Attachment 251259 Details for Bug 341105 – files/...

files/...

Install-step-by-step.html (text/plain), 34.57 KB, created by Jan Buecken on 2010-10-19 14:17:51 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jan Buecken

Created: 2010-10-19 14:17:51 UTC

Size: 34.57 KB

patch

obsolete

><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
><HTML>
><HEAD>
>	<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
>	<TITLE></TITLE>
>	<META NAME="GENERATOR" CONTENT="OpenOffice.org 3.2 (Unix)">
>	<META NAME="AUTHOR" CONTENT="Wolfgang Ullrich">
>	<META NAME="CREATED" CONTENT="20081021;15191700">
>	<META NAME="CHANGEDBY" CONTENT="Wolfgang Ullrich">
>	<META NAME="CHANGED" CONTENT="20100819;20523800">
>	<META NAME="Info 1" CONTENT="">
>	<META NAME="Info 2" CONTENT="">
>	<META NAME="Info 3" CONTENT="">
>	<META NAME="Info 4" CONTENT="">
>	<STYLE TYPE="text/css">
>	
>	</STYLE>
></HEAD>
><BODY LANG="en-US" DIR="LTR">
>Installing
>Step by Step
>(Version 0.15)
><DIV ID="Inhaltsverzeichnis1" DIR="LTR">
>	<DIV ID="Inhaltsverzeichnis1_Head" DIR="LTR">
>		Contents
>	</DIV>
>	 1 Installing Executables and
>	Libraries	2
>	 1.1 Installing
>	required Libraries	2
>	 1.2 Installing
>	executables	2
>	 1.3 Creating a
>	âplugdevâ group	3
>	 1.4 Uninstalling
>	other Fingerprint Solutions	3
>	 1.5 Special
>	preparations for Lubuntu	3
>	 2 Acquiring Fingerprints	3
>	 3 Setting up Fingerprint
>	Authentication	3
>	 3.1 Configuring
>	âsuâ	4
>	 3.2 Configuring
>	âloginâ	5
>	 3.3 Configuring
>	âsudoâ	5
>	 3.4 Configuring
>	âgdmâ	5
>	 3.5 Configuring
>	âgnome-screensaverâ	6
>	 4 Exporting Fingerprint Data and
>	Testing PAM Settings	6
>	 5 Password Store	6
>	 6 Troubleshooting	8
>	 6.1 Gdm Greeter
>	doesn't show the Fingerprint GUI Widget or needs a long time (up to
>	20 seconds) to show it	8
>	 6.2
>	Fingerprint-gui Error âCould not open fingerprint deviceâ	8
>	 6.3 Login on a
>	secure tty hangs with âOKâ Message	8
>	 6.4 You have a
>	fingerprint device from UPEK/SGS Thomson and get some âABSOpen()
>	failed...â error message in /var/log/auth.log	8
>	 6.5 Password can
>	not be saved to removable media	8
>	 7 Known Limitations	9
>	 7.1 Applications
>	that don't use PAM for prompting a password	9
>	 7.2 Missing
>	XAUTHORITY environment variable	9
>	 7.3 Other Linux
>	distributions	9
>	Debian 4.0	9
>	SuSE 11.1 (gnome
>	edition)	9
>	Slackware	9
></DIV>
> 
>
> 
>
>This HowTo
>describes the installation and setup of the âFingerprint GUIâ
>project. It was tested on Ubuntu 8.04, 8.10, 9.04, 9.10 and
>10.04 Desktop, Lubuntu 10.04 and Fedora
>10 and 12 (32bit versions) and Ubuntu 8.10 9.04 and
>10.04 Desktop (64bit version) each new installed with default
>settings. It is applicable for GDM/Gnome desktop systems only and can
>not be used as a HowTo for KDE systems. It
>should show the principles of installing and configuring the system
>and provide enough information needed for deployment in other Linux
>distributions. In the chapter &quot;Other Linux distributions&quot;,
>my experiences with these distributions are described. I didn't have
>the time to solve all those problems. That should be the
>responsibility of the distributors or of experienced users. Please
>contact me if you have the system installed properly to such a
>distribution or if you experience a bug.
