Tue, 22 Jan 2008
Fingerprint Reader
I have got a cheap fingerprint reader (thanks Juraj!) and I have played a bit with it:
(image from this digitaltechnews.com article). It is an USB device, and it works surprisingly well with Linux. There is a comprehensive HOWTO available, but I will try to summarize steps needed for Fedora Linux:
- Run "
yum install thinkfinger". This is a set of user-space tools and a PAM module for this reader. - If you do not have a distribution kernel, compile the
uinputmodule in (underCONFIG_INPUT_MISC,CONFIG_INPUT_UINPUT). - Make sure your root filesystem is mounted with the
acloption (if not, run "mount -o remount,acl /"). - Now you can play with
tf-tool --acquireandtf-tool --verifyand see whether the scanned fingerprint matches. From time to time I see theusb_bulk_readerror mentioned here, usually runningtf-toolviastrace(1)helps. - Using "
tf-add --add-user logname" add your fingerprint to the system database. - Configure PAM. I have added the boldface text into
/etc/pam.d/system-auth:...
auth sufficient /lib/security/$ISA/pam_thinkfinger.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok try_first_pass
... - Run "
modprobe uinput" as root. - Restart your display manager using
init 3, wait few seconds, and theninit 5. - And that's it: user which has been added using
tf-tool --add-usershould be able to login with his finger now! In Fedora, HAL manages access control lists of devices, so a separate groupfingerprintas described in the HOWTO above is not necessary.
So far I think this technology is interesting, even though it is not always
100 % reliable. It is however usable for
local logins only. It would be nice if more local apps such as ssh-askpass or Revelation
can use it.
7 replies for this story:
dan wrote: thinkfinger
I have the same fingerprint reader integrated in my notebook (or at least it uses the same driver). It is very addictive to just swipe the finger instead of writing the long password :-). Unfortunately it doesn't work with KDM (i.e. when unlocking the screen, I have to type the password), only with GDM. However I think I've read it will be (or is?) solved in KDE 4, so no big deal.
Vasek Stodulka wrote:
Interesting. With this I should type "su" and use some finger on my leg to login as root. :-)
Honza wrote: IBM TP R60 fingerprint reader
I'm using fingerprint reader integrated to my notebook for more than a year now. Works great with KDM (KDE) and local logins. It took me a couple of days to get used to (position of finger, the length of swipe etc.), but I'm so close to 100% reliability that it is a surprise when it fails. I did not thoroughly tested the other type of error (somebody else being able to log in), but I tested a couple of other people (and other fingers) without any error.
Milan Zamazal wrote:
If I understand it well, such devices don't store the passwords, so they are indeed useful only for local logins in office environments or so. This is not of any benefit to me. What I'd like to have is a password manager (preferably a hardware device) for tons of my remote passwords. I looked recently at several software password managers and unless I've missed something they are all enough inconvenient to use that it is actually easier to remember (and especially to type in) the passwords. Do you know about any tool that can be used for handling remote passwords reasonably?
wrote:
I think it could theoretically be possible to use it for unlocking a local keyring (GNOME Revelation), GPG key, SSH passphrase, etc. Which is close enough to your "remote passwords" requirement, I think.
Spes wrote:
Wow, I tried the Revelation and I like it.
Milan Zamazal wrote:
I can't see any benefit in using a simple fingerprint reader for unlocking local keyrings storing remote passwords. As my fingerprint is not a secret information, I could simply use passwordless keyrings instead.