bioapi/fingerprint reader (was Re: [ltp] r300 and x/mesa/drm CVS)

Kevin Fenzi linux-thinkpad@linux-thinkpad.org
Tue, 27 Sep 2005 10:03:07 -0600




>> - You want in your /etc/pam.d/test-pam_bioapi:
>> 
>> auth required pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/
>> 
>> The stuff in the {} is the identifier for the fingerprint
>> reader. The example has the one for the regular password interface.
>> 
>> the /etc/bioapi dir is where I have it looking for the files (I
>> thought /etc/bioapi1.10/pam was a bit weird. ;)
>> 
>> - You want the pam_bioapi module in /etc/security/pam_bioapi.so
>> 
>> - You want to make a directory called:
>> 
>> /etc/bioapi/"{5550454b-2054-464d-2f45-535320425350}"
>> 
>> - You want to put the username.bir file you made with the bioapi
>> Sample executable for your user in that directory from the last
>> step.
>> 
>> - At this point it should work for root. Try
>> './test_verify-pam_bioapi username'
>> 
>> - In order to make it work for users, you have to do these things:
>> 
>> http://linuxbiometrics.com/modules/newbb/viewtopic.php?topic_id=80&forum=1&viewmode=flat&order=ASC&start=10
>> 
>> It should work then. :) Good luck.
>> 
>> kevin

Torkild> Thanks for the help Kevin :-) PAM works more or less as it
Torkild> should now. Authentication can be done using the fingerprint
Torkild> reader, but it tells me that the user account has expired. I

I think I had that happen at one point to me, but not sure what the
fix was. Oh wait... yeah, that bioapi-pam verify test binary always
says that. I think it's a bug there. It works fine despite it... 

Torkild> remember seeing some posts describing this problem so I'll
Torkild> try digging them up.

Yeah, if you find a solution let me know. I think it can be safely
ignored as a bug in the test program. 

Torkild> Do you actually use this setup to log into your computer?

Yeah, I have it working for logins and (with the xscreensaver patch)
to unlock my screen. 

For logins, modify /etc/pam.d/login to comment the first system-auth,
and replace it with a pam_bioapi call:

#%PAM-1.0
auth       required     pam_securetty.so
#auth       required    pam_stack.so service=system-auth
auth       required     pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open

kevin
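
A pre-flight check for the setup described in this message, as an added example that is not part of the original post or of pam_bioapi: it parses a PAM service file for the pam_bioapi rule, confirms the user's .bir template exists under the {UUID} directory and is not group/world-writable, and reports when no password module remains in the auth stack. The function name check_bioapi and the PASSWORD_MODULES list are assumptions made for this example.

```python
import os
import re
import stat

# Rule shape used in the post: auth <control> pam_bioapi.so {BSP UUID} <template dir>
# Assumption: simple one-word control values (no bracketed [success=...] syntax).
BIOAPI_RE = re.compile(
    r"^\s*auth\s+\S+\s+(?:\S*/)?pam_bioapi\.so\s+(\{[0-9a-fA-F-]{36}\})\s+(\S+)")
# Assumption: these modules are what supplies password auth on this system.
PASSWORD_MODULES = ("pam_stack.so", "pam_unix.so")

# The auth lines from the post's /etc/pam.d/login, kept here as sample input.
SAMPLE_LOGIN = """\
auth       required     pam_securetty.so
#auth       required    pam_stack.so service=system-auth
auth       required     pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
"""

def check_bioapi(pam_text, user):
    """Return a list of findings for `user`; an empty list means nothing to fix."""
    findings, auth_modules, found = [], [], False
    for line in pam_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out rules are inactive
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            auth_modules.append(os.path.basename(fields[2]))
        m = BIOAPI_RE.match(line)
        if not m:
            continue
        found = True
        uuid, base = m.groups()
        bir = os.path.join(base, uuid, user + ".bir")  # layout described in the post
        try:
            mode = os.stat(bir).st_mode
        except OSError:
            findings.append("missing template: " + bir)
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("template writable by group/other: " + bir)
    if not found:
        findings.append("no active pam_bioapi auth rule")
    elif not any(mod in PASSWORD_MODULES for mod in auth_modules):
        findings.append("no password module in auth stack: fingerprint is the only credential")
    return findings

if __name__ == "__main__":
    for finding in check_bioapi(SAMPLE_LOGIN, "username"):
        print(finding)
```

Running it against the real /etc/pam.d/login before logging out of the last root session shows whether the enrolled template is where the module will look for it.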