><OL>
>	<LI><H1 CLASS="western">Installing Executables and Libraries</H1>
></OL>
>After downloading the
>âfingerprint-gui-x.y-&lt;arch&gt;.tar.gzâ package please unpack
>it into some directory (tar
>-xzf fingerprint-gui-x.y-&lt;arch&gt;.tar.gz). Then
>change to this directory and become ârootâ. The command for
>installation is â./install.sh
>[--uninstall]â. If you have a device from UPEK Inc.
>or SGS Thomson you will need the proprietary driver library
>âlibbsapi.soâ from UPEK Inc. In this case you will be prompted
>for installing this library. If you chose âYesâ the âlibbsapi.soâ
>file (for your architecture) will be copied to â/usr/lib/â and
>âldconfigâ will be called then. If you have a device from other
>vendors you will not be prompted for installing âlibbsapi.soâ.
>Please have a look at the libfprint homepage
>(<A CLASS="western" HREF="http://reactivated.net/fprint/wiki/Main_Page">http://reactivated.net/fprint/wiki/Main_Page</A>)
>for a list of supported devices. 
>
><OL>
>	<OL>
>		<LI><H2 CLASS="western">Installing required Libraries</H2>
>	</OL>
></OL>
>When executing â./install.shâ as root it will
>probably print a list of missing libraries. Use your package manager
>to install the required packages and their dependencies. Below is a
>list of packages to install:
>Ubuntu 10.04 Desktop:
><UL>
>	<LI>libfakekey0 
>	
>	<LI>libfprint0 (IMPORTANT: Since
>	version 0.14 fingerprint-gui requires libfprint0 version
>	0.1.0~pre2-1 that is not part of the Ubuntu repository yet.
>	Please install this version from
>	<A CLASS="western" HREF="https://launchpad.net/~fingerprint/+archive/fprint">https://launchpad.net/~fingerprint/+archive/fprint</A>
>	.
>	<LI>libqca2
>	<LI>libqca2-plugin-ossl
>	<LI>libqt4-xml
></UL>
>Fedora 12:
><UL>
>	<LI>libfakekey-0.1.3 
>	
>	<LI>libfprint-0.1.0-14.pre2
>	<LI>qt-x11-1:4.6.2-16
>	<LI>qca2-2.0.2-2 
>	
></UL>
><UL>
>	<LI>qca-ossl-2.0.0-0.8.beta3
></UL>
><OL>
>	<OL START=2>
>		<LI><H2 CLASS="western">Installing executables</H2>
>	</OL>
></OL>
>If all required libraries are installed the
>â./install.shâ script will copy the executables and some other
>files to the following locations:
><UL>
>	<LI>âfingerprint-guiâ and
>	âfingerprint-identifierâ to /usr/local/bin/,
>	<LI>âfingerprint-suidâ, âfingerprint-helperâ
>	and âfingerprint-pluginâ to /usr/local/lib/fingerprint-gui/,
>	<LI>A âFingerprint GUIâ entry in the âSystem
>	Settingsâ menu,
>	<LI>The plugin âpam_fingerprint-gui.soâ to
>	/lib/security/ (/lib64/security/ in Fedora 64bit),
>	<LI>In case of a detected device from UPEK Inc.
>	or SGS Thomson your choice of âYesâ to the appropriate prompt
>	the library âlibbsapi.soâ to â/usr/libâ, a configuration
>	file âupek.cfgâ to â/etcâ, an udev-rules file
>	â91-fingerprint-gui-upek.rulesâ to â/etc/udev/rules.dâ and
>	create a directory â/var/upek_dataâ.
></UL>
><OL>
>	<OL START=3>
>		<LI><H2 CLASS="western">Creating a âplugdevâ group</H2>
>	</OL>
></OL>
>While installation the
> â./install.shâ script will check your â/etc/groupâ file for
>the existence of a group named âplugdevâ. If it doesn't exist
>you'll get a warning. In this case please create this group and make
>all desktop users being members of this group or make sure all users
>have r/w access to the fingerprint scanner device by a proper setup
>of your âudevâ configuration.
><OL>
>	<OL START=4>
>		<LI><H2 CLASS="western">Uninstalling other Fingerprint Solutions</H2>
>	</OL>
></OL>
>Because fingerprint-gui can conflict with other
>fingerprint PAM modules these must be uninstalled. Please make sure
>there is no âlibpam-fprintâ, âlibpam-fprintdâ or
>âlibpam-thinkfingerâ installed.
