Aaron,
Thanks for sharing your experiences with the non-free driver. Have you
tried to use your patched kdesu with ThinkFinger? If so, what are the
results? If not, I can readily test any patches you have against the
kdesu source with my own (working) ThinkFinger 0.2 on Fedora6 x86_64.
As Timo has said before, no one really wants to have to patch tons of
applications across tons of distros to be compatible with ThinkFinger. I
don't disagree, but it seems like individual app patches are necessary
in cases where authors have only partially implemented PAM
authentication (perhaps by assuming password authentication only). An
effort by ThinkFinger enthusiasts to get e.g. KDE developers to enhance
kdesu, kdm, etc. to support ThinkFinger may also benefit future
projects, for other fingerprint readers, that decide to use PAM
authentication. Since I'm pretty active in the KDE testing community,
I'll start this off by talking with some of the KDE core team about it.
I will try to look at one of the simplest examples of incomplete PAM
support (kdesu may be just the right app to look at) and isolate where
the code does this. Hopefully this will motivate their desire to enhance
these apps, either for 3.5 or KDE4 or both.
On an unrelated note, it would be nice (but likely introduce even more
problems) if pam_thinkfinger had graphical support similar to what is
offered in the non-free driver. Not sure if this is being worked on
right now. The 0.2 release seems to be "functional" in the sense that it
gets the job done at the low level; anything on top of this is just
icing on the cake.
Luca,
Yes, gdm, login, and su are the main ones I've tested and which work
flawlessly with pam_thinkfinger. I think I understand the issues at hand
here - but since I'm really more of a power user/tester/enthusiast than
a master of PAM, I'm not well-equipped to provide patches to development
teams that have released apps with incomplete PAM support. I guess all I
can do (and what I intend to do) is to be as specific as possible when
speaking with maintainers of e.g. the KDE apps that use PAM
authentication, in telling them what I'd like to see improved. Before
doing this I am going to spend a weekend trying to build the latest
development nightly of KDE4 to see if any work has already been done on
this. Presently I am not *that* concerned with getting other utilities
(e.g. Fedora's system administration stack) to support ThinkFinger... I
am just going to focus on KDE apps for now, since kdesu is one of the
most frequent prompts for my password that I encounter on a daily basis.
Thanks,
Sean
Post by Aaron MulderMy experience with the non-free driver is that even once you set up
PAM for it, it requires a nontrivial amount of tweaking to get
everything working "just right", KDE included. What I can recall of
- You probably don't want to enable it for *everything* (such as, the
SSH daemon)
- KDM did not show a graphical prompt at first, but if I hit "enter"
in the password field and then swiped, it worked
- kdesu appeared to hang when invoked originally -- I think it wasn't
showing a graphical prompt but expected input to one nevertheless --
no amount of swiping helped. After a *long* timeout it did something
else
- su and sudo from the command prompt had different behavior -- I
think one gave a text prompt and the other a graphical prompt (but
both prompts for finger swipes)
- logging in at a text console gave a text prompt for a finger swipe
- I fixed most of the KDE problems by applying a hack to save certain
X data to environment variables and making the PAM module aware of
that. That made KDE and kdesu give visible graphical prompts, but it
broke either sudo or su and kdesu prompted twice always
- With some more hacking with PAM parameters I got the sudo/su
working again after the KDE change
- There was still the issue that kdesu prompted twice always
(Speculating once for user and once for password? Or once to cache a
password and again when it found the password wasn't cached?). I also
suppressed that by commenting out a big chunk of kdesu code and
rebuilding it.
For what it's worth, in SuSE there's a "common-auth" PAM file that
pretty much everything else uses, and putting the settings in there is
the best way to get everything to *try* to use the fingerprint reader.
Then you can back it out of the places you specifically don't want
it.
Thanks,
Aaron
Post by Luca CapelloHello!
Post by Sean McNamaraSo, after my experiences so far with ThinkFinger... I have noticed that
a TON of applications, between Fedora and KDE, have this habit of asking
for "Password for root". This may be a different PAM API call that is
not being hooked up to thinkfinger (just my intuition). These are mostly
system administration utilities, which pop up and ask you for the root
http://i56.photobucket.com/albums/g162/allquixotic/laptop/kdesu.png
I'm not a KDE user, but isn't this just a frontend to su?
Post by Sean McNamaraI would like for utilities like this to be supported by ThinkFinger.
/me too.
Post by Sean McNamaraDo any of you know whether this is a limitation of ThinkFinger, or a
limitation of the utility?
As Timo said, I think this is a limitation of the utility, otherwise
all the others wouldn't work.
Post by Sean McNamaraWhat would be required for the utility to automatically enter the
[...]
Post by Sean McNamaraIt's obvious that PAM is being used differently, where gdm and a
shell both ask you for a username then a password, but the other
applications ask you for "Password for root"
Well, GDM and login (which is what I guess you're referring as shell)
deal with authenticating every user on the system, while most of the
others let you become root through su, usually.
Post by Sean McNamaraIs this a limitation of the apps I'm using, like Timo said?
As I already said, I think so.
I'd go for an application by application approach, which I'm sorry as
Timo I'm not going to deal with, as I don't really have the time.
Thx, bye,
Gismo / Luca
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Thinkfinger-devel mailing list
https://lists.sourceforge.net/lists/listinfo/thinkfinger-devel
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Thinkfinger-devel mailing list
https://lists.sourceforge.net/lists/listinfo/thinkfinger-devel
