[Thinkfinger-devel] Release: ThinkFinger 0.3

Discussion:

Timo Hoenig

2007-03-30 10:16:15 UTC

Hi,

It's been a while since the last release, but I'm pretty sure it was
worth waiting. ThinkFinger 0.3 is out!

Download (Tarball):
===================

* http://sf.net/project/showfiles.php?group_id=179573

Major changes (0.2.2 to 0.3):
=============================

* support for any device which is working with the binary driver
* avoid fingerprint device from heating up
* new debugging option '--enable-usb-debug' (see INSTALL)
* PAM debug support (see INSTALL)
* compatibility to biometric identification records of the
binary driver

For details please have a look at the complete ChangeLog:

* http://thinkfinger.svn.sf.net/viewvc/*checkout*/thinkfinger/ChangeLog?revision=108

Contributions
=============

Jose Plans <***@redhat.com>:
Debug support for PAM module, fix return value for the PAM
module, be more persistent when looking for uinput,
documentation.

Satoru SATOH <***@users.sourceforge.net>:
Avoid buffer overflow (sf.net tracker #1654013).

Stephan Berberig <***@arcor.de>:
HAVE_OLD_PAM: Drop requirement for '--with-securedir' if PAM is
disabled, fix documentation (typos).

Thanks
======

Everyone testing the SVN snapshots and reporting issues. Big thanks to
Evgeni Golov <***@die-welt.net> and Anton Bolshakov
<***@bolshakov.name> for testing the temperature issues.

Enjoy,

Timo

Sean McNamara

2007-03-30 14:54:14 UTC

Permalink

Post by Timo Hoenig
Hi,
It's been a while since the last release, but I'm pretty sure it was
worth waiting. ThinkFinger 0.3 is out!

*snip*

Thanks for the great progress, Timo and all! I've just installed
ThinkFinger 0.3 and rebooted, and here are the results of my tests. But
first, a list of my hw/sw configuration.

Hardware: ThinkPad X60 (Core 2 Duo 2.0ghz w/ 2gb RAM - otherwise the
same as any other X60)

Software:
openSUSE 10.2, Most packages from stable openSUSE 10.2 or security
patched from ftp.ale.org. Some packages taken from the development
version of openSUSE (factory), but NOT kde, NOT pam, NOT Xorg. I AM
using an experimental kernel - my kernel is 2.6.20-9-default i686, an
early build of the coming 10.3 kernel. Stability is overall very good
and weirdness is overall very low with this kernel.

Questions:
Heat coming off the UPEK device does seem to be a little less extreme
than it was before, but that could be because I'm running on battery
power right now :) Does this have the potential to increase my battery
life? How are you doing this? Is there a way to shut down the biometric
coprocessor using e.g. an ACPI call? Because I haven't found a way, but
would love to shut it down completely (as well as the entire USB
controller) when I am neither using the fingerprint reader nor the USB
and I want to conserve energy. My battery life on Linux is *half* of
that on Windows, and I'm not using a composited desktop, my LCD
brightness is at a minimum, and I got 802.11 power conservation and
"Powersave" CPU frequency scaling working. I can only assume the USB/Bio
coprocessor/fingerprint reader, generating all the heat they do, are
responsible for a substantial energy draw.

Tests of swiping finger and using password with various programs,
ThinkFinger 0.3 and PAM module (program name listed first):

login Password OK Thinkfinger OK

su Password OK Thinkfinger OK

gdm Password OK Thinkfinger OK

kdesktop_lock Password Broken Thinkfinger Broken. Explanation: I have to
drop to a console, login as root, and kill the process - it gives me an
error saying the authentication system is broken or something to that
effect (can post entire error message if desired). This app used to
permit password unlocking but has never worked with any build of
thinkfinger - now it's totally broken with 0.3.

kdesu Password OK Thinkfinger Broken. Explanation: When swiping my
finger it says "Incorrect password; try again." in a popup. It may be
that sending the return character is hitting the default OK button in
the dialog with an empty password (since the dialog does NOT say
"Password or swipe finger:" like other TF-compatible programs do).

kdm Password OK Thinkfinger Broken. Same crash as another user reported
with kdm, no need to belabor the point..