>IMPORTANT: On Fedora 12 you need to
>uninstall âgdm-plugin-fingerprintâ and disable the
>fingerprint authentication in âsystem | administration |
>authenticationâ.
><OL>
>	<OL START=5>
>		<LI><H2 CLASS="western">Special preparations for Lubuntu</H2>
>	</OL>
></OL>
>The default display manager (lxdm) of Lubuntu
>doesn't work with fingerprint login. Please install âgdmâ and
>make it the default display manager. If you want to use the default
>screensaver (xscreensaver) of Lubuntu please change settings of file
>â/etc/pam.d/xscreensaverâ instead of
>â/etc/pam.d/gnome-screensaverâ below. The setup for an embedded 
>keyboard command is not required in this case.
><OL START=2>
>	<LI><H1 CLASS="western" STYLE="page-break-after: avoid">Acquiring
>	Fingerprints</H1>
></OL>
>Now you should be able to call âfingerprint-guiâ
>from the command line or use the âFingerprint GUIâ entry in the
>âSystem Settingsâ menu. Acquiring fingerprints should be
>self-explanatory in the âfingerprint-guiâ program. Your
>fingerprints are stored in a
>â/var/lib/fingerprint-gui/&lt;your_username&gt;/â directory,
>where only you have access to. If you give the â--debugâ argument
>to âfingerprint-guiâ a lot of debug output is given to syslog (or
>/var/log/auth.log).
>After some users have registered their
>fingerprints you can test the fingerprint identification by calling
>âfingerprint-identifierâ as root (execute âsudo
>fingerprint.identifier âdebugâ). This application can identify
>your users and print their login names to stdout.
><OL START=3>
>	<LI><H1 CLASS="western" STYLE="page-break-after: avoid">Setting up
>	Fingerprint Authentication</H1>
></OL>
>You need root permissions to make changes to your
>PAM configuration. First of all make a copy of your
>â/etc/pam.d/common-authâ file and name it
>â/etc/pam.d/common-auth.fingerprintâ. Edit this file like
>follows:
><UL>
>	<LI>insert a line âauth
>	 sufficient pam_fingerprint-gui.so --debugâ
>	as the first line;
>	<LI>find the line containing âpam_unix.soâ
>	and add the argument âtry_first_passâ to the call of
>	âpam_unix.soâ;
></UL>
>The distributions differ slightly with regard to
>the filenames and their contents:
>Ubuntu 10.04 Desktop:
>â/etc/pam.d/common-auth.fingerprintâ is a copy
>of â/etc/pam.d/common-authâ. The changed lines in question read:
>âauth	sufficient	pam_fingerprint-gui.so	--debugâ
>âauth	[success=1
>default=ignore]	pam_unix.so	try_first_pass nullok_secureâ
>Fedora 12:
>â/etc/pam.d/common-auth.fingerprintâ is a copy
>of â/etc/pam.d/system-auth-acâ. The changed lines in question
>read:
>âauth	sufficient	pam_fingerprint-gui.so
>--debugâ
>âauth	sufficient	pam_unix.so
>nullok try_first_passâ
>If you're finished setting up your
>âcommon-auth.fingerprintâ file you can setup the services for
>fingerprint authentication now. It is assumed you have at least one
>fingerprint registered for your user account and one for root. Also
>make sure there is set a password for root (sudo passwd root).
>The following settings will change the existing
>reference to âcommon-authâ (âsystem-authâ in Fedora) to the
>new âcommon-auth.fingerprintâ for the PAM services.
>IMPORTANT NOTE:
>The following settings can lock access to your system completely if
>something
>goes wrong. So please open a secure tty (ctrl-alt-F2) and login as
>root there. This way you're able to undo the changes made in
>â/etc/pam.d/â.
><OL>
>	<OL>
>		<LI><H2 CLASS="western">Configuring âsuâ</H2>
>	</OL>
></OL>
>Edit the file â/etc/pam.d/suâ and change the
>line â@include common-authâ to â@include
>common-auth.fingerprintâ (on Ubuntu) or âauth include
>system-authâ to âauth include common-auth.fingerprintâ (on
>Fedora).
><OL>
>	<OL>
>		Ubuntu:
>	</OL>
></OL>
>...
>#@include
>common-auth 
>
>@include
>common-auth.fingerprint 
>
>@include
>common-account 
>
>@include
>common-session 
>
><OL>
>	<OL>
>		
>	</OL>
></OL>
>Fedora:
>...
