LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   Authentication via the integrated fingerprint reader in newer Thinkpads (http://www.linuxquestions.org/questions/slackware-14/authentication-via-the-integrated-fingerprint-reader-in-newer-thinkpads-918929/)

sinic 12-15-2011 01:18 PM

Authentication via the integrated fingerprint reader in newer Thinkpads
 
This is not really a LinuxQuestion, rather a LinuxHeadsUp :)

If you have a newer Thinkpad model (e.g. a X201s) with an integrated fingerprint scanner, you may be interested in using that device for logging in at a virtual terminal. In the past you needed to install PAM for this to work, now there's a much less intrusive way: I've thrown together a patch for the shadow tool suite's login to make it prompt a specified user for the fingerprint instead of asking for the password. The scanning itself is done by libfprint.

I have created packages of the patched shadow tool suite as well as libfprint for Slackware64 13.37, whereas the latter only contains a driver for upeke2 devices. If you need one of the other drivers instead, don't lose hope just yet! You can easily change the included driver in my build and recompile the package:

Code:

tar xjf libfprint-0.4.0.tar.bz2
cd libfprint
wget http://people.freedesktop.org/~hadess/libfprint-0.4.0.tar.bz2
sed -i "s/upeke2/$DRIVER/" libfprint.SlackBuild
./libfprint.SlackBuild

The reason I deactivated the other drivers is that I only have access to a upeke2 device and didn't want to release security critical software without having a chance to test it. Better be safe than sorry... I would like to hear from people for whom it works with other drivers, however. After installing the packages and enrolling your fingerprint, you only need to specify your user as the FPRINT_USER in /etc/login.defs and restart the login process (or simply reboot). The next time you enter your user at login, you'll have to swipe your finger to authenticate.

A few caveats:
  • as said, only tested with upek2 for now (though it probably works with other drivers too)
  • only one user can be the FPRINT_USER at the moment
  • enrollment has to be done elsewhere, e.g. with fprint_demo (no need to install it, just compile, run and delete it after installing my libfprint package)

Update: I briefly tested a upekts device today and it seems to work fine. An updated package with both upekts and upeke2 is available.

Update: As written in my next post, it is now possible to have multiple users authenticate with their fingerprints. These users should be members of both plugdev (for accessing the device) and fpauth (so the login process knows whether to prompt them for their password or their fingerprint), FPRINT_USER is no longer used. Links in this post already lead to the new variant, just download and install it as you did before:
Code:

upgradepkg --reinstall shadow-4.1.4.3-x86_64-2_sinic.txz
You'll have to enroll your fingerprints a second time, now as a regular user instead of root. Read my next post for details.

Update: Yet another update to my login patch... Furthermore I've patched vlock to make it unlock the screen upon scanning the right fingerprint. The preconditions described above must be met: Your user should be a member of the groups plugdev and must be a member fpauth. Locking the screen with vlock also requires you to be a member of vlock. A package is available, as always, at my Slackware page.

vehn 12-18-2011 02:58 PM

Hm.. very interesting. I have sensor on Thinkpad w520 (supported by upeksonly driver, related to http://www.freedesktop.org/wiki/Soft...rint/upeksonly). Greet job, thank you!

sinic 12-18-2011 04:26 PM

I've uploaded a new shadow package that includes an updated patch. Now it should be possible to have multiple users authenticating via their fingerprints. Instead of specifying the user in /etc/login.defs, you now only have to add the users to a group named fpauth (that you have to create on your own).

The prints are now read from the respective user's home directory, not /root. This is something I probably should have explained in more detail in my previous post: It is critical that you enroll the fingerprints as the right user. Previously that would have been root (since that is the login process's user), now it is the user to be authenticated later.

Also note that the user should be a member of the group plugdev to access the fingerprint device. That's not an issue when logging in, since that process runs as root anyways. It is important when enrolling the fingerprint with fprint_demo, however.

VisionIncision 12-07-2012 04:40 AM

Has anybody tried this out with Slackware64 14?


All times are GMT -5. The time now is 03:58 AM.