Linux has always supported Thinkpads pretty well, though the onboard modems and sound are chronic trouble spots. In this article, Carla Schroder focuses on her Lenovo T61's integrated fingerprint reader, to see what is involved in getting it to work on Linux.
Linux has always supported Thinkpads pretty well, though the onboard modems and sound are chronic trouble spots. In fact, these days the modem is the sound chip. Two troubles for the price of one! But, as always, Linux coders make these things work despite the best efforts of all those innovative proprietary vendors to thwart them. I have a Lenovo T61 with an integrated fingerprint reader, and finally got around to seeing if I could make it work. Thanks to the fine folks at ThinkWiki.org
, I had it up and working in no time. ThinkWiki is an essential resource for Linux Thinkpad owners, and don't forget to contribute your own tips and success stories.
A word of warning first: biometrics is all sexy and hawt and touted as the final security solution. Unfortunately, it's not. Perhaps you recall when grocery stores started using fingerprint scanners, and people couldn't get into this new unproven system quickly enough. Why is it they will not trust a lawyer's or accountant's advice, but will blindly trust a retail store with their fingerprints? I remember when Thriftway rolled this out in Seattle some years ago; the Seattle P-I tells the tale:
"The main thing is, it's fast, it's easy, and it's secure," says Paul Kapioski, West Seattle Thriftway owner."..."It takes about one minute to enroll,"...Employees underwent 15 or 20 minutes of training in the system this week."
This could be made into a party game--how many holes can you poke in this "security" scheme in 30 seconds? Ready? Start:
- How hard do they work to verify identity when customers sign up the first time?
- It's easy to forge a fingerprint
- Once it's compromised, how many more fingers can you grow?
- What sort of ninjas are storing and protecting the scans?
- Overworked, underpaid, undertrained retail clerks are just the people you want on the security front lines
- The bad guys will cut off your fingers
I'm sure you can think of more. As a security device it's weak, and it's ineffective against someone swiping your whole laptop. But it's convenient and it's there, so let's make it go.
It's perfectly safe to try as long as you do not disable password logins. There are packages for several Linux distributions, with instructions here
. I'll run through a source installation; don't worry, it's easy. In addition to your usual build environment, you need the development libraries for USB and PAM. Install these first, then grab the latest tarball from ThinkFinger
, and unpack it thusly:
$ tar zxvf thinkfinger-0.3.tar.gz
Then run these commands to compile and install it:
$ ./configure --with-securedir=/lib/security \
# make install
# modprobe uinput
Now you can test it. Run this command:
# tf-tool --acquire
Please swipe your finger (successful swipes 0/3, failed swipes: 0)...
Snug your finger into the little indent above the scanner, and slowly draw your finger across the scanner. You need three successful scans. The scan will be stored in /tmp/test.bir. Now you can test it- run this command, and swipe your finger, again slowly:
# tf-tool --verify
Result: Fingerprint does match
Now you need to edit your PAM (Pluggable Authentication Modules) configuration so you can log in to your computer with either your usual password, or with your fingerprint:
# mkdir /etc/pam_thinkfinger
# tf-tool --add-user carla
ThinkFinger 0.3 (http://thinkfinger.sourceforge.net/)
Copyright (C) 2006, 2007 Timo Hoenig
Please swipe your finger (successful swipes 3/3, failed swipes: 6)... done.
Storing data (/etc/pam_thinkfinger/carla.bir)... done.
Configuring PAM is always a heap o' fun. On Debian, the Buntu family, and most Linuxes, add these lines to /etc/pam.d/common_auth
before any other pam_unix
auth sufficient pam_thinkfinger.so
auth required pam_unix.so try_first_pass
For Fedora, PCLinuxOS, and the rest of the Red Hat extended family, add them to /etc/pam.d/system-auth
. SUSE goes its own way entirely. Add uinput
, or whatever your system needs to load modules at boot, and reboot.
Now what happens? My T61 runs PCLinuxOS, and the graphical login manager has absolutely no clue about fingerprint readers. kdesu doesn't know what to do with it, either. So I can't login to a graphical session with my fingerprint. However, at the console prompt I got this:
PCLinuxOS release 2007 for i586
Kernel 188.8.131.52.tex1 on a Dual-processor i686 /tty4
ripley login: carla
Password or swipe finger:
Hurrah! And it worked. It's still a baby and has lot of growing up to do, so please visit Resources for more help and updates. ThinkFinger needs more PAM modules to make it work with different types of authentication and applications, so if you're looking for a FOSS project to support that would be a good one.
Carla Schroder is the author of the Linux Cookbook and the newly-released Linux Networking Cookbook, and is a regular contributor to LinuxPlanet.
This article was first published on LinuxPlanet.com.
Please enter your content here.