from their Source Forge page, http://sourceforge.net/projects/thinkfinger, "ThinkFinger is a driver for the SGS Thomson Microelectronics fingerprint reader found in most IBM/Lenovo ThinkPads." Instructions 1) Build and install the package with --with-securedir=/${lib_dir)/security --prefix=/usr. 2) Add (in /etc/pam.d/system-auth auth sufficient pam_thinkfinger.so password sufficient pam_thinkfinger.so between auth required pam_env.so auth sufficient pam_unix.so try_first_pass likeauth nullok Usage 1) tf-tool --acquire to read the finger print and create .bir file in /tmp 2) Move /tmp/test.bir to /etc/pam_thinkfinger/{user_name_for_print}.bir Now all pam aware apps can use your finger print instead of a password. Reproducible: Always
Created attachment 107159 [details] preliminary ebuild Here is a preliminary ebuild for thinkfinger 0.2. There is one problem with it. I don't know of a good way to specify the security-dir location as it seems kinda messy to just use /lib on a multi lib machine. get_libdir can't be used because it returns /usr/lib{64} when the pam module needs to be in /lib{64}. If anyone knows a solution that would be appreciated.
Created attachment 107161 [details] thinkfinger-0.2.ebuild Updated the ebuild to use the pam eclass taking care of the issue of which lib dir the pam module should be installed into.
Created attachment 108570 [details] thinkfinger-0.2.1.ebuild Version bump to 0.2.1.
Created attachment 109232 [details] thinkfinger-0.2.2.ebuild New release. Now supports pam < 0.99.
When emerging, I get an error during the ./configure stage: checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking for USB... configure: error: libusb missing This is probably due to thinkfinger requiring >=libusb-0.1.12. Maybe this should be added to the ebuild file? After installing the correct version for libusb, this problem went away. Thank You!
Created attachment 110057 [details] thinkfinger-0.2.2-r1.ebuild It does require libusb. Sorry for missing that. I've updated the ebuild to reflect that dependency. Thanks for finding that mistake.
Created attachment 110437 [details, diff] system-auth patch I want to suggest to add IUSE="pam" support check and patch the system-auth automatically
Don't know how to configure KDE to use fingerprint. I make changes in /etc/pam.d/system-auth as follows: auth required pam_env.so auth sufficient pam_unix.so likeauth nullok auth sufficient pam_thinkfinger.so auth required pam_deny.so and change in /etc/pam.d/kde auth include system-auth to auth include thinkfinger but no success :(
> IUSE="pam" support A pam use flag would be good but there is talk of moving the three parts into separate packages. Right now the only thing that uses the non pam parts are the pam parts. I don't want to invest the time in the ebuild until, something else uses the non pam parts, or a conclusion of how to release (one package or three) is reached. > patch the system-auth automatically There is no way to know how a user has modified that file. It shouldn't be assumed that that file is the same as what was installed by pam. The thinkfinger line has to be in a specific place in the file. The ebuild could easily screw up someones system if it did. I would rather have the user add the needed line instead of possibly breaking their system. I will look/ask around if there is a safe way to handle this because it would be very nice if it is possible to do it safely. ---- > Don't know how to configure KDE to use fingerprint. In your /etc/pam.d/system-auth file auth sufficient pam_thinkfinger.so needs to come before auth sufficient pam_unix.so likeauth nullok Also, change your /etc/pam.d/kde back to how it was. Only applications that properly implement pam will work. The three known apps to work are GDM, login and su. If you want to use think finger you will have to use GDM for login instead of KDM and you won't be able to use kdesu.
> patch the system-auth automatically This can't be done. It would violate the sandbox because it would have to modify the live filesystem.
Created attachment 110581 [details] an empty file to obsolute system-auth patch Since this patch can't be done please create postinstall instructions. Can you also submit it to one of overlays (sunrise?) please? The ebuild works without any problem for me.
(In reply to comment #9) > > patch the system-auth automatically No way. Portgae still lacks that oraculum that knows what the user actually wants. > Only applications that properly implement pam will work. The three known apps > to work are GDM, login and su. If you want to use think finger you will have to > use GDM for login instead of KDM and you won't be able to use kdesu. Well, the "problem" with KDE is that is still asks for password and passes it to the kcheckpass. This means that if you follow upstream suggestions about how to configure PAM for this package, KDE stuff still asks for a password despite that it won't be actually used if the fingerprint matches, so it's usually enought to swipe your finger and press enter. The only way to fix this is to persuade KDE folks to support some kind of bioapi. I have no idea what their opinion about this is.
Created attachment 110842 [details] thinkfinger-0.2.2.ebuild
(In reply to comment #12) > No way. Portgae still lacks that oraculum that knows what the user actually > wants. I agree with that Jan. Instead the ebuild tells you what to do. (The PAM explanation is only displayed if that USE-flag is on) John, thank you for your suggestions and initial ebuild. I had already written an ebuild, but I have extended it with your suggestions and messages. Please report any problems with the ebuild in a new bug, and assign it to me.
> Well, the "problem" with KDE is that is still asks for password and passes it > to the kcheckpass. based on https://bugs.kde.org/show_bug.cgi?id=116682 KDM doesn't pass it to kcheckpass. They use kcheckpass for kscreensaver and may be for kdesu. [quote] ------- Additional Comment #1 From Oswald Buddenhagen 2005-11-19 04:02 ------- kdm & kdesktop_lock provide a plugin interface that allows supporting (almost?) arbitrary authentication methods. it's pretty obvious that kdm simply can't provide a frontend for every pam module out there; they have to be shipped with the modules themselves. [/quote]
I just made it work using the thinkfinger-0.2.2.ebuild on my IBM ThinkPad Z61p laptop. I'm using the amd64 arch (it's an Intel Core Duo 2 CPU). One shortcoming I found: pam was expecting pam_thinkfinger.so under /lib64/security, but the ebuild put it under /usr/lib64/security. Maybe the ebuild should be updated to put it under /lib64/security instead? anyway, I'd recommend adding the ~amd64 keyword into the ebuild.
(In reply to comment #16) > I just made it work using the thinkfinger-0.2.2.ebuild on my IBM ThinkPad Z61p > laptop. I'm using the amd64 arch (it's an Intel Core Duo 2 CPU). > > One shortcoming I found: pam was expecting pam_thinkfinger.so under > /lib64/security, but the ebuild put it under /usr/lib64/security. Maybe the > ebuild should be updated to put it under /lib64/security instead? > > anyway, I'd recommend adding the ~amd64 keyword into the ebuild. > Use the ebuild that is in portage. It puts the pam module in the proper location and has the ~amd64 keyword.
thanks for the tip, I tried and it works fine. one remark: the 2.2-r1 ebuild does not set the executable flag on /lib64/security/pam_thinkfinger.so - so I set it manually...
