The fingerprint reader on my IBM X41 Laptop (now running Ubuntu 8.04 LTS Desktop Edition) has been staring at me from between my palms for years now. Time to finally get that sucka working…
First off, I’m not generally a big fan of “package managed” distributions - at least not on my own, personal experimental laptop. However, the extremely light weight (about 3 lbs or 1.5 kg, according to Lenovo), coupled with its durable titanium frame, made it a perfect candidate for my travel computer. I chose Ubuntu as my distro of choice in this capacity.

So, starting down the road of info gathering, lsusb showed me this:

ross@peloton:~$ lsusb
Bus 005 Device 001: ID 0000:0000
Bus 004 Device 001: ID 0000:0000
Bus 003 Device 003: ID 0483:2016 SGS Thomson Microelectronics Fingerprint Reader
Bus 003 Device 002: ID 0a5c:201e Broadcom Corp.
Bus 003 Device 001: ID 0000:0000
Bus 002 Device 004: ID 1199:0120 Sierra Wireless, Inc.
Bus 002 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000
ross@peloton:~$ 

Cool. It’s a USB device.

I’m intentionally trying to stick to the packaging system in use on this system. Trying to track down dependencies in my compiled-from-source software is one thing. Trying to track down how my compiled-from-source software broke some pre-compiled package installed in a way I didn’t realize is quite another.

So, I skipped the RTFG step (that’s ‘G’ for Google) and went straight to Synaptic Package Manager, and threw in a quick search for ‘fingerprint’. I ended up installing the following packages. Hopefully, by the end of this article, I’ll trim this list down:

libpam-thinkfinger
libthinkfinger0
libthinkfinger-doc (just in case)
thinkfinger-tools
nmap

OK. So nmap has nothing to do with the fingerprint reader. But, it happened to turn up in my search results, and I know I’ll need it later, so I picked it too!

The details of the packages led me to check out the binary tf-tool:

ross@peloton:/proc$ which tf-tool
/usr/sbin/tf-tool
ross@peloton:/proc$ tf-tool --help

ThinkFinger 0.3 (http://thinkfinger.sourceforge.net/)
Copyright (C) 2006, 2007 Timo Hoenig <thoenig@suse.de>

Usage: tf-tool [--acquire | --verify] [--verbose] [bir_file]
  where --verbose and bir_file are optional.

  --verbose defaults to unspecified
    bir_file defaults to ~/.thinkfinger.bir.

ross@peloton:/proc$ 

Not so helpful in my opinion. However, ‘man tf-tool’ was helpful; check it out. Let’s give it a test run:

ross@peloton:/proc$ sudo tf-tool --acquire

ThinkFinger 0.3 (http://thinkfinger.sourceforge.net/)
Copyright (C) 2006, 2007 Timo Hoenig <thoenig@suse.de>

Initializing... done.
Please swipe your finger (successful swipes 3/3, failed swipes: 1)... done.
Storing data (/home/ross/.thinkfinger.bir)... done.
ross@peloton:/proc$

Note that I ran it under sudo (my standard user account is not yet able to access the USB device) but it keyed off of my real UID, and stored the output in my home directory (/home/ross instead of /root). Cool.

And then see if we can match it:

ross@peloton:/proc$ sudo tf-tool --verify

ThinkFinger 0.3 (http://thinkfinger.sourceforge.net/)
Copyright (C) 2006, 2007 Timo Hoenig <thoenig@suse.de>

Initializing... done.
Please swipe your finger (successful swipes 1/1, failed swipes: 0)... done.
Result: Fingerprint does match.
ross@peloton:/proc$

And what happens if I swipe a different finger?

ross@peloton:/proc$ sudo tf-tool --verify

ThinkFinger 0.3 (http://thinkfinger.sourceforge.net/)
Copyright (C) 2006, 2007 Timo Hoenig <thoenig@suse.de>

Initializing... done.
Please swipe your finger (successful swipes 1/1, failed swipes: 0)... done.
Result: Fingerprint does *not* match.
ross@peloton:/proc$

So far, all looks promising.

The man page for lib_thinkfinger indicates that you need a specific device at a specific path in the dev tree, provided by the module ‘uinput.’ Looks like Ubuntu already took care of all of that for me:

ross@peloton:~$ lsmod | grep uinput
uinput                 10240  1
ross@peloton:~$ ls -al /dev/input/uinput
crw-rw----+ 1 root root 10, 223 2008-05-13 20:50 /dev/input/uinput
ross@peloton:~$

Could I possibly be ready to use this for authentication? Oh - wait, the PAM configuration. Going back to my past PAM experience, I take a stab at it by adding a line for the pam_thinkfinger module (already installed in /lib/security by the package) to the file /etc/pam.d/common-auth. This makes my final file (along with the Ubuntu installed default comments) as:

ross@peloton:/lib/security$ sudo cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth	sufficient	pam_thinkfinger.so
auth	requisite	pam_unix.so nullok_secure
auth	optional	pam_smbpass.so migrate

Now for the test run. Let’s try something simple like an ‘su’ to my own user:

ross@peloton:/lib/security$ su - ross
Password or swipe finger:
ross@peloton:~$ 

“Password or swipe finger:” Wow. Very good sign. And it worked!

But wait - the manpage for lib_thinkfinger clearly said that I needed to copy my fingerprint data file into /etc/pam_thinkfinger - but I didn’t. Turns out it’ll also look for the file .thinkfinger.bir in the user’s home directory. This just happens to be the file that tf-tool created by default with the --acquire we did above.

Of course, this is only the print for a single finger. I’ve yet to test out if I can authenticate by storing multiple files in /etc/pam_thinkfinger. But for now all is good.
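
As an added example (not part of the original post or of ThinkFinger), the script below checks two things this setup depends on: which modules in an auth stack can succeed on their own, and whether a template file can be modified by anyone but its owner. The function names and temporary files are made up for illustration; the stack is a constructed copy of the auth lines shown above.

```shell
#!/bin/sh
# Added example: audit a PAM auth stack and a fingerprint template's mode.
# Handles keyword controls only (as in the post); [value=action] lines are skipped.

# Print "control module" for each active auth line, in stack order.
auth_stack() {
    awk '$1 == "auth" && $2 !~ /^\[/ { print $2, $3 }' "$1"
}

# Modules marked "sufficient" ahead of the first required/requisite module:
# a success there ends authentication at once, without consulting later modules.
standalone_modules() {
    auth_stack "$1" | awk '
        $1 == "required" || $1 == "requisite" { exit }
        $1 == "sufficient" { print $2 }'
}

# Return 0 if group or others may write the file (they could then replace
# the enrolled template with their own), 1 otherwise.
template_loosely_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: the auth lines from the post, and a stand-in
# template file created with a deliberately loose mode.
stack=$(mktemp)
bir=$(mktemp)
cat > "$stack" <<'EOF'
auth	sufficient	pam_thinkfinger.so
auth	requisite	pam_unix.so nullok_secure
auth	optional	pam_smbpass.so migrate
EOF
chmod 664 "$bir"

echo "Can authenticate alone: $(standalone_modules "$stack")"
if template_loosely_writable "$bir"; then
    echo "Template is writable by group/others; tighten with chmod go-w"
fi
rm -f "$stack" "$bir"
```

With pam_thinkfinger.so marked sufficient ahead of pam_unix.so, a matching swipe is accepted in place of the password by every service that includes common-auth.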

And the final confirmation is when I saw the “…or swipe finger” text displayed at the password prompt of gdm when I logged into my gnome desktop. Ahh how sweet to simply swipe my finger. Who needs stinkin passwords!

As you can see, setting this up was super simple and straightforward. Let me know what does and does not work for you in these steps.

It is important to note, however, that all of this works only within the context of the operating system. The above still does not enable fingerprints to be used in the BIOS-controlled hard disk access password, or administrator password for accessing the system BIOS config. Hopefully, I’ll get time to work out how to use the stored fingerprint data in those areas. Until then …

…happy finger swiping


All content copyright ©2008 by Ross A. Del Duca
unless otherwise noted

contributed content rights belong to the respective contributors.