>#auth
> required pam_wheel.so use_uid 
>
>auth
> include common-auth.fingerprint 
>
>#auth
> include system-auth 
>
>account
> sufficient pam_succeed_if.so uid = 0 use_uid quiet
>...
>
> 
>
>Then open a terminal window and call âsuâ. A
>password prompt should appear in the terminal and
>the system should open a GUI widget requesting a finger swipe with
>the message âAuthenticating rootâ
>in it's status bar. If you can become root by swiping the finger
>registered for root it works. You should
>also be able to become root by ignoring this GUI widget and typing
>root's password at the prompt.
><OL>
>	<OL START=2>
>		<LI><H2 CLASS="western">Configuring âloginâ</H2>
>	</OL>
></OL>
>IMPORTANT: On Fedora 12 SELinux
>denies access to the user's fingerprint data in
>â/var/lib/fingerprint-gui/...â while login. Currently I'm not
>able to setup a SELinux policy for fingerprint-gui. If you can be of
>assistance about this please contact me. If not, set your SELinux
>mode to âpermissiveâ at least while testing login.
>Edit the file â/etc/pam.d/loginâ and change
>the line â@include common-authâ to â@include
>common-auth.fingerprintâ (on Ubuntu) or âauth include
>system-authâ to âauth include common-auth.fingerprintâ (on
>Fedora). Then change to a secure tty (e.g. ctrl-alt-F3), type the
>username and press enter. The password prompt should appear along
>with a message âType your password or swipe your fingerâ. You
>should be able to login with a finger swipe and with typing the
>password as well.
><OL>
>	<OL START=3>
>		<LI><H2 CLASS="western">Configuring âsudoâ</H2>
>	</OL>
></OL>
>Edit the file â/etc/pam.d/sudoâ and change the
>line â@common-authâ to â@common-auth.fingerprintâ (on Ubuntu)
>or âauth include system-authâ to âauth include
>common-auth.fingerprintâ (on Fedora). Make sure your login name is
>in the sudoers file. Then open a terminal window and call âsudo
>gnome-terminalâ. After swiping your finger the gnome-terminal
>should open with root permissions.
><OL>
>	<OL START=4>
>		<LI><H2 CLASS="western">Configuring âgdmâ</H2>
>	</OL>
></OL>
>In order to be able to login into a desktop
>session you need to configure your gdm (probably with gdmsetup).
>Disable âautologinâ, âtimed loginâ and âuserlistâ. Use
>the command (this is one line!) to disable the userlist:
>sudo
>gconftool-2 --direct --config-source
>xml:readwrite:/etc/gconf/gconf.xml.defaults --type bool --set
>/apps/gdm/simple-greeter/disable_user_list true
>Then double check you have a root session on a
>secure tty open (for undoing the changes if something goes wrong). 
>
>On Ubuntu edit the file â/etc/pam.d/gdmâ
>and change the line â@include common-authâ to â@include
>common-auth.fingerprintâ.
>On Kubuntu edit the file â/etc/pam.d/kdmâ
>and change the line â@include common-authâ to â@include
>common-auth.fingerprintâ and move this line to the beginning of the
>file. Then start âSystem settings | Advanced&quot; and open the
>âConvenienceâ tab. Disable âEnable Auto-loginâ and âFocus
>passwordâ and set âPreviousâ as the default user for login. You
>can then login with your fingerprint after pressing &lt;enter&gt; in
>the kdm greeter.
>On Fedora edit the file
>â/etc/pam.d/gdm-passwordâ and change the line âauth substack
>system-authâ to âauth substack common-auth.fingerprintâ. 
>
>If there is a line reading âauth requisite 
>pam_nologin.soâ comment this line out or remove it. Now
>logout from your gnome session. The gdm greeter should show a login
>prompt and the GUI widget requesting a finger swipe below. You
>should be able to login with fingerprint and with name/password as
>well.
><OL>
>	<OL START=5>
>		<LI><H2 CLASS="western">Configuring âgnome-screensaverâ</H2>
>	</OL>
></OL>
>Gnome-screensaver needs a plugin to display the
>fingerprint GUI widget to the user while unlocking. To start this
>plugin with the gnome-screensaver-dialog open the gconf-editor, find
>the âapps | gnome-screensaverâ entry and enable the
>âembedded_keyboard_enabledâ item. Then invoke the string
>â/usr/local/lib/fingerprint-gui/fingerprint-plugin -dâ as the
>â/apps/gnome-screensaver/embedded_keyboard_commandâ and close
>gconf-editor. This step needs to be taken by every user who wants
>to unlock his/her gnome-screensaver by fingerprint on that machine!
