authorization Required Authorization failed.

(proxy don't need authorization) the file is under authorization