Gentoo's Bugzilla – Attachment 251259 Details for
Bug 341105
fingerprint-gui (new package)
files/...
Install-step-by-step.html (text/plain), 34.57 KB, created by
Jan Buecken
on 2010-10-19 14:17:51 UTC
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
 <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
 <TITLE></TITLE>
 <META NAME="GENERATOR" CONTENT="OpenOffice.org 3.2 (Unix)">
 <META NAME="AUTHOR" CONTENT="Wolfgang Ullrich">
 <META NAME="CREATED" CONTENT="20081021;15191700">
 <META NAME="CHANGEDBY" CONTENT="Wolfgang Ullrich">
 <META NAME="CHANGED" CONTENT="20100819;20523800">
 <META NAME="Info 1" CONTENT="">
 <META NAME="Info 2" CONTENT="">
 <META NAME="Info 3" CONTENT="">
 <META NAME="Info 4" CONTENT="">
 <STYLE TYPE="text/css">
 <!--
 @page { margin: 2cm }
 P { margin-bottom: 0.21cm; page-break-before: auto }
 P.cjk { font-size: 10pt }
 H1 { margin-bottom: 0.21cm; page-break-before: auto }
 H1.western { font-family: "Arial", sans-serif; font-size: 16pt }
 H1.cjk { font-family: "DejaVu Sans"; font-size: 16pt }
 H1.ctl { font-family: "DejaVu Sans"; font-size: 16pt }
 H2 { margin-bottom: 0.21cm; page-break-before: auto }
 H2.western { font-family: "Arial", sans-serif; font-size: 14pt; font-style: italic }
 H2.cjk { font-size: 14pt; font-style: italic }
 H2.ctl { font-size: 14pt; font-style: italic }
 H3 { margin-bottom: 0.21cm; page-break-before: auto }
 H3.western { font-family: "Arial", sans-serif }
 A.western:visited { so-language: en-US }
 A.cjk:visited { so-language: zxx }
 A.ctl:visited { so-language: zxx }
 -->
 </STYLE>
</HEAD>
<BODY LANG="en-US" DIR="LTR">
<P ALIGN=CENTER STYLE="margin-top: 0.42cm; page-break-after: avoid"><FONT FACE="Arial, sans-serif"><FONT SIZE=4><B>Installing Step by Step</B></FONT></FONT></P>
<P CLASS="western" ALIGN=CENTER><FONT SIZE=2>(Version 0.15)</FONT></P>
<DIV ID="Inhaltsverzeichnis1" DIR="LTR">
 <DIV ID="Inhaltsverzeichnis1_Head" DIR="LTR">
 <P STYLE="margin-top: 0.42cm; page-break-after: avoid"><FONT FACE="Arial, sans-serif"><FONT SIZE=4 STYLE="font-size: 16pt"><B>Contents</B></FONT></FONT></P>
 </DIV>
 <P STYLE="margin-bottom: 0cm"> 1
Installing Executables and Libraries</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 1.1 Installing required Libraries</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 1.2 Installing executables</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 1.3 Creating a “plugdev” group</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 1.4 Uninstalling other Fingerprint Solutions</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 1.5 Special preparations for Lubuntu</P>
 <P STYLE="margin-bottom: 0cm"> 2 Acquiring Fingerprints</P>
 <P STYLE="margin-bottom: 0cm"> 3 Setting up Fingerprint Authentication</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 3.1 Configuring “su”</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 3.2 Configuring “login”</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 3.3 Configuring “sudo”</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 3.4 Configuring “gdm”</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 3.5 Configuring “gnome-screensaver”</P>
 <P STYLE="margin-bottom: 0cm"> 4 Exporting Fingerprint Data and Testing PAM Settings</P>
 <P STYLE="margin-bottom: 0cm"> 5 Password Store</P>
 <P STYLE="margin-bottom: 0cm"> 6 Troubleshooting</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 6.1 Gdm Greeter doesn't show the Fingerprint GUI Widget or needs a long time (up to 20 seconds) to show it</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 6.2 Fingerprint-gui Error “Could not open fingerprint device”</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 6.3 Login on a secure tty hangs with “OK” Message</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 6.4 You have a fingerprint device from UPEK/SGS Thomson and get some “ABSOpen() failed...” error message in /var/log/auth.log</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 6.5 Password can not be saved to removable
media</P>
 <P STYLE="margin-bottom: 0cm"> 7 Known Limitations</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 7.1 Applications that don't use PAM for prompting a password</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 7.2 Missing XAUTHORITY environment variable</P>
 <P STYLE="margin-left: 0.5cm; margin-bottom: 0cm"> 7.3 Other Linux distributions</P>
 <P STYLE="margin-left: 1cm; margin-bottom: 0cm">Debian 4.0</P>
 <P STYLE="margin-left: 1cm; margin-bottom: 0cm">SuSE 11.1 (gnome edition)</P>
 <P STYLE="margin-left: 1cm; margin-bottom: 0cm">Slackware</P>
</DIV>
<P CLASS="western" ALIGN=CENTER><BR><BR>
</P>
<P CLASS="western"><BR><BR>
</P>
<P CLASS="western" STYLE="page-break-before: always">This HowTo describes the installation and setup of the “Fingerprint GUI” project. It was tested on <I><U>Ubuntu 8.04, 8.10, 9.04, 9.10 and 10.04 Desktop</U></I>, <I><U>Lubuntu 10.04</U></I> and <I><U>Fedora 10 and 12</U></I> (32bit versions) and <I><U>Ubuntu 8.10, 9.04 and 10.04 Desktop</U></I> (64bit version), each freshly installed with default settings. It is applicable for GDM/Gnome desktop systems only and <B>can </B><U><B>not</B></U><B> be used as a HowTo for KDE systems</B>. It should show the principles of installing and configuring the system and provide enough information for deployment on other Linux distributions. In the chapter <B>"Other Linux distributions"</B>, my experiences with these distributions are described. I didn't have the time to solve all those problems. That should be the responsibility of the distributors or of experienced users.
Please contact me if you have the system installed properly on such a distribution or if you experience a bug.</P>
<OL>
 <LI><H1 CLASS="western">Installing Executables and Libraries</H1>
</OL>
<P CLASS="western">After downloading the “fingerprint-gui-x.y-<arch>.tar.gz” package please unpack it into some directory (<FONT FACE="Courier 10 Pitch"><FONT SIZE=2>tar -xzf fingerprint-gui-x.y-<arch>.tar.gz</FONT></FONT>). Then change to this directory and become “root”. The command for installation is “<FONT FACE="Courier 10 Pitch"><FONT SIZE=2>./install.sh [--uninstall]</FONT></FONT>”. If you have a device from UPEK Inc. or SGS Thomson you will need the proprietary driver library “libbsapi.so” from UPEK Inc. In this case you will be prompted for installing this library. If you choose “Yes” the “libbsapi.so” file (for your architecture) will be copied to “/usr/lib/” and “ldconfig” will then be called. If you have a device from other vendors you will not be prompted for installing “libbsapi.so”. Please have a look at the libfprint homepage (<A CLASS="western" HREF="http://reactivated.net/fprint/wiki/Main_Page">http://reactivated.net/fprint/wiki/Main_Page</A>) for a list of supported devices.
</P>
<OL>
 <OL>
 <LI><H2 CLASS="western">Installing required Libraries</H2>
 </OL>
</OL>
<P CLASS="western">When executing “./install.sh” as root it will probably print a list of missing libraries. Use your package manager to install the required packages and their dependencies. Below is a list of packages to install:</P>
<P CLASS="western"><U>Ubuntu 10.04 Desktop:</U></P>
<UL>
 <LI><P CLASS="western">libfakekey0
 </P>
 <LI><P CLASS="western">libfprint0 (<U><B>IMPORTANT</B></U>: Since version 0.14 fingerprint-gui requires libfprint0 version 0.1.0~pre2-1 that is <U>not</U> part of the Ubuntu repository yet.
 Please install this version from
 <A CLASS="western" HREF="https://launchpad.net/~fingerprint/+archive/fprint">https://launchpad.net/~fingerprint/+archive/fprint</A>.)</P>
 <LI><P CLASS="western">libqca2</P>
 <LI><P CLASS="western">libqca2-plugin-ossl</P>
 <LI><P CLASS="western">libqt4-xml</P>
</UL>
<P CLASS="western"><U>Fedora 12:</U></P>
<UL>
 <LI><P CLASS="western">libfakekey-0.1.3
 </P>
 <LI><P CLASS="western">libfprint-0.1.0-14.pre2</P>
 <LI><P CLASS="western">qt-x11-1:4.6.2-16</P>
 <LI><P CLASS="western">qca2-2.0.2-2
 </P>
</UL>
<UL>
 <LI><P CLASS="western">qca-ossl-2.0.0-0.8.beta3</P>
</UL>
<OL>
 <OL START=2>
 <LI><H2 CLASS="western">Installing executables</H2>
 </OL>
</OL>
<P CLASS="western">If all required libraries are installed the “./install.sh” script will copy the executables and some other files to the following locations:</P>
<UL>
 <LI><P CLASS="western">“fingerprint-gui” and “fingerprint-identifier” to /usr/local/bin/,</P>
 <LI><P CLASS="western">“fingerprint-suid”, “fingerprint-helper” and “fingerprint-plugin” to /usr/local/lib/fingerprint-gui/,</P>
 <LI><P CLASS="western">A “Fingerprint GUI” entry in the “System Settings” menu,</P>
 <LI><P CLASS="western">The plugin “pam_fingerprint-gui.so” to /lib/security/ (/lib64/security/ in Fedora 64bit),</P>
 <LI><P CLASS="western">In case of a detected device from UPEK Inc. or SGS Thomson and your choice of “Yes” at the appropriate prompt: the library “libbsapi.so” to “/usr/lib”, a configuration file “upek.cfg” to “/etc”, a udev rules file “91-fingerprint-gui-upek.rules” to “/etc/udev/rules.d”, and it will create a directory “/var/upek_data”.</P>
</UL>
<OL>
 <OL START=3>
 <LI><H2 CLASS="western">Creating a “plugdev” group</H2>
 </OL>
</OL>
<P CLASS="western">During installation <SPAN STYLE="background: transparent">the</SPAN> “./install.sh” script will check your “/etc/group” file for the existence of a group named “plugdev”.
If it doesn't exist you'll get a warning. In this case please create this group and make all desktop users members of it, or make sure all users have r/w access to the fingerprint scanner device by a proper setup of your “udev” configuration.</P>
<OL>
 <OL START=4>
 <LI><H2 CLASS="western">Uninstalling other Fingerprint Solutions</H2>
 </OL>
</OL>
<P CLASS="western">Because fingerprint-gui can conflict with other fingerprint PAM modules these must be uninstalled. Please make sure there is no “libpam-fprint”, “libpam-fprintd” or “libpam-thinkfinger” installed.</P>
<P CLASS="western"><U><B>IMPORTANT:</B></U> On Fedora 12 you need to <U>uninstall</U> “gdm-plugin-fingerprint” and disable the fingerprint authentication in “system | administration | authentication”.</P>
<OL>
 <OL START=5>
 <LI><H2 CLASS="western">Special preparations for Lubuntu</H2>
 </OL>
</OL>
<P CLASS="western">The default display manager (lxdm) of Lubuntu doesn't work with fingerprint login. Please install “gdm” and make it the default display manager. If you want to use the default screensaver (xscreensaver) of Lubuntu please change the settings in the file “/etc/pam.d/xscreensaver” instead of “/etc/pam.d/gnome-screensaver” below. The setup for an embedded keyboard command is <U>not</U> required in this case.</P>
<OL START=2>
 <LI><H1 CLASS="western" STYLE="page-break-after: avoid"><FONT FACE="Arial, sans-serif">Acquiring Fingerprints</FONT></H1>
</OL>
<P CLASS="western">Now you should be able to call “fingerprint-gui” from the command line or use the “Fingerprint GUI” entry in the “System Settings” menu. Acquiring fingerprints should be self-explanatory in the “fingerprint-gui” program. Your fingerprints are stored in a “/var/lib/fingerprint-gui/<your_username>/” directory, to which only you have access.
If you give the “--debug” argument to “fingerprint-gui” a lot of debug output is written to syslog (or /var/log/auth.log).</P>
<P CLASS="western">After some users have registered their fingerprints you can test the fingerprint identification by calling “fingerprint-identifier” <U>as root</U> (execute “sudo fingerprint-identifier --debug”). This application can identify your users and print their login names to stdout.</P>
<OL START=3>
 <LI><H1 CLASS="western" STYLE="page-break-after: avoid">Setting up Fingerprint Authentication</H1>
</OL>
<P CLASS="western">You need root permissions to make changes to your PAM configuration. First of all make a copy of your “/etc/pam.d/common-auth” file and name it “/etc/pam.d/common-auth.fingerprint”. Edit this file as follows:</P>
<UL>
 <LI><P CLASS="western">insert a line <FONT FACE="Courier New, monospace"><FONT SIZE=2><SPAN STYLE="text-decoration: none">“auth sufficient pam_fingerprint-gui.so --debug”</SPAN></FONT></FONT>
 <B>as the first </B><B>line</B>;</P>
 <LI><P CLASS="western">find the line containing “pam_unix.so” and add the argument “try_first_pass” to the call of “pam_unix.so”;</P>
</UL>
<P CLASS="western">The distributions differ slightly with regard to the filenames and their contents:</P>
<P CLASS="western"><U>Ubuntu 10.04 Desktop:</U></P>
<P CLASS="western">“/etc/pam.d/common-auth.fingerprint” is a copy of “/etc/pam.d/common-auth”. The changed lines in question read:</P>
<P CLASS="western" STYLE="text-decoration: none">“<FONT FACE="Courier New, monospace"><FONT SIZE=2>auth sufficient pam_fingerprint-gui.so --debug”</FONT></FONT></P>
<P CLASS="western" STYLE="text-decoration: none">“<FONT FACE="Courier New, monospace"><FONT SIZE=2>auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure”</FONT></FONT></P>
<P CLASS="western"><U>Fedora 12:</U></P>
<P CLASS="western">“/etc/pam.d/common-auth.fingerprint” is a copy of “/etc/pam.d/system-auth-ac”.
The changed lines in question read:</P>
<P CLASS="western" STYLE="text-decoration: none">“<FONT FACE="Courier New, monospace"><FONT SIZE=2>auth sufficient pam_fingerprint-gui.so --debug”</FONT></FONT></P>
<P CLASS="western" STYLE="text-decoration: none">“<FONT FACE="Courier New, monospace"><FONT SIZE=2>auth sufficient pam_unix.so nullok try_first_pass”</FONT></FONT></P>
<P CLASS="western">Once you have finished setting up your “common-auth.fingerprint” file you can set up the services for fingerprint authentication. It is assumed you have at least one fingerprint registered for your user account and one for root. Also make sure a password is set for root (sudo passwd root).</P>
<P CLASS="western">The following settings will change the existing reference to “common-auth” (“system-auth” in Fedora) to the new “common-auth.fingerprint” for the PAM services.</P>
<P CLASS="western"><U><B>IMPORTANT NOTE:</B></U><SPAN STYLE="text-decoration: none"><SPAN STYLE="font-weight: normal">
The following settings can lock access to your system completely if
</SPAN></SPAN><SPAN STYLE="text-decoration: none"><SPAN STYLE="font-weight: normal">something goes wrong. So please open a secure tty (ctrl-alt-F2) and log in as root there.
This way you're able to undo the changes made in “/etc/pam.d/”.</SPAN></SPAN></P>
<OL>
 <OL>
 <LI><H2 CLASS="western">Configuring “su”</H2>
 </OL>
</OL>
<P CLASS="western">Edit the file “/etc/pam.d/su” and change the line “@include common-auth” to “@include common-auth.fingerprint” (on Ubuntu) or “auth include system-auth” to “auth include common-auth.fingerprint” (on Fedora).</P>
<OL>
 <OL>
 <P CLASS="western"><U>Ubuntu:</U></P>
 </OL>
</OL>
<P CLASS="western" STYLE="margin-left: 1.25cm; margin-bottom: 0cm">...</P>
<P CLASS="western" STYLE="margin-left: 1.25cm; margin-bottom: 0cm">#@include common-auth
</P>
<P CLASS="western" STYLE="margin-left: 1.25cm; margin-bottom: 0cm">@include common-auth.fingerprint
</P>
<P CLASS="western" STYLE="margin-left: 1.25cm; margin-bottom: 0cm">@include common-account
</P>
<P CLASS="western" STYLE="margin-left: 1.25cm; margin-bottom: 0cm">@include common-session
</P>
<OL>
 <OL>
 <P CLASS="western" STYLE="margin-bottom: 0cm"></P>
 </OL>
</OL>
<P CLASS="western" STYLE="margin-left: 1.25cm"><U>Fedora:</U></P>
<P CLASS="western" STYLE="margin-left: 1.25cm; margin-bottom: 0cm">...</P>
<P CLASS="western" STYLE="margin-left: 1.25cm; margin-bottom: 0cm">#auth required pam_wheel.so use_uid
</P>
<P CLASS="western" STYLE="margin-left: 1.25cm; margin-bottom: 0cm">auth include common-auth.fingerprint
</P>
<P CLASS="western" STYLE="margin-left: 1.25cm; margin-bottom: 0cm">#auth include system-auth
</P>
<P CLASS="western" STYLE="margin-left: 1.25cm; margin-bottom: 0cm">account sufficient pam_succeed_if.so uid = 0 use_uid quiet</P>
<P CLASS="western" STYLE="margin-left: 1.25cm; margin-bottom: 0cm">...
</P>
<P CLASS="western" STYLE="margin-left: 1.25cm; margin-bottom: 0cm"><BR>
</P>
<P CLASS="western">Then open a terminal window and call “su”.
A password prompt should appear in the terminal <U><B>and</B></U><SPAN STYLE="text-decoration: none"><SPAN STYLE="font-weight: normal">
the system should open a GUI widget requesting a finger swipe with the message “Authenticating </SPAN></SPAN><SPAN STYLE="text-decoration: none"><SPAN STYLE="font-weight: normal">root” in its status bar. If you can become root by swiping the finger registered for root it works. You </SPAN></SPAN><SPAN STYLE="text-decoration: none"><SPAN STYLE="font-weight: normal">should also be able to become root by ignoring this GUI widget and typing root's password at the prompt.</SPAN></SPAN></P>
<OL>
 <OL START=2>
 <LI><H2 CLASS="western">Configuring “login”</H2>
 </OL>
</OL>
<P CLASS="western"><U><B>IMPORTANT:</B></U> On Fedora 12 SELinux denies access to the user's fingerprint data in “/var/lib/fingerprint-gui/...” during login. Currently I'm not able to set up a SELinux policy for fingerprint-gui. If you can be of assistance with this please contact me. If not, set your SELinux mode to “permissive” at least while testing login.</P>
<P CLASS="western">Edit the file “/etc/pam.d/login” and change the line “@include common-auth” to “@include common-auth.fingerprint” (on Ubuntu) or “auth include system-auth” to “auth include common-auth.fingerprint” (on Fedora). Then change to a secure tty (e.g. ctrl-alt-F3), type the username and press enter. The password prompt should appear along with a message “Type your password or swipe your finger”. You should be able to log in with a finger swipe as well as by typing the password.</P>
<OL>
 <OL START=3>
 <LI><H2 CLASS="western">Configuring “sudo”</H2>
 </OL>
</OL>
<P CLASS="western">Edit the file “/etc/pam.d/sudo” and change the line “@include common-auth” to “@include common-auth.fingerprint” (on Ubuntu) or “auth include system-auth” to “auth include common-auth.fingerprint” (on Fedora). Make sure your login name is in the sudoers file.
Then open a terminal window and call “sudo gnome-terminal”. After swiping your finger the gnome-terminal should open with root permissions.</P>
<OL>
 <OL START=4>
 <LI><H2 CLASS="western">Configuring “gdm”</H2>
 </OL>
</OL>
<P CLASS="western">In order to be able to log in to a desktop session you need to configure your gdm (probably with gdmsetup). Disable “autologin”, “timed login” and “userlist”. Use the following command (this is one line!) to disable the userlist:</P>
<P CLASS="western"><FONT FACE="Courier 10 Pitch"><FONT SIZE=2>sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults --type bool --set /apps/gdm/simple-greeter/disable_user_list true</FONT></FONT></P>
<P CLASS="western">Then double check you have a root session open on a secure tty (for undoing the changes if something goes wrong).
</P>
<P CLASS="western"><U>On Ubuntu</U> edit the file “/etc/pam.d/gdm” and change the line “@include common-auth” to “@include common-auth.fingerprint”.</P>
<P CLASS="western"><U>On Kubuntu</U> edit the file “/etc/pam.d/kdm” and change the line “@include common-auth” to “@include common-auth.fingerprint” and move this line to the beginning of the file. Then start “System settings | Advanced” and open the “Convenience” tab. Disable “Enable Auto-login” and “Focus password” and set “Previous” as the default user for login. You can then log in with your fingerprint after pressing <enter> in the kdm greeter.</P>
<P CLASS="western"><U>On Fedora</U> edit the file “/etc/pam.d/gdm-password” and change the line “auth substack system-auth” to “auth substack common-auth.fingerprint”.
</P>
<P CLASS="western">If there is a line reading “auth requisite pam_nologin.so” <B>comment this line out or remove it</B>. Now log out from your gnome session. The gdm greeter should show a login prompt <B>and</B> the GUI widget requesting a finger swipe below.
You should be able to log in with a fingerprint as well as with name/password.</P>
<OL>
 <OL START=5>
 <LI><H2 CLASS="western">Configuring “gnome-screensaver”</H2>
 </OL>
</OL>
<P CLASS="western">Gnome-screensaver needs a plugin to display the fingerprint GUI widget to the user while unlocking. To start this plugin with the gnome-screensaver-dialog open the gconf-editor, find the “apps | gnome-screensaver” entry and <B>enable</B> the “embedded_keyboard_enabled” item. Then enter the string “/usr/local/lib/fingerprint-gui/fingerprint-plugin -d” as the “/apps/gnome-screensaver/embedded_keyboard_command” and close gconf-editor. <B>This step needs to be taken by every user who wants to unlock his/her gnome-screensaver by fingerprint on that machine!</B></P>
<P CLASS="western">Then edit the file “/etc/pam.d/gnome-screensaver” and change the line “@include common-auth” to “@include common-auth.fingerprint” (on Ubuntu) or “auth include system-auth” to “auth include common-auth.fingerprint” (on Fedora). Double check you have a root session open on a secure tty (for undoing the changes if something goes wrong) before testing.
You can now lock your screen and should be able to unlock it with a finger swipe or with your password.</P>
<P CLASS="western">For setting up the screensaver in Lubuntu please refer to “Special preparations for Lubuntu” above.</P>
<OL START=4>
 <LI><H1 CLASS="western" STYLE="page-break-after: avoid">Exporting Fingerprint Data and Testing PAM Settings</H1>
</OL>
<P CLASS="western">With “fingerprint-gui” (“Settings” Tab) users can export their fingerprint data (bir files) and test whether the PAM settings of the current machine are set up properly for fingerprint authentication.</P>
<P CLASS="western">With the “Export now” button all data stored for this user (in /var/lib/fingerprint-gui/<username>/) are exported to a file “Fingerprints.tar.gz” in the user's home directory.</P>
<P CLASS="western">To test for proper PAM settings the “Test” button can be used. First choose the PAM service to be tested, then click the “Test” button. In case of proper settings the fingerprint-helper widget will appear and after a finger swipe the message “Authentication successful” will appear in the text field below. If nothing happens the PAM settings might be invalid. You can press <enter> to abort the test in this case.</P>
<OL START=5>
 <LI><H1 CLASS="western">Password Store</H1>
</OL>
<P CLASS="western">There are applications that need a password for encrypting or decrypting something on your system. Probably gnome-keyring is the most widespread of such applications. Also an <B>encrypted home directory</B> needs a password to decrypt when a user logs in. These applications sometimes get their key for decrypting (e.g. for the password safe) by querying the PAM session environment for the password given by the user at login. But when the user was logged in with a fingerprint there is no password stored in the PAM session environment. So the application will prompt the user for a password when needed (e.g.
if a wireless WPA connection has to be established by the Gnome Network Manager or if you want to access your email account with Evolution) even if the user was logged in already.</P>
<P CLASS="western" STYLE="margin-top: 0.42cm"><SPAN STYLE="text-decoration: none"><B>Since version 0.11 of Fingerprint GUI there is a solution:</B></SPAN> You can use some removable media (USB stick) to save your (encrypted) password there. If the media is connected to your machine while you log in with your fingerprint the “pam_fingerprint-gui.so” module can decrypt the password and send it to the PAM session environment.
</P>
<P CLASS="western" STYLE="margin-top: 0.42cm"><B>PLEASE READ CAREFULLY NOW AND USE THIS FEATURE ONLY IF YOU UNDERSTAND HOW IT WORKS!</B></P>
<P CLASS="western" STYLE="margin-top: 0.42cm">If you use the “Password” tab of “fingerprint-gui” you can choose a directory on some removable media, then type your login password twice and click the “Save” button. The removable media must be mounted and you must have write permission there. This is where “fingerprint-gui” creates a subdirectory “.fingerprints” and writes a file “<<A CLASS="western" HREF="mailto:username@machinename.xml">username>@<machinename>.xml</A>” containing the encrypted password.
The key for decrypting this password, the path for the “<<A CLASS="western" HREF="mailto:username@machinename.xml">username>@<machinename>.xml</A>” file and the UUID of the removable media are saved in a file “/var/lib/fingerprint-gui/<username>/config.xml” (probably on your local HDD).</P>
<P CLASS="western" STYLE="margin-top: 0.42cm">When you log in using your fingerprint the “pam_fingerprint-gui.so” module reads the “/var/lib/fingerprint-gui/<username>/config.xml” file, finds the “<<A CLASS="western" HREF="mailto:username@machinename.xml">username>@<machinename>.xml</A>” file on the removable media (if it is connected and has the given UUID), mounts it, decrypts the password and saves it to the PAM session environment where gnome-keyring or other permitted applications can read it. This avoids your system asking for the password again.
</P>
<P CLASS="western" STYLE="margin-top: 0.42cm">In case of a fingerprint login to a session with an encrypted user home, a message “!!!ERROR: FOUND ENCRYPTED HOMEDIR BUT NO PASSWORD!!!” will appear in the gdm greeter and the login by fingerprint will fail when the external media keeping the encrypted password could not be found.</P>
<P CLASS="western" STYLE="margin-top: 0.42cm"><B>PLEASE NOTE THE FOLLOWING RESTRICTIONS:</B></P>
<UL>
 <LI><P CLASS="western" STYLE="margin-top: 0.42cm">Do <U>not</U> use this feature if someone other than you has root permissions on this machine. This is because root can connect to the machine via telnet, ssh or something like this, mount the external media, find the “<<A CLASS="western" HREF="mailto:username@machinename.xml">username>@<machinename>.xml</A>” file, read the “/var/lib/fingerprint-gui/<username>/config.xml” file and decrypt your password.</P>
 <LI><P CLASS="western" STYLE="margin-top: 0.42cm">Do <U>not</U> connect the removable media if it isn't needed. The “pam_fingerprint-gui.so” module only needs it while login is in progress.
It mounts the partition with the given UUID containing the “<<A CLASS="western" HREF="mailto:username@machinename.xml">username>@<machinename>.xml</A>” file and unmounts it immediately after it has read the file.</P>
 <LI><P CLASS="western" STYLE="margin-top: 0.42cm"><U>Never</U> leave the removable media and the computer at the same location unattended. Someone could copy both files and decrypt your password later.</P>
 <LI><P CLASS="western" STYLE="margin-top: 0.42cm">You don't need to type your password any more so you can use a very long and strong password now. But do <U>not</U> forget your password! You would not be able to unlock your login-keyring any more if your removable media gets lost or corrupted.</P>
 <LI><P CLASS="western" STYLE="margin-top: 0.42cm">If you change your login password on this machine you need to use “fingerprint-gui” again and save the new password to the removable media.</P>
</UL>
<P CLASS="western" STYLE="margin-top: 0.42cm"><U>This is how I use this feature for myself:</U></P>
<P CLASS="western" STYLE="margin-top: 0.42cm">My USB stick has 3 partitions: One “vfat” (/dev/sdb1) to keep files to be transferred to other machines, one “luks_crypto” (/dev/sdb2) partition to keep my secret data and a very small (3MB) “ext2” (/dev/sdb3) partition to hold the “<<A CLASS="western" HREF="mailto:username@machinename.xml">username>@<machinename>.xml</A>” file. Corresponding entries in /etc/fstab ensure that the partitions sdb2 and sdb3 are not automatically mounted. Needless to say, I'm the only person who has root access to my notebook.</P>
<P CLASS="western" STYLE="margin-top: 0.42cm">While booting my notebook I connect the USB stick until I'm logged in with my fingerprint, then remove the stick immediately and reconnect it only (and only as long as needed!) if I want to copy something from or to it.
Because I don't need to invoke my password any more I use a very strong and cryptic login password.</P>
<OL START=6>
 <LI><H1 CLASS="western">Troubleshooting</H1>
 <OL>
 <LI><H2 CLASS="western"><FONT FACE="Arial, sans-serif">Gdm Greeter doesn't show the Fingerprint GUI Widget or needs a long time (up to 20 seconds) to show it</FONT></H2>
 </OL>
</OL>
<P CLASS="western" STYLE="margin-top: 0.42cm">This behavior was seen on Fedora 12 with SELinux set to “enforcing”. Please set the system default of SELinux to “permissive” (or help me set up SELinux rules that can be installed with Fingerprint GUI).</P>
<OL>
 <OL START=2>
 <LI><H2 CLASS="western"><FONT FACE="Arial, sans-serif">Fingerprint-gui Error “Could not open fingerprint device”</FONT></H2>
 </OL>
</OL>
<P CLASS="western">On some systems the file “/etc/udev/rules.d/40-libfprint0.rules” (or something like this in “/lib/udev/rules.d”) installed by the “libfprint” package doesn't work properly. It should help to rename this file so it is invoked at a later time. In all known cases renaming it to “91-libfprint0.rules” solved the problem. <B>You should also make sure your fingerprint scanner hardware has an entry in this file</B>.</P>
<OL>
 <OL START=3>
 <LI><H2 CLASS="western"><A NAME="DDE_LINK"></A><FONT FACE="Arial, sans-serif">Login
 </FONT>on a secure tty hangs with “OK” Message</H2>
 </OL>
</OL>
<P CLASS="western">If you try to log in on a secure tty the prompt “Swipe your finger or type your password” appears. If you swipe the finger the message “OK” appears and then nothing happens. In this case the “uinput” device doesn't work. Make sure the “uinput” module is loaded (“lsmod | grep uinput”), the device exists in “/dev/input/uinput”, “/dev/misc/uinput” or “/dev/uinput” and you have write permission to it.
On Ubuntu add a line “uinput” to the file “/etc/modules” and restart.</P>
<OL>
 <OL START=4>
 <LI><H2 CLASS="western">You have a fingerprint device from UPEK/SGS Thomson and get some <FONT FACE="Courier New, monospace"><FONT SIZE=2>“ABSOpen() failed...”</FONT></FONT> error message in /var/log/auth.log</H2>
 </OL>
</OL>
<P CLASS="western">This is probably a problem with the proprietary UPEK driver (libbsapi.so). Maybe your device needs the "NVM emulation". Please have a look into this document:
<BR><A CLASS="western" HREF="http://www.n-view.net/Appliance//fingerprint/BSAPIUsageonLinux.pdf">http://www.n-view.net/Appliance//fingerprint/BSAPIUsageonLinux.pdf</A>
<BR>and try to set up the emulation for your device.
</P>
<OL>
 <OL START=5>
 <LI><H2 CLASS="western"><A NAME="DDE_LINK2"></A><FONT FACE="Arial, sans-serif">P</FONT><FONT FACE="Arial, sans-serif">assword can not be saved to removable media</FONT></H2>
 </OL>
</OL>
<P CLASS="western">If you find an entry reading:</P>
<P CLASS="western" STYLE="margin-top: 0.42cm"><FONT FACE="Courier New, monospace"><FONT SIZE=2>"AES128-CBC not supported! Provider (libqca-ossl.so) not installed?"</FONT></FONT></P>
<P CLASS="western">in the log files, the plugin library for encryption is missing. Install the “libqca2-plugin-ossl” package (Ubuntu) or a similar encryption plugin.</P>
<P CLASS="western">In other cases make sure the media is removable, contains a valid partition and is mounted with read/write permission.</P>
<OL START=7>
 <LI><H1 CLASS="western">Known Limitations</H1>
 <OL>
 <LI><H2 CLASS="western">Applications that don't use PAM for prompting a password</H2>
 </OL>
</OL>
<P CLASS="western">The normal way to use PAM for authentication is to let the PAM system prompt the user for a username and/or a password. PAM then uses a callback function of the calling application for prompting something in its own style.
If called back by PAM the >application can decide how it wants to prompt for name or password; >if not called back, PAM has performed the authentication in another >way (fingerprint, smart card, iris scanner or whatever). Perhaps because they >didn't understand that, or for some other reason not to use that >mechanism, the developers of some applications decided to prompt for >password or username <U>before</U> calling PAM. In this case the >“pam_fingerprint-gui.so” plugin is called at a time when the >password is already known to the PAM stack and therefore exits >immediately. Fingerprint authentication is not possible then.</P> ><OL> > <OL START=2> > <LI><H2 CLASS="western">Missing XAUTHORITY environment variable</H2> > </OL> ></OL> ><P CLASS="western">When calling PAM some applications don't have an >XAUTHORITY variable in their environment. “pam_fingerprint-gui.so” >tries hard to find the “MIT Magic Cookie” to be used to connect >to the current display but in some cases it fails. I guess this is >the reason several KDE applications are not able to show the >fingerprint widget. Maybe I'll find some better solution in a later >version.</P> ><OL> > <OL START=3> > <LI><H2 CLASS="western" STYLE="page-break-after: avoid">Other <FONT FACE="Arial, sans-serif">Linux</FONT> > distributions</H2> > </OL> ></OL> ><H3 CLASS="western">Debian 4.0</H3> ><P CLASS="western">I didn't find any way to install libfprint. There >is neither a package available nor do the sources compile without >errors. Didn't want to waste more time with it.</P> ><H3 CLASS="western">SuSE 11.1 (gnome edition)</H3> ><P CLASS="western">The gdm used in SuSE behaves totally strangely. It >doesn't allow the fingerprint widget to be shown. Maybe it's only some >setting to be changed or the original source installation of gdm to >be used. I neither found any useful documentation about it nor had the >time to try a freshly compiled gdm from sources. 
I gave up!</P> ><H3 CLASS="western">Slackware</H3> ><P CLASS="western">Slackware might need someone who has enough spare >time to make it “PAM aware”. Not me!</P> ><P CLASS="western"><BR><BR> ></P> ><P CLASS="western"><B>So if you are interested in getting Fingerprint >GUI to work on some other distributions, first read the “Hacking” >document of this project for hints about how it works. If you need >further information about it, contact me. If you manage to get it up >and running, write a HowTo and let me know.</B></P> ><P CLASS="western"><BR><BR> ></P> ><P CLASS="western" STYLE="border-top: none; border-bottom: 1.00pt solid #000000; border-left: none; border-right: none; padding-top: 0cm; padding-bottom: 0.07cm; padding-left: 0cm; padding-right: 0cm"> ><B>Ubuntu and Fedora users should have no serious problems; so have >fun with it!</B></P> ><P CLASS="western"><BR><BR> ></P> ></BODY> ></HTML>
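The uinput checks from the troubleshooting item "Login on a secure tty hangs with “OK” Message", as an added shell example that is not part of the Fingerprint GUI documentation. It reports the first prerequisite that fails and also flags a world-writable node; `MODULES_FILE` and `DEV_ROOT` are hypothetical override variables introduced here.

```shell
#!/bin/sh
# Added example (not from the Fingerprint GUI docs). MODULES_FILE and DEV_ROOT
# are hypothetical overrides for testing; the defaults inspect the live system.
MODULES_FILE="${MODULES_FILE:-/proc/modules}"
DEV_ROOT="${DEV_ROOT:-}"

# Succeeds if uinput is listed as a loaded module (what `lsmod | grep uinput` shows).
uinput_module_loaded() {
    grep -q '^uinput ' "$MODULES_FILE" 2>/dev/null
}

# Prints the first device node that exists among the three locations in the text.
find_uinput_node() {
    for p in /dev/input/uinput /dev/misc/uinput /dev/uinput; do
        if [ -e "$DEV_ROOT$p" ]; then
            printf '%s\n' "$DEV_ROOT$p"
            return 0
        fi
    done
    return 1
}

# Prints one status word; a non-zero exit status means there is something to fix.
uinput_status() {
    if ! node=$(find_uinput_node); then
        # No node: tell "module missing" apart from "loaded, but no node created".
        if uinput_module_loaded; then echo "no-device-node"; else echo "module-not-loaded"; fi
        return 1
    fi
    # A node with no lsmod entry is normal when uinput is built into the kernel.
    if [ ! -w "$node" ]; then
        echo "not-writable:$node"
        return 1
    fi
    # Write access for "other" lets any local process inject input events, so a
    # chmod 666 quick fix is reported instead of accepted.
    case $(ls -ld "$node") in
        ????????w*) echo "world-writable:$node"; return 1 ;;
    esac
    echo "ok:$node"
}

uinput_status || true
```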
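For the troubleshooting item "Could not open fingerprint device", an added shell example (not project code) that lists each libfprint rules file with its ordering prefix and whether it has an entry for a given USB ID. The ID `1234:abcd`, the rule lines in `demo` and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Fingerprint GUI docs). The USB IDs and the rule
# lines in demo() are constructed; read your scanner's real ID from `lsusb`.

# Succeeds if a non-comment line of rules file $1 matches USB ID $2 (vendor:product).
# Matches any key ending in {idVendor}/{idProduct}, whatever its prefix.
rules_has_device() {
    vid=$(printf '%s' "${2%%:*}" | tr 'A-F' 'a-f')   # sysfs reports lowercase hex
    pid=$(printf '%s' "${2##*:}" | tr 'A-F' 'a-f')
    grep -v '^[[:space:]]*#' "$1" |
        grep "{idVendor}==\"$vid\"" |
        grep -q "{idProduct}==\"$pid\""
}

# Prints the numeric prefix that orders the file among the other rules files.
rules_priority() {
    base=${1##*/}
    num=${base%%-*}
    case $num in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$num"
}

# For every libfprint rules file under root $1 (empty = live system), prints
# "<path> prio=<n> entry=<yes|no>" for USB ID $2.
report_libfprint_rules() {
    for dir in /etc/udev/rules.d /lib/udev/rules.d; do
        for f in "$1$dir"/*libfprint*.rules; do
            [ -e "$f" ] || continue
            rel=${f#"$1"}
            prio=$(rules_priority "$f") || prio=none
            if rules_has_device "$f" "$2"; then entry=yes; else entry=no; fi
            printf '%s prio=%s entry=%s\n' "$rel" "$prio" "$entry"
        done
    done
    return 0
}

# Demo on a throwaway tree holding one constructed rules file.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/udev/rules.d"
    cat > "$root/etc/udev/rules.d/40-libfprint0.rules" <<'EOF'
# ATTRS{idVendor}=="dead", ATTRS{idProduct}=="beef", MODE="0664"
ATTRS{idVendor}=="1234", ATTRS{idProduct}=="abcd", MODE="0664", GROUP="plugdev"
EOF
    report_libfprint_rules "$root" 1234:ABCD
    report_libfprint_rules "$root" dead:beef
    rm -rf "$root"
}
demo
```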