>Then edit the file â/etc/pam.d/gnome-screensaverâ
>change the line â@include common-authâ to â@include
>common-auth.fingerprintâ (on Ubuntu) or âauth include
>system-authâ to âauth include common-auth.fingerprintâ (on
>Fedora). Double check you have a root session on a secure tty open
>(for undoing the changes if something goes wrong) before testing. You
>can now lock your screen and should be able to unlock it with a
>fingerswipe or with your password.
>For setting up the screensaver in Lubuntu please
>refer to âSpecial preparations for Lubuntuâ above.
><OL START=4>
>	<LI><H1 CLASS="western" STYLE="page-break-after: avoid">Exporting
>	Fingerprint Data and Testing PAM Settings</H1>
></OL>
>With âfingerprint-guiâ (âSettingsâ Tab)
>users can export their fingerprint data (bir files) and test the PAM
>settings of the current machine for proper setup for fingerprint
>authentication.
>With the âExport nowâ button all data stored
>for this user (in /var/lib/fingerprint-gui/&lt;username&gt;/) are
>exported to a file âFingerprints.tar.gzâ in the user's home
>directory.
>To test for proper PAM settings the âTestâ
>button can be used. First chose the PAM service to be tested then
>click the âTestâ button. In case of proper settings the
>fingerprint-helper widget will appear and after a finger swipe the
>message âAuthentication successfulâ will appear in the text field
>below. If nothing happens the PAM settings might be invalid. You can
>press &lt;enter&gt; to abort the test in this case.
><OL START=5>
>	<LI><H1 CLASS="western">Password Store</H1>
></OL>
>There are applications that need a password for
>encrypting or decrypting something on your system. Probably
>gnome-keyring is the most widespread of such applications. Also an
>encrypted home directory needs a password to decrypt when a
>user logs in. These applications sometimes get their key for
>decrypting (e.g. for the password safe) by querying the PAM session
>environment for the password given by the user at login. But when the
>user was logged in with a fingerprint there is no password stored in
>the PAM session environment. So the application will prompt the user
>for a password when needed (e.g. if a wireless WPA connection has to
>be established by the Gnome Network Manager or if you want to access
>your email account with Evolution) even if the user was logged in
>already.
>Since
>version 0.11 of Fingerprint GUI there is a solution: You
>can use some removable media (USB stick) to save your (encrypted)
>password there. If the media is connected to your machine while you
>login with your fingerprint the âpam_fingerprint-gui.soâ module
>can decrypt the password and send it to the PAM session environment. 
>
>PLEASE READ
>CAREFULLY NOW AND USE THIS FEATURE ONLY IF YOU UNDESTAND HOW IT
>WORKS!
>If you use the
>âPasswordâ tab of âfingerprint-guiâ you can chose a directory
>on some removable media, then type your login password twice and
>click the âSaveâ button. The removable media must be mounted and
>you must have write permission there. This is where âfingerprint-guiâ
>creates a subdirectory â.fingerprintsâ and writes a file
>â&lt;<A CLASS="western" HREF="mailto:username@machinename.xml">username&gt;@&lt;machinename&gt;.xml</A>â
>containing the encrypted password. The key for decrypting this
>password, the path for the â&lt;<A CLASS="western" HREF="mailto:username@machinename.xml">username&gt;@&lt;machinename&gt;.xml</A>â
>file and the UUID of the removable media are saved in a file
>â/var/lib/fingerprint-gui/&lt;username&gt;/config.xmlâ (probably
>on your local HDD).
>When you login using
>your fingerprint the âpam_fingerprint-gui.soâ module reads the
>â/var/lib/fingerprint-gui/&lt;username&gt;/config.xmlâ file,
>finds the â&lt;<A CLASS="western" HREF="mailto:username@machinename.xml">username&gt;@&lt;machinename&gt;.xml</A>â
>file on the removable media (if it is connected and has the given
>UUID), mounts it, decrypts the password and saves it to the PAM
>session environment where gnome-keyring or other permitted
>applications can read it. This avoids your system asking for the
>password again. 
