How to get the Fingerprint reader on IBM Thinkpads (T42P, T43P) to workwith OpenSUSE 10

Novell Cool Solutions: Trench
By Hicham Mourad

Digg This - Slashdot This Posted: 17 Jan 2006

How to get the Fingerprint reader on IBM Thinkpads (T42P, T43P) to workwith OpenSUSE 10

There is a lot of information on how to do this on the Internet, which is where I got a lot of this information. However, my intention was to put together a set of instructions that are specific to OpenSUSE 10. I hope you find them helpful.

The steps to achieve this are as follows:

1. Prerequisites

2. Installing the Biometric Api (bioapi) framework

3. Installing and configuring the driver

4. Testing the driver and enrolling fingerprint(s)

5. Configuring PAM for authentication using the Fingerprint reader

6. Common Behavior of Applications after implementation

PREREQUISITES

• Using YAST make sure that the C/C++ Compiler and Tools is installed.

• Determine what version of the pam RPM that you have is, and install the pam-devel RPM. I couldn't find this RPM on the Media that I had for Open SUSE 10 so I had to download it from this directory. Please make sure that the version of the pam-devel RPM that you install is the same as the pam RPM.

• pam-devel-0.80-6.i586.rpm

• Perform all the steps below as Super User

• Create a directory called /root/fingerprint

INSTALLING THE BIOMETRIC API (BIOAPI) FRAMEWORK

• Get the bioapi source from the following location: http://www.qrivy.net/~michael/blua/bioapi/bioapi-latest.tar.bz2 and save it to /root/fingerprint Please do the following as root from a terminal prompt:

#  cd /root/fingerprint
#  tar xjf bioapi-latest.tar.bz2
#  cd bioapi-1.2.2
#  ./configure --with-Qt-dir=no
#  make
#  export LD_LIBRARY_PATH=/usr/local/lib
#  make install
#  cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include

INSTALLING AND CONFIGURING THE DRIVER

• Create a folder called /root/fingerprint/driver

# mkdir -p /root/fingerprint/driver

• Download TFMESS_BSP_LIN_1.0.zip from the UPEK support site http://www.upek.com/support/dl_linux_bsp.asp and unzip it into /root/fingerprint/driver

• Change to that folder and do as root:

#  unzip TFMESS_BSP_LIN_1.0.zip
#  sh install.sh

TESTING THE DRIVER AND ENROLLING FINGERPRINT(S)

• Go to the folder where you extracted TFMESS_BSP_LIN_1.0.zip and do:

# cd NonGUI_Sample

• Edit main.c and remove the line #include "port/bioapi_port.h"

# gcc -o Sample main.c -L/usr/local/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN

• Run the Sample tool. This allows you to enroll fingerprints for the different users. You will want to do this for root and your userid. This captures the fingerprints and saves them to a <username>.bir file that will be used later.

# ./Sample "e"nroll (to record a fingerprint for both root and your userid) and then "v"erify (to test a fingerprint against the one it expects for an account).

CONFIGURING PAM FOR AUTHENTICATION USING THE FINGERPRINT READER

Installing the PAM modules for bioapi

• Get and compile the pam_bioapi module from the following location: http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2 Save this to the /root/fingerprint/ directory

#  cd /root/fingerprint/
#  tar xjf pam_bioapi-latest.tar.bz2
#  cd pam_bioapi-0.2.1
#  wget http://badcode.de/downloads/fingerprint.patch
#  patch -p0 < fingerprint.patch
#  ./configure && make
#  make install
#  cp /usr/local/lib/security/* /lib/security/


#  SERIAL=`BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}"`

#  echo $SERIAL should print something like {5550454b-2054-464d-2f45-535320425350} now.   IF IT DOES, do: 

#  mkdir -p /etc/bioapi/pam/$SERIAL

IF IT DOES NOT, do:

# SERIAL={5550454b-2054-464d-2f45-535320425350}

as this value is hard coded into the UPEK docs, then type

# mkdir -p /etc/bioapi/pam/$SERIAL

Copy the <username>.bir file(s) that you generated one section above to this newly created directory. # cp /root/fingerprint/driver/NonGUI_Sample/*.bir /etc/bioapi/pam/$SERIAL

Configuring PAM

Modify the /etc/pam.d/common-auth file to reflect the AFTER sample below.

BEFORE

#

# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth   required        pam_env.so
auth   required        pam_unix2.so

AFTER

#

# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth       sufficient   pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
password   sufficient   pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth       required     pam_unix2.so nullok_secure
#auth   required        pam_env.so
#auth   required        pam_unix2.so

At this point reboot your system. After entering your username a little window will pop-up to swipe your finger. You will be prompted to swipe your finger for any applications or tools that require authentication.

NOTE: Three failed attempts will then cause PAM to authenticate against the local password.

Another NOTE: If you ever want to discontinue using the Fingerprint Reader simply return the file /etc/pam.d/common-auth to it's original state.

COMMON BEHAVIOR OF APPLICATIONS AFTER IMPLEMENTATION

The implementation of fingerprint scanning support varies in different applications.

Here is the behaviour of the most common ones:

• When using the Gnome Display Manager gdm, it will pop up an image to swipe your finger. You can login without a password.

• When using the KDE Display Manager kdm, it doesn't give any visual indication, other than that the cursor stops blinking. Just swipe your finger and you will be logged in.

• The KDE screen saver in SUSE 10 requires you to enter an empty password (or select the correct user and then enter an empty password(Just hit <enter>)) in order to get the fingerprint prompt. Just swipe your finger and you will be logged in.

• The GNOME screen saver in SUSE 10 requires you to enter an empty password (Just hit <enter>) in order to get the fingerprint prompt. Just swipe your finger and you will be logged in.

• When using KDE as the desktop environment, I have noticed that some applications require you to swipe your finger twice.

• Logged in as a regular user, any applications launched that require authentication, you will be prompted to swipe your finger.

Have fun!!!!

Reader Comments

• Oh this is way cool. Those select few of us with t43p's thank you!
• Great article - worked first time!
• Superb article, well written, and works like a charm ! !

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com