September 19, 2014
 
 

The Bad Guys Will Hack Off Your Fingers

Middlin' Security, Strong Convenience

  • December 31, 2008
  • By Carla Schroder
LinuxPlanet Classics: Getting the fingerprint reader working hasn't advanced much since this article was first run, so here we go again, with some updated references. Please note that fingerprint readers, like all biometric devices, are easy to foil and do not provide strong security; but they are convenient.

Linux has always supported Thinkpads pretty well, though the onboard modems and sound are chronic trouble spots. In fact, these days the modem is the sound chip. Two troubles for the price of one! But, as always, Linux coders make these things work despite the best efforts of all those innovative proprietary vendors to thwart them. I have a Lenovo T61 with an integrated fingerprint reader, and finally got around to seeing if I could make it work. Thanks to the fine folks at ThinkWiki.org and Thinkfinger, I had it up and working in no time. ThinkWiki is an essential resource for Linux Thinkpad owners, and don't forget to contribute your own tips and success stories.

A word of warning first: biometrics is all sexy and hawt and touted as the final security solution. Unfortunately, it's not. Perhaps you recall when grocery stores started using fingerprint scanners, and people couldn't get into this new unproven system quickly enough. Why is it they will not trust a lawyer's or accountant's advice, but will blindly trust a retail store with their fingerprints? I remember when Thriftway rolled this out in Seattle some years ago; the Seattle P-I tells the tale:

"The main thing is, it's fast, it's easy, and it's secure," says Paul Kapioski, West Seattle Thriftway owner."..."It takes about one minute to enroll,"...Employees underwent 15 or 20 minutes of training in the system this week."
This could be made into a party game: how many holes can you poke in this "security" scheme in 30 seconds? Ready? Start:
  1. How hard do they work to verify identity when customers sign up the first time?
  2. It's easy to forge a fingerprint
  3. Once it's compromised, how many more fingers can you grow?
  4. What sort of ninjas are storing and protecting the scans?
  5. Overworked, underpaid, undertrained retail clerks are just the people you want on the security front lines
  6. The bad guys will cut off your fingers
I'm sure you can think of more. As a security device it's weak, and it's ineffective against someone swiping your whole laptop. But it's convenient and it's there, so let's make it go.

Getting the Software

It's perfectly safe to try as long as you do not disable password logins. There are packages for several Linux distributions, with instructions here. I'll run through a source installation; don't worry, it's easy. In addition to your usual build environment, you need the development libraries for USB and PAM. Install these first, then grab the latest tarball from ThinkFinger, and unpack it thusly:

$ tar zxvf thinkfinger-0.3.tar.gz
$ cd thinkfinger-0.3

Then run these commands to compile and install it:

$ ./configure  --with-securedir=/lib/security \
  --with-birdir=/etc/pam_thinkfinger
$ make
# make install
# modprobe uinput

Now you can test it. Run this command:

# tf-tool --acquire
[...]
Please swipe your finger (successful swipes 0/3, failed swipes: 0)...

Snug your finger into the little indent above the scanner, and slowly draw your finger across the scanner. You need three successful scans. The scan will be stored in /tmp/test.bir. Now you can test it: run this command, and swipe your finger, again slowly:

# tf-tool --verify
Result: Fingerprint does match

Logging In With Your Fingerprint

Now you need to edit your PAM (Pluggable Authentication Modules) configuration so you can log in to your computer with either your usual password, or with your fingerprint:

# mkdir /etc/pam_thinkfinger
# tf-tool --add-user carla

ThinkFinger 0.3 (http://thinkfinger.sourceforge.net/)
Copyright (C) 2006, 2007 Timo Hoenig 

Initializing... done.
Please swipe your finger (successful swipes 3/3, failed swipes: 6)... done.
Storing data (/etc/pam_thinkfinger/carla.bir)... done.

Configuring PAM is always a heap o' fun. On Debian, the Buntu family, and most Linuxes, add these lines to /etc/pam.d/common-auth before any other pam_unix lines:

auth    sufficient      pam_thinkfinger.so
auth    required        pam_unix.so  try_first_pass

For Fedora, PCLinuxOS, and the rest of the Red Hat extended family, add them to /etc/pam.d/system-auth. SUSE goes its own way entirely. Add uinput to /etc/modules, or whatever your system needs to load modules at boot, and reboot.
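
The order and control flags of those two lines are what keep password logins working alongside the fingerprint. As an added example (not from the original article or the ThinkFinger project), this shell function audits an auth stack for them; the function name and verdict words are made up for illustration, and the sample file is constructed.

```shell
#!/bin/sh
# Audit a PAM auth stack for the ThinkFinger setup described above.
# Prints one verdict word; the exit status is 0 only for "ok".
# Limitation: handles simple control keywords (sufficient, required, ...),
# not the bracketed [value=action] form.
check_thinkfinger_pam() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }      # skip comments, blank and short lines
        $1 != "auth"        { next }      # only the auth stack matters here
        { n++ }                           # position within the auth stack
        $3 ~ /pam_thinkfinger\.so$/ && !tf { tf = n; tf_ctl = $2 }
        $3 ~ /pam_unix\.so$/ && !ux        { ux = n; ux_try = ($0 ~ /try_first_pass/) }
        END {
            if (!tf)
                v = "not-configured"          # no fingerprint module at all
            else if (tf_ctl != "sufficient")
                v = "fingerprint-mandatory"   # a failed swipe would block login
            else if (!ux)
                v = "no-password-fallback"    # password logins were disabled
            else if (ux < tf)
                v = "wrong-order"             # pam_unix runs before the reader
            else if (!ux_try)
                v = "missing-try_first_pass"  # pam_unix would prompt a second time
            else
                v = "ok"
            print v
            exit (v == "ok" ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample: the two lines from the article, in the article's order.
sample=$(mktemp)
printf '%s\n' \
    'auth    sufficient      pam_thinkfinger.so' \
    'auth    required        pam_unix.so  try_first_pass' > "$sample"
check_thinkfinger_pam "$sample"
rm -f "$sample"
```

Point it at the real file, for example check_thinkfinger_pam /etc/pam.d/system-auth, before you reboot or log out.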

Now what happens? My T61 runs PCLinuxOS, and the graphical login manager has absolutely no clue about fingerprint readers. kdesu doesn't know what to do with it, either. So I can't log in to a graphical session with my fingerprint. However, at the console prompt I got this:

PCLinuxOS release 2007 for i586
Kernel 2.6.22.10.tex1 on a Dual-processor i686 /tty4
ripley login: carla
Password or swipe finger:

Hurrah! And it worked. It's still a baby and has a lot of growing up to do, so please visit Resources for more help and updates. ThinkFinger needs more PAM modules to make it work with different types of authentication and applications, so if you're looking for a FOSS project to support, that would be a good one.

Resources

Carla Schroder is the author of the Linux Cookbook and the Linux Networking Cookbook, and is the managing editor of LinuxPlanet.