>
>In case of a
>fingerprint login to a session with an encrypted user home a message
>â!!!ERROR: FOUND ENCRYPTED HOMEDIR BUT NO PASSWORD!!!&quot; will
>appear in the gdm greeter and the login by fingerprint will fail,
>when the external media keeping the encrypted password could not be
>found.
>PLEASE NOTE THE
>FOLLOWING RESTRICTIONS:
><UL>
>	<LI>Do not use
>	this feature if someone other then you has root permissions on this
>	machine. This is because root can connect to the machine via telnet,
>	ssh or something like this, mount the external media, find the
>	â&lt;<A CLASS="western" HREF="mailto:username@machinename.xml">username&gt;@&lt;machinename&gt;.xml</A>â
>	file, read the â/var/lib/fingerprint-gui/&lt;username&gt;/config.xmlâ
>	file and decrypt your password.
>	<LI>Do not
>	connect the removable media if it isn't needed. The
>	âpam_fingerprint-gui.soâ module only needs it while login is in
>	progress. It mounts the partition with the given UUID containing the
>	â&lt;<A CLASS="western" HREF="mailto:username@machinename.xml">username&gt;@&lt;machinename&gt;.xml</A>â
>	file and unmounts it immediately after it has read the file.
>	<LI>Do never
>	leave the removable media and the computer at the same location
>	unattended. Someone could copy both files and decrypt your password
>	later.
>	<LI>You don't need to
>	type your password any more so you can use a very long and strong
>	password now. But do not forget your password! You would not
>	be able to unlock your login-keyring any more if your removable
>	media gets lost or corrupted.
>	<LI>If you change your
>	login password on this machine you need to use âfingerprint-guiâ
>	again and save the new password to the removable media.
></UL>
>This is how I use
>this feature for myself:
>My USB stick has 3
>partitions: One âvfatâ (/dev/sdb1) to keep files to be
>transferred to other machines, one âluks_cryptoâ (/dev/sdb2)
>partition to keep my secret data and a very small (3MB) âext2â
>(/dev/sdb3) partition to hold the â&lt;<A CLASS="western" HREF="mailto:username@machinename.xml">username&gt;@&lt;machinename&gt;.xml</A>â
>file. Corresponding entries in /etc/fstab ensure that the partitions
>sdb2 and sdb3 are not automatic mounted. Needless to say that I'm the
>only person who has root access to my notebook.
>While booting my
>notebook I connect the USB stick until I'm logged in with my
>fingerprint, then remove the stick immediately and reconnect it only
>(and only as long as needed!) if I want to copy something from or to
>it. Because I don't need to invoke my password any more I use a very
>strong and cryptic login password.
><OL START=6>
>	<LI><H1 CLASS="western">Troubleshooting</H1>
>	<OL>
>		<LI><H2 CLASS="western">Gdm Greeter
>		doesn't show the Fingerprint GUI Widget or needs a long time (up to
>		20 seconds) to show it</H2>
>	</OL>
></OL>
>This behavior was seen
>on Fedora 12 with SELinux set to âenforcingâ. Please set the
>system default of SELinux to âpermissiveâ (or help me setting up
>SELinux rules that can be installed with Fingerprint GUI).
><OL>
>	<OL START=2>
>		<LI><H2 CLASS="western">Fingerprint-gui
>		Error âCould not open fingerprint deviceâ</H2>
>	</OL>
></OL>
>On some systems the file
>â/etc/udev/rules.d/40-libfprint0.rulesâ (or something like this
>in â/lib/udev/rules.dâ) installed by the âlibfprintâ package
>doesn't work properly. It should help to rename this file so it is
>invoked at a later time. In all known cases renaming it to
>â91-libfprint0.rulesâ solved the problem. You should also make
>sure your fingerprint scanner hardware has an entry in this file.
><OL>
>	<OL START=3>
>		<LI><H2 CLASS="western"><A NAME="DDE_LINK"></A>Login
>		on a secure tty hangs with âOKâ Message</H2>
>	</OL>
></OL>
>If you try to login on a secure tty the prompt
>âSwipe your finger or type your passwordâ appears. If you swipe
>the finger the message âOKâ appears and then nothing happens. In
>this case the âuinputâ device doesn't work. Make sure the
>âuinputâ module is loaded (âlsmod | grep uinputâ), the device
>exists in â/dev/input/uinputâ, â/dev/misc/uinputâ or
>â/dev/uinputâ and you have write permission to it. On Ubuntu add
>a line âuinputâ to the file â/etc/modulesâ and restart.
