Script for enabling the fingerprint reader with BioAPI

From ThinkWiki
Revision as of 19:37, 24 December 2005 by Thinker (Talk | contribs) (Ideas for improvement)

The following script automates the installation of the fingerprint software for some Linux distributions. It covers most components (BioAPI framework, driver, pam_bioapi, PAM setup and enrollment), and handles all the downloading, patching and installation.

Everything is installed into /opt/bioapi, so it doesn't pollute your filesystem. The only files affected outside /opt/bioapi are the ldconfig configuration, PAM configuration and a few symlinks in /lib/security.

For details, manual installation and hints for other distributions, see How to enable the fingerprint reader.

Usage: just copy into a file and run.

Distributions supported by this script

If you add support for additional distributions, please update this script (using conditionals where necessary) instead of branching it.

The script

#!/bin/bash
# Install UPEK fingerprint reader driver and associated software on Linux systems.
# Source: http://thinkwiki.org/wiki/Script_for_enabling_the_fingerprint_reader

set -e -E -x -u   # verbose, abort if anything fails

WHERE=/opt/bioapi
mkdir -p $WHERE

########################################
# Install bioapi:

wget -N http://www.qrivy.net/~michael/blua/bioapi/bioapi-1.2.2.tar.bz2
sha1sum --check <<EOF
932425e847449e9612c6894dcbaf44630aecfc13  bioapi-1.2.2.tar.bz2
EOF
tar xjf bioapi-1.2.2.tar.bz2
pushd bioapi-1.2.2
./configure --with-Qt-dir=no --prefix=$WHERE
make
make install
install -m644 include/bioapi_util.h $WHERE/include/bioapi_util.h
install -m644 include/installdefs.h $WHERE/include/installdefs.h
install -m644 imports/cdsa/v2_0/inc/cssmtype.h $WHERE/include/cssmtype.h
chmod o-w $WHERE/var/bioapi
popd

########################################
# Tell ldconfig about bioapi libraries:

[ -d /etc/ld.so.conf.d ] || { echo "Unsupported distribution: no /etc/ld.so.conf.d directory."; exit 1; }
echo $WHERE/lib > /etc/ld.so.conf.d/bioapi.conf
ldconfig
ldconfig -p | grep -q bioapi || { echo "ldconfig doesn't see bioapi"; exit 1; }

########################################
# Install UPEK driver:

wget -N http://www.upek.com/support/download/TFMESS_BSP_LIN_1.0.zip
sha1sum --check <<EOF
c73466b5c3b26415b300d5c5ffb76deaefadeb32  TFMESS_BSP_LIN_1.0.zip
EOF
mkdir -p driver
pushd driver
unzip ../TFMESS_BSP_LIN_1.0.zip
PATH="$PATH:$WHERE/bin" sh install.sh $WHERE/lib/
cd NonGUI_Sample
perl -i -pe 'print "#include <stdlib.h>\n//DISABLED: " if m!^#include "port/bioapi_port.h"$!'  main.c
gcc -o Sample main.c -I$WHERE/include -L$WHERE/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN
install -m755 Sample $WHERE/bin/upek-NonGUI_Sample
popd

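# Extract the reader's serial from the BioAPITest output and format it as a dashed identifier.
SERIAL=$($WHERE/bin/BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}")
# Abort if no serial was parsed; an empty value would produce a broken PAM entry and enrollment path.
[ -n "$SERIAL" ] || { echo "Could not read the fingerprint reader serial from BioAPITest."; exit 1; }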

########################################
# Install (patched) pam_bioapi:

wget -N http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-0.2.1.tar.bz2 
wget -N http://badcode.de/downloads/fingerprint.patch 
sha1sum --check <<EOF
a0bdf3436e55f7dc8b4795243f08a4c9b399dec8  pam_bioapi-0.2.1.tar.bz2
619254a5bcd3acb8bf1d72b15ea69bfe00f0f064  fingerprint.patch
EOF
tar xjvf pam_bioapi-0.2.1.tar.bz2 
pushd pam_bioapi-0.2.1 
patch -p0 < ../fingerprint.patch 
CPPFLAGS="-I$WHERE/include" LDFLAGS="-L$WHERE/lib" ./configure --prefix=$WHERE
make 
make install 
ln -vfs $WHERE/lib/security/pam_bioapi.so* /lib/security/
popd

########################################
# Configure pam to use pam_bioapi:

grep -q 'Fedora Core release 4' /etc/redhat-release || { echo -e "I don't know how to configure PAM on this distribution.\nSee: http://thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Configuring_pam"; exit 1; }

PAMFILE=/etc/pam.d/system-auth
if ! grep -q pam_bioapi.so $PAMFILE; then
  perl -i -pe '
    if (!$a && m/^auth/) {$a=1; print 
      "auth        sufficient    pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
    if (!$p && m/^password/) {$p=1; print
      "password    sufficient    pam_bioapi.so '$SERIAL' /etc/bioapi/pam/\n"}
    ' $PAMFILE
fi

########################################
# Enroll:

mkdir -p /etc/bioapi/pam/$SERIAL
pushd /etc/bioapi/pam/$SERIAL
read -p "Now enroll all relevant Unix accounts (press Enter to start)."
$WHERE/bin/upek-NonGUI_Sample
popd

echo "Success."

Ideas for improvement

  • Support more distributions
  • Minimize changes to /etc/pam.d/system-auth by creating a separate file (e.g., /etc/pam.d/bioapi-auth) and @include-ing it.
  • Do something about /etc/pam.d/sshd - it invokes /etc/pam.d/system-auth by stacking, so remote SSH logins now invoke the fingerprint reader... See related discussion in How_to_enable_the_fingerprint_reader.
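
An audit helper for the stacking issue in the last item above, added here as an example and not part of the original script: it lists every service file in a PAM directory that reaches pam_bioapi.so, either directly or through `pam_stack.so service=`, `include` or `@include` lines. The function names and the sample directory contents are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the wiki page): which PAM services reach pam_bioapi.so?

# Print the services that file $1 pulls in via pam_stack, "include" or "@include".
pam_refs() {
  sed -n \
    -e 's/^[^#]*pam_stack\.so.*service=\([A-Za-z0-9_.-]*\).*/\1/p' \
    -e 's/^@include[[:space:]]\{1,\}\([A-Za-z0-9_.-]*\).*/\1/p' \
    -e 's/^[a-z-]*[[:space:]]\{1,\}include[[:space:]]\{1,\}\([A-Za-z0-9_.-]*\).*/\1/p' \
    "$1"
}

# Succeed if service $2 in directory $1 reaches pam_bioapi.so ($3 = depth limit).
reaches_bioapi() {
  local dir="$1" svc="$2" depth="${3:-5}" ref
  [ -f "$dir/$svc" ] && [ "$depth" -gt 0 ] || return 1
  grep -Eq '^[^#]*pam_bioapi\.so' "$dir/$svc" && return 0
  for ref in $(pam_refs "$dir/$svc"); do
    reaches_bioapi "$dir" "$ref" $((depth - 1)) && return 0
  done
  return 1
}

# Print every service under $1 (default /etc/pam.d) that ends up calling the module.
bioapi_exposed_services() {
  local dir="${1:-/etc/pam.d}" f
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    reaches_bioapi "$dir" "$(basename "$f")" && basename "$f"
  done
  return 0
}

# Constructed sample directory (file contents are illustrative, serial is a placeholder).
make_sample_pamd() {
  local d; d=$(mktemp -d)
  printf 'auth sufficient pam_bioapi.so SERIAL-PLACEHOLDER /etc/bioapi/pam/\n' > "$d/system-auth"
  printf 'auth required pam_stack.so service=system-auth\n' > "$d/sshd"
  printf 'auth include system-auth\n' > "$d/login"
  printf '#auth required pam_stack.so service=system-auth\nauth required pam_deny.so\n' > "$d/other"
  echo "$d"
}

sample=$(make_sample_pamd)
bioapi_exposed_services "$sample"
rm -rf "$sample"
```

Calling `bioapi_exposed_services` with no argument checks /etc/pam.d; any remote-facing service in its output inherits the fingerprint line.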