The Bad Guys Will Hack Off Your Fingers
Middlin' Security, Strong Convenience
December 31, 2008
LinuxPlanet Classics: Getting the fingerprint reader working hasn't advanced much since this article was first run, so here we go again, with some updated references. Please note that fingerprint readers, like all biometric devices, are easy to foil and do not provide strong security; but they are convenient.
Linux has always supported Thinkpads pretty well, though the onboard modems and sound are chronic trouble spots. In fact, these days the modem is the sound chip. Two troubles for the price of one! But, as always, Linux coders make these things work despite the best efforts of all those innovative proprietary vendors to thwart them. I have a Lenovo T61 with an integrated fingerprint reader, and finally got around to seeing if I could make it work. Thanks to the fine folks at ThinkWiki.org and Thinkfinger, I had it up and working in no time. ThinkWiki is an essential resource for Linux Thinkpad owners, and don't forget to contribute your own tips and success stories.
A word of warning first: biometrics is all sexy and hawt and touted as the final security solution. Unfortunately, it's not. Perhaps you recall when grocery stores started using fingerprint scanners, and people couldn't get into this new unproven system quickly enough. Why is it they will not trust a lawyer's or accountant's advice, but will blindly trust a retail store with their fingerprints? I remember when Thriftway rolled this out in Seattle some years ago; the Seattle P-I tells the tale:
"The main thing is, it's fast, it's easy, and it's secure," says Paul Kapioski, West Seattle Thriftway owner." ... "It takes about one minute to enroll," ... Employees underwent 15 or 20 minutes of training in the system this week."
This could be made into a party game: how many holes can you poke in this "security" scheme in 30 seconds? Ready? Start:
Getting the Software
It's perfectly safe to try as long as you do not disable password logins. There are packages for several Linux distributions, with instructions here. I'll run through a source installation; don't worry, it's easy. In addition to your usual build environment, you need the development libraries for USB and PAM. Install these first, then grab the latest tarball from ThinkFinger, and unpack it thusly:
$ tar zxvf thinkfinger-0.3.tar.gz
Then run these commands to compile and install it:
$ ./configure --with-securedir=/lib/security \
    --with-birdir=/etc/pam_thinkfinger
$ make
# make install
# modprobe uinput
Now you can test it. Run this command:
# tf-tool --acquire
[...]
Please swipe your finger (successful swipes 0/3, failed swipes: 0)...
Snug your finger into the little indent above the scanner, and slowly draw your finger across the scanner. You need three successful scans. The scan will be stored in /tmp/test.bir. Now you can test it: run this command, and swipe your finger, again slowly:
# tf-tool --verify
Result: Fingerprint does match
Logging In With Your Fingerprint
Now you need to edit your PAM (Pluggable Authentication Modules) configuration so you can log in to your computer with either your usual password, or with your fingerprint:
# mkdir /etc/pam_thinkfinger
# tf-tool --add-user carla
ThinkFinger 0.3 (http://thinkfinger.sourceforge.net/)
Copyright (C) 2006, 2007 Timo Hoenig
Configuring PAM is always a heap o' fun. On Debian, the Buntu family, and most Linuxes, add these lines to /etc/pam.d/common-auth before any other pam_unix lines:
auth sufficient pam_thinkfinger.so
auth required pam_unix.so try_first_pass
For Fedora, PCLinuxOS, and the rest of the Red Hat extended family, add them to /etc/pam.d/system-auth. SUSE goes its own way entirely. Add uinput to /etc/modules, or whatever your system needs to load modules at boot, and reboot.
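A check worth running on the edited file before you reboot, added here as an example and not part of ThinkFinger or the original article: the hypothetical function check_pam_stack confirms that pam_thinkfinger.so is marked sufficient and listed before pam_unix.so, and that a pam_unix.so auth line still exists so password login is not disabled. The sample stacks are constructed.

```shell
#!/bin/sh
# Added example (not from ThinkFinger or the article). check_pam_stack is a
# hypothetical helper: it lints the auth stack of one PAM file and exits
# non-zero if the layout differs from the one the article gives.
check_pam_stack() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        $1 != "auth"   { next }            # only auth lines are relevant
        {
            n++                            # position within the auth stack
            if ($0 ~ /pam_thinkfinger\.so/ && !tf) { tf = n; ctl = $2 }
            if ($0 ~ /pam_unix\.so/) {
                if (!ux) ux = n
                if ($0 ~ /try_first_pass/) tfp = 1
            }
        }
        END {
            if (!ux) { print "FAIL: no pam_unix.so auth line, password login is disabled"; bad = 1 }
            if (!tf) { print "FAIL: pam_thinkfinger.so is not in the auth stack"; bad = 1 }
            if (tf && ux && tf > ux) { print "FAIL: pam_thinkfinger.so is listed after pam_unix.so"; bad = 1 }
            if (tf && ctl != "sufficient") { print "FAIL: pam_thinkfinger.so is \"" ctl "\", expected \"sufficient\""; bad = 1 }
            if (ux && !tfp) print "WARN: pam_unix.so has no try_first_pass"
            if (!bad) print "OK: fingerprint is optional, password login still available"
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample stacks, written to a scratch directory for the demo.
demo=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_thinkfinger.so' \
              'auth required pam_unix.so try_first_pass' > "$demo/as_in_article"
printf '%s\n' 'auth required pam_unix.so' \
              'auth sufficient pam_thinkfinger.so' > "$demo/wrong_order"
printf '%s\n' 'auth sufficient pam_thinkfinger.so' \
              '#auth required pam_unix.so try_first_pass' > "$demo/password_disabled"
for f in as_in_article wrong_order password_disabled; do
    echo "== $f"
    check_pam_stack "$demo/$f" || true
done
rm -rf "$demo"
```

Point it at the file you edited, for example check_pam_stack /etc/pam.d/system-auth, and keep a root shell open until a password login has been confirmed to work.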
Now what happens? My T61 runs PCLinuxOS, and the graphical login manager has absolutely no clue about fingerprint readers. kdesu doesn't know what to do with it, either. So I can't log in to a graphical session with my fingerprint. However, at the console prompt I got this:
PCLinuxOS release 2007 for i586
Kernel 188.8.131.52.tex1 on a Dual-processor i686 /tty4
ripley login: carla
Password or swipe finger:
Hurrah! And it worked. It's still a baby and has a lot of growing up to do, so please visit Resources for more help and updates. ThinkFinger needs more PAM modules to make it work with different types of authentication and applications, so if you're looking for a FOSS project to support, that would be a good one.