><OL>
>	<OL START=4>
>		<LI><H2 CLASS="western">You have a fingerprint device from UPEK/SGS
>		Thomson and get some âABSOpen()
>		failed...â error message in /var/log/auth.log</H2>
>	</OL>
></OL>
>This is probably a problem with the proprietary
>UPEK driver (libbsapi.so). Maybe your device needs the &quot;NVM
>emulation&quot;. Please have a look into this document:
> <A CLASS="western" HREF="http://www.n-view.net/Appliance//fingerprint/BSAPIUsageonLinux.pdf">http://www.n-view.net/Appliance//fingerprint/BSAPIUsageonLinux.pdf</A>
> and try to setup the emulation for your device. 
>
><OL>
>	<OL START=5>
>		<LI><H2 CLASS="western"><A NAME="DDE_LINK2"></A>Password
>		can not be saved to removable media</H2>
>	</OL>
></OL>
>If you find an entry reading:
>&quot;AES128-CBC
>not supported! Provider (libqca-ossl.so) not installed?&quot;
>in the log files, the plugin library for
>encryption is missing. Install the âlibqca2-plugin-osslâ package
>(Ubuntu) or a similar encryption plugin.
>In other cases make sure the media is removable,
>contains a valid partition and is mounted with read/write permission.
><OL START=7>
>	<LI><H1 CLASS="western">Known Limitations</H1>
>	<OL>
>		<LI><H2 CLASS="western">Applications that don't use PAM for
>		prompting a password</H2>
>	</OL>
></OL>
>The normal way to use PAM for authentication is to
>let the PAM system prompt the user for a username and/or a password.
>PAM uses then a callback function of the calling application for
>prompting something in it's own style. If called back by PAM the
>application can decide how it wants to prompt for name or password;
>if not called back, PAM has performed the authentication in another
>way (fingerprint, smart card, iris scanner or whatever). Maybe they
>didn't understand that or had another reason not to use that
>mechanism, the developers of some applications decided to prompt for
>password or username before calling PAM. In this case the
>âpam_fingerprint-gui.soâ plugin is called at a time where the
>password is already known by the PAM stack and therefore exits
>immediately. Fingerprint authentication is not possible then.
><OL>
>	<OL START=2>
>		<LI><H2 CLASS="western">Missing XAUTHORITY environment variable</H2>
>	</OL>
></OL>
>When calling PAM some applications don't have a
>XAUTHORITY variable in their environment. âpam_fingerprint-gui.soâ
>tries hard to find the âMIT Magic Cookieâ to be used to connect
>to the current display but in some cases it fails. I guess this is in
>several KDE applications the reason for not being able to show the
>fingerprint widget. Maybe I'll find some better solution in a later
>version.
><OL>
>	<OL START=3>
>		<LI><H2 CLASS="western" STYLE="page-break-after: avoid">Other Linux
>		distributions</H2>
>	</OL>
></OL>
><H3 CLASS="western">Debian 4.0</H3>
>I didn't find any way to install libfprint. There
>is neither a package available nor do the sources compile without
>errors. Didn't want to waste more time with it.
><H3 CLASS="western">SuSE 11.1 (gnome edition)</H3>
>The gdm used in SuSE behaves totally strange. It
>doesn't allow to show the fingerprint widget. Maybe it's only some
>setting to be changed or the original source installation of gdm to
>be used. Neither found any useful documentation about it nor had the
>time to try a fresh compiled gdm from sources. I gave up!
><H3 CLASS="western">Slackware</H3>
>Slackware might need someone who has enough spare
>time to make it âPAM awareâ. Not me!
> 
>
>So if you are interested to bring Fingerprint
>GUI to work on some other distributions first read the âHackingâ
>document of this project for hints about how it works. If you need
>further information about it contact me. If you managed to make it up
>and running write a HowTo and let me know.
> 
>
>
>Ubuntu and Fedora users should have no serious problems; so have
>fun with it!
> 
>
></BODY>
></HTML>

Actions: View

Attachments on bug 341105: 250683 | 251075 | 251257 | 251259 | 251261 | 259752 | 260981 | 261226 | 261228 | 274389 | 274395 | 300287 | 300475 | 300479