These are the only ones I've tested so far, but if there are any other
programs you'd like me to test against, please let me know!

P.S. - I will soon be trying a bold and perhaps foolish attempt to build
and use the latest KDE 4 pre-release. There's always the chance that
during their intensive development to port code to Qt4, they'll round
out their support for PAM.

Thanks,

Sean

Anton

2007-03-30 15:33:11 UTC

Permalink

I'll try to answer.
Here is my observations. Sorry for offtopic.

Post by Sean McNamara
power right now :) Does this have the potential to increase my battery
life? How are you doing this? Is there a way to shut down the biometric
coprocessor using e.g. an ACPI call? Because I haven't found a way, but
would love to shut it down completely (as well as the entire USB

fingerprint is normally off, overwise its getting hot.
Yes, you should shut down USB controller to save a battery life.
Make sure you have CONFIG_USB_SUSPEND=y (kernel 2.6.18 supports it too)
Note: you need special software to do actual suspend.
I think laptop-mode-tools can help.

Post by Sean McNamara
kdesktop_lock Password Broken Thinkfinger Broken. Explanation: I have to
drop to a console, login as root, and kill the process - it gives me an

it's a problem of KDE. kdesktop_lock passes result to command line kcheckpass.
So to make it work try the following:
1. Lock the screen
2. Leave the password field empty and press enter.
3. It will stop responding but you just go on and swap your finger.
4. KDE will be unlocked.

Post by Sean McNamara
error saying the authentication system is broken or something to that
kdesu Password OK Thinkfinger Broken. Explanation: When swiping my

it doesn't work for me either. It's the same problem as with kde lock.

Post by Sean McNamara
kdm Password OK Thinkfinger Broken. Same crash as another user reported
with kdm, no need to belabor the point..

kdm doesn't use kcheckpass and the problem is somewhere else.

Post by Sean McNamara
P.S. - I will soon be trying a bold and perhaps foolish attempt to build
and use the latest KDE 4 pre-release. There's always the chance that

I don't think kde4 will help because the bug
https://bugs.kde.org/show_bug.cgi?id=116682
is still opened.
I guess, the only way is make it work today is to find somebody's
unofficial patches if any.

Post by Sean McNamara
These are the only ones I've tested so far, but if there are any other
programs you'd like me to test against, please let me know!

The other programs should be 'fingerprint aware" and support pam to
work properly.
Let's make it happen ;)

Anton

Ian Redfern

2007-04-03 10:20:19 UTC

Permalink

I've just compiled and installed thinkfinger-0.3 on a ThinkPad X60
running Ubuntu Feisty.

I then changed /etc/pam.d/common-auth to read:

auth sufficient pam_thinkfinger.so
auth required pam_unix.so nullok_secure try_first_pass

Console login, gdm and sudo work with the fingerprint reader but hang if
a password is entered; in this state the fingerprint reader gets hot and
logins in another console or window are successful when the password is
used ("swipe finger" isn't offered, and pam_thinkfinger logs "Could not
claim USB device."). This used to work with 0.2.

Remote login via SSH using a password is no longer possible - swiping
the finger doesn't work, and entering a password hangs sshd. However,
once one sshd is hanging, subsequent SSH logins work OK, as above.

gnome-screensaver doesn't mention "or swipe finger" and ignores any
attempts to do so; ordinary passwords still work, and no pam_thinkfinger
log messages appear.

gksu doesn't put up a dialogue box, but waits for the finger to be
swiped then works as normal; there is no way to enter a password. This
is the same as 0.2.

/etc/pam.d/gnome-screensaver is unchanged and consists solely of the
line

@include common-auth

Am I doing something wrong?

