Bug 162297 - sys-auth/thinkfinger an OSS replacement for sys-auth/tfm-fingerprint
Summary: sys-auth/thinkfinger an OSS replacement for sys-auth/tfm-fingerprint
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Tony Vroon (RETIRED)
Reported: 2007-01-15 23:13 UTC by John Schember
Modified: 2007-03-05 09:34 UTC

Attachments
preliminary ebuild (thinkfinger-0.2.ebuild, 1.38 KB, text/plain)
2007-01-16 03:47 UTC, John Schember
thinkfinger-0.2.ebuild (thinkfinger-0.2.ebuild, 1.37 KB, text/plain)
2007-01-16 05:11 UTC, John Schember
thinkfinger-0.2.1.ebuild (thinkfinger-0.2.1.ebuild, 1.27 KB, text/plain)
2007-01-30 03:50 UTC, John Schember
thinkfinger-0.2.2.ebuild (thinkfinger-0.2.2.ebuild, 1.27 KB, text/plain)
2007-02-05 14:07 UTC, John Schember
thinkfinger-0.2.2-r1.ebuild (thinkfinger-0.2.2-r1.ebuild, 1.29 KB, text/plain)
2007-02-13 13:53 UTC, John Schember
system-auth patch (system-auth.patch, 562 bytes, patch)
2007-02-17 02:13 UTC, Anton Bolshakov
an empty file to obsolete system-auth patch (empty, 5 bytes, text/plain)
2007-02-18 20:25 UTC, Anton Bolshakov
thinkfinger-0.2.2.ebuild (thinkfinger-0.2.2.ebuild, 1.33 KB, text/plain)
2007-02-21 16:33 UTC, Tony Vroon (RETIRED)

Description John Schember 2007-01-15 23:13:50 UTC
From their SourceForge page, http://sourceforge.net/projects/thinkfinger,
"ThinkFinger is a driver for the SGS Thomson Microelectronics fingerprint reader found in most IBM/Lenovo ThinkPads."

Instructions
1) Build and install the package with --with-securedir=/${lib_dir}/security --prefix=/usr.

2) Add (in /etc/pam.d/system-auth)
auth            sufficient      pam_thinkfinger.so
password        sufficient      pam_thinkfinger.so

between

auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok

Usage
1) tf-tool --acquire to read the fingerprint and create a .bir file in /tmp
2) Move /tmp/test.bir to /etc/pam_thinkfinger/{user_name_for_print}.bir

Now all PAM-aware apps can use your fingerprint instead of a password.

Reproducible: Always
Comment 1 John Schember 2007-01-16 03:47:39 UTC
Created attachment 107159 [details]
preliminary ebuild

Here is a preliminary ebuild for thinkfinger 0.2. There is one problem with it. I don't know of a good way to specify the security-dir location as it seems kinda messy to just use /lib on a multi lib machine.

get_libdir can't be used because it returns /usr/lib{64} when the pam module needs to be in /lib{64}. If anyone knows a solution that would be appreciated.
Comment 2 John Schember 2007-01-16 05:11:50 UTC
Created attachment 107161 [details]
thinkfinger-0.2.ebuild

Updated the ebuild to use the pam eclass, taking care of the issue of which lib dir the pam module should be installed into.
Comment 3 John Schember 2007-01-30 03:50:35 UTC
Created attachment 108570 [details]
thinkfinger-0.2.1.ebuild

Version bump to 0.2.1.
Comment 4 John Schember 2007-02-05 14:07:57 UTC
Created attachment 109232 [details]
thinkfinger-0.2.2.ebuild

New release. Now supports pam < 0.99.
Comment 5 cdep.illabout 2007-02-13 11:05:24 UTC
When emerging, I get an error during the ./configure stage:

checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for USB... configure: error: libusb missing

This is probably due to thinkfinger requiring >=libusb-0.1.12.

Maybe this should be added to the ebuild file?

After installing the correct version for libusb, this problem went away.

Thank You!
Comment 6 John Schember 2007-02-13 13:53:58 UTC
Created attachment 110057 [details]
thinkfinger-0.2.2-r1.ebuild

It does require libusb. Sorry for missing that. I've updated the ebuild to reflect that dependency. Thanks for finding that mistake.
Comment 7 Anton Bolshakov 2007-02-17 02:13:48 UTC
Created attachment 110437 [details, diff]
system-auth patch

I want to suggest adding an IUSE="pam" support check and patching the system-auth automatically.
Comment 8 Andrey A. Ugolnik 2007-02-18 14:07:16 UTC
Don't know how to configure KDE to use fingerprint. I make changes in /etc/pam.d/system-auth as follows:

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_thinkfinger.so
auth       required     pam_deny.so

and change in /etc/pam.d/kde

auth       include      system-auth

to  

auth       include      thinkfinger

but no success :(

Comment 9 John Schember 2007-02-18 16:13:32 UTC
> IUSE="pam" support
A pam use flag would be good but there is talk of moving the three parts into separate packages. Right now the only thing that uses the non pam parts are the pam parts. I don't want to invest the time in the ebuild until something else uses the non pam parts, or a conclusion of how to release (one package or three) is reached.

> patch the system-auth automatically
There is no way to know how a user has modified that file. It shouldn't be assumed that that file is the same as what was installed by pam. The thinkfinger line has to be in a specific place in the file. The ebuild could easily screw up someone's system if it did. I would rather have the user add the needed line instead of possibly breaking their system. I will look/ask around if there is a safe way to handle this because it would be very nice if it is possible to do it safely.

----

> Don't know how to configure KDE to use fingerprint.
In your /etc/pam.d/system-auth file
auth       sufficient   pam_thinkfinger.so
needs to come before
auth       sufficient   pam_unix.so likeauth nullok

Also, change your /etc/pam.d/kde back to how it was.

Only applications that properly implement pam will work. The three known apps to work are GDM, login and su. If you want to use think finger you will have to use GDM for login instead of KDM and you won't be able to use kdesu.
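
The ordering described in the bug description and in comment 9, as an added example that is not part of the original thread or of the thinkfinger package: a small checker that parses a PAM service file and reports when the pam_thinkfinger.so auth line is not placed after pam_env.so and before pam_unix.so. The function names and the two sample stacks (copied from the description and comment 8) are constructed for this illustration.

```python
import re

# Constructed sample: the auth stack posted in comment 8 (fingerprint after pam_unix).
COMMENT_8_STACK = """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_thinkfinger.so
auth       required     pam_deny.so
"""

# Constructed sample: the order given in the bug description and comment 9.
DESCRIPTION_STACK = """\
# fingerprint first, password as fallback
auth       required     pam_env.so
auth       sufficient   pam_thinkfinger.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       required     pam_deny.so
"""

# type, control (keyword or [bracketed] form), module, optional arguments
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, mgmt_type="auth"):
    """Return [(control, module, args)] for one management type, in file order."""
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = LINE_RE.match(line)
        if m and m.group(1) == mgmt_type:
            module = m.group(3).rsplit("/", 1)[-1]   # accept absolute module paths
            entries.append((m.group(2), module, m.group(4).split()))
    return entries

def check_thinkfinger_order(text):
    """Return a list of findings; an empty list means the order matches the thread."""
    modules = [module for _, module, _ in parse_stack(text)]
    if "pam_thinkfinger.so" not in modules:
        return ["pam_thinkfinger.so is not in the auth stack"]
    findings = []
    tf = modules.index("pam_thinkfinger.so")
    if "pam_unix.so" in modules and tf > modules.index("pam_unix.so"):
        findings.append("pam_thinkfinger.so comes after pam_unix.so")
    if "pam_env.so" in modules and tf < modules.index("pam_env.so"):
        findings.append("pam_thinkfinger.so comes before pam_env.so")
    return findings

if __name__ == "__main__":
    for name, stack in [("comment 8", COMMENT_8_STACK), ("description", DESCRIPTION_STACK)]:
        print(name, check_thinkfinger_order(stack) or "ok")
```

Because it only reads the file, a check like this can run against the live /etc/pam.d/system-auth without touching it, which sidesteps the sandbox concern raised later in the thread.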

Comment 10 John Schember 2007-02-18 16:33:54 UTC
> patch the system-auth automatically
This can't be done. It would violate the sandbox because it would have to modify the live filesystem.
Comment 11 Anton Bolshakov 2007-02-18 20:25:31 UTC
Created attachment 110581 [details]
an empty file to obsolete system-auth patch

Since this patch can't be done please create postinstall instructions.
Can you also submit it to one of the overlays (sunrise?) please?
The ebuild works without any problem for me.
Comment 12 Jan Kundrát (RETIRED) gentoo-dev 2007-02-18 20:43:12 UTC
(In reply to comment #9)
> > patch the system-auth automatically

No way. Portage still lacks that oraculum that knows what the user actually wants.

> Only applications that properly implement pam will work. The three known apps
> to work are GDM, login and su. If you want to use think finger you will have to
> use GDM for login instead of KDM and you won't be able to use kdesu.

Well, the "problem" with KDE is that it still asks for password and passes it to the kcheckpass. This means that if you follow upstream suggestions about how to configure PAM for this package, KDE stuff still asks for a password despite that it won't be actually used if the fingerprint matches, so it's usually enough to swipe your finger and press enter.

The only way to fix this is to persuade KDE folks to support some kind of bioapi. I have no idea what their opinion about this is.
Comment 13 Tony Vroon (RETIRED) gentoo-dev 2007-02-21 16:33:16 UTC
Created attachment 110842 [details]
thinkfinger-0.2.2.ebuild
Comment 14 Tony Vroon (RETIRED) gentoo-dev 2007-02-21 16:40:33 UTC
(In reply to comment #12)
> No way. Portage still lacks that oraculum that knows what the user actually
> wants.

I agree with that, Jan. Instead the ebuild tells you what to do. (The PAM explanation is only displayed if that USE-flag is on)

John, thank you for your suggestions and initial ebuild. I had already written an ebuild, but I have extended it with your suggestions and messages. Please report any problems with the ebuild in a new bug, and assign it to me.
Comment 15 Anton Bolshakov 2007-02-23 23:04:08 UTC
> Well, the "problem" with KDE is that it still asks for password and passes it
> to the kcheckpass.

Based on https://bugs.kde.org/show_bug.cgi?id=116682 KDM doesn't pass it to kcheckpass. They use kcheckpass for kscreensaver and maybe for kdesu.

[quote]
------- Additional Comment #1 From Oswald Buddenhagen 2005-11-19 04:02 -------  
kdm & kdesktop_lock provide a plugin interface that allows supporting (almost?) arbitrary authentication methods. it's pretty obvious that kdm simply can't provide a frontend for every pam module out there; they have to be shipped with the modules themselves.
[/quote]
Comment 16 Ákos Maróy 2007-03-03 15:24:57 UTC
I just made it work using the thinkfinger-0.2.2.ebuild on my IBM ThinkPad Z61p laptop. I'm using the amd64 arch (it's an Intel Core Duo 2 CPU).

One shortcoming I found: pam was expecting pam_thinkfinger.so under /lib64/security, but the ebuild put it under /usr/lib64/security. Maybe the ebuild should be updated to put it under /lib64/security instead?

anyway, I'd recommend adding the ~amd64 keyword into the ebuild.
Comment 17 John Schember 2007-03-03 15:48:03 UTC
(In reply to comment #16)
> I just made it work using the thinkfinger-0.2.2.ebuild on my IBM ThinkPad Z61p
> laptop. I'm using the amd64 arch (it's an Intel Core Duo 2 CPU).
> 
> One shortcoming I found: pam was expecting pam_thinkfinger.so under
> /lib64/security, but the ebuild put it under /usr/lib64/security. Maybe the
> ebuild should be updated to put it under /lib64/security instead?
> 
> anyway, I'd recommend adding the ~amd64 keyword into the ebuild.
> 

Use the ebuild that is in portage. It puts the pam module in the proper location and has the ~amd64 keyword.
Comment 18 Ákos Maróy 2007-03-05 09:34:47 UTC
thanks for the tip, I tried and it works fine.

one remark: the 2.2-r1 ebuild does not set the executable flag on /lib64/security/pam_thinkfinger.so - so I set it manually...