Thanks,
Ian Redfern.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

Timo Hoenig

2007-04-03 10:42:13 UTC

Permalink

Hi Ian,

Post by Ian Redfern
I've just compiled and installed thinkfinger-0.3 on a ThinkPad X60
running Ubuntu Feisty.
auth sufficient pam_thinkfinger.so
auth required pam_unix.so nullok_secure try_first_pass
Console login, gdm and sudo work with the fingerprint reader but hang
if a password is entered; in this state the fingerprint reader gets
hot and logins in another console or window are successful when the
password is used ("swipe finger" isn't offered, and pam_thinkfinger
logs "Could not claim USB device."). This used to work with 0.2.

That's because pam_thinkfinger of the previous run still has claimed the
USB device. Can you please investigate why it hangs when you enter a
password?

Just add 'debug' to common-auth:

auth sufficient pam_thinkfinger.so debug

and login using the password and send the messages showing up
in /var/log/messages.

Post by Ian Redfern
Remote login via SSH using a password is no longer possible - swiping
the finger doesn't work, and entering a password hangs sshd. However,
once one sshd is hanging, subsequent SSH logins work OK, as above.

That should be the same as above: The first pam_thinkfinger instance
has claimed the USB device and the second run works as it is not able to
claim the USB device.

Post by Ian Redfern
gnome-screensaver doesn't mention "or swipe finger" and ignores any
attempts to do so; ordinary passwords still work, and no
pam_thinkfinger log messages appear.

g-s issue. It does not respect the pam_prompt message ("Password or
swipe finger").

Post by Ian Redfern
gksu doesn't put up a dialogue box, but waits for the finger to be
swiped then works as normal; there is no way to enter a password. This
is the same as 0.2.

Sorry, I have no experience with gksu.

Post by Ian Redfern
/etc/pam.d/gnome-screensaver is unchanged and consists solely of the
line
@include common-auth
Am I doing something wrong?

g-s is supposed to work with Jon's patches (see list archive).
Unfortunately I still didn't find to review them.

Timo

Ian Redfern

2007-04-03 12:12:07 UTC

Permalink

Hi Timo - looks like I had part of an old 0.2 release still hanging
around - apologies for the confusion. Having replaced it, I see:

login, gdm and sudo work fine with password or swipe finger.

sshd dies with a segfault after the password is entered. All the
debugging I get is:

Apr 3 12:43:23 betty ssh[19809]: pam_thinkfinger(ssh):
pam_sm_authenticate called.
Apr 3 12:43:23 betty ssh[19809]: pam_thinkfinger(ssh):
thinkfinger_thread called.

gnome-screensaver ignores pam_thinkfinger completely:

Apr 3 12:45:31 betty gnome-screensaver[20052]:
pam_thinkfinger(gnome-screensaver): pam_sm_authenticate called.
Apr 3 12:45:31 betty gnome-screensaver[20052]:
pam_thinkfinger(gnome-screensaver): Could not open
'/etc/pam_thinkfinger/redferni.bir': (Permission denied).
Apr 3 12:45:31 betty gnome-screensaver[20052]:
pam_thinkfinger(gnome-screensaver): User 'redferni' is unknown.
Apr 3 12:45:31 betty gnome-screensaver[20052]:
pam_thinkfinger(gnome-screensaver): pam_sm_authenticate returning '10':
User not known to the underlying authentication module.

If I change the file perms, I get:

Apr 3 13:06:41 betty gnome-screensaver[22358]:
pam_thinkfinger(gnome-screensaver): pam_sm_authenticate called.
Apr 3 13:06:41 betty gnome-screensaver[22358]:
pam_thinkfinger(gnome-screensaver): Initializing uinput failed: No such
file or directory.
Apr 3 13:06:41 betty gnome-screensaver[22358]:
pam_thinkfinger(gnome-screensaver): pam_sm_authenticate returning '9':
Authentication service cannot retrieve authentication info..

and in both cases I can still authenticate with a password.

gksu doesn't show its usual dialogue box, waits for a swipe, then a
newline is received by the currently focused window, and gksu hangs. If
it is sent a SIGTERM after swiping, the gksu'ed application launches
successfully.

Thanks,
Ian Redfern.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.