Discussion:
[Thinkfinger-devel] Heads-up: ThinkFinger 0.2.3pre
Timo Hoenig
2007-02-13 19:52:10 UTC
Hi everyone,

First of all: This is *not* an official release.

I have pushed a pre-release tar ball of ThinkFinger 0.2.3 to [1]. It is
solely for testing purpose. Don't consume before breakfast :-)

The major change regarding PAM is, that I am now using uinput to
generate a synthetic carriage return after a swipe. This makes the
second thread (stalled in pam_prompt) hopefully return. It is no longer
required that this thread is being killed in an unkindly manner.

That change hopefully increases the compatibility of PAM applications.
And, it hopefully does not break applications which worked before.
Unfortunately I already have reports that this is the case :-/

Anyway. I'm asking anyone to give it a try and report back. I need
both, positive and negative feedback to get a good picture in which
direction we need to push developers of PAM applications which are not
yet ready for fingerprint authentication.

I haven't lost you yet? Thanks for the attention :-)

Timo


[1] http://nouse.net//thinkfinger-0.2.3pre.tar.gz
Luca Capello
2007-02-13 22:57:55 UTC
Hello!

I'm sorry, but I cannot test any ThinkFinger improvement for probably
the future 2/3 weeks, as per [1]. Thus I'll focus on the Debian
package ;-)
Post by Timo Hoenig
That change hopefully increases the compatibility of PAM
applications. And, it hopefully does not break applications which
worked before. Unfortunately I already have reports that this is
the case :-/
Could we setup a list of working/not-working applications somewhere?
Maybe something like NOTES or APPS, I don't know the best name...

Thx, bye,
Gismo / Luca

Footnotes:
[1] http://albatross.madduck.net/pipermail/debian-unizh/2007-February/000842.html
Timo Hoenig
2007-02-14 15:50:50 UTC
Hi Luca,
Post by Luca Capello
I'm sorry, but I cannot test any ThinkFinger improvement for probably
the future 2/3 weeks, as per [1]. Thus I'll focus on the Debian
package ;-)
Oh, that's a pain. I hope you get along without your 'baby' within the
next weeks ;-)
Post by Luca Capello
Could we setup a list of working/not-working applications somewhere?
Maybe something like NOTES or APPS, I don't know the best name...
Hm, I'm not entirely sure how we should deal with that. It does not
only depend on the application (and its version number) but also on the
distribution (and its version number) and the PAM configuration being
used...

Timo
Sean McNamara
2007-02-16 13:51:09 UTC
Post by Timo Hoenig
Hi everyone,
First of all: This is *not* an official release.
I have pushed a pre-release tar ball of ThinkFinger 0.2.3 to [1]. It is
solely for testing purpose. Don't consume before breakfast :-)
The major change regarding PAM is, that I am now using uinput to
generate a synthetic carriage return after a swipe. This makes the
second thread (stalled in pam_prompt) hopefully return. It is no longer
required that this thread is being killed in an unkindly manner.
That change hopefully increases the compatibility of PAM applications.
And, it hopefully does not break applications which worked before.
Unfortunately I already have reports that this is the case :-/
Anyway. I'm asking anyone to give it a try and report back. I need
both, positive and negative feedback to get a good picture in which
direction we need to push developers of PAM applications which are not
yet ready for fingerprint authentication.
I haven't lost you yet? Thanks for the attention :-)
Timo
[1] http://nouse.net//thinkfinger-0.2.3pre.tar.gz
Timo,

0.2.3-pre does not work at all for me. Where 0.2 works for gdm and su
and login, 0.2.3-pre works for nothing (that I've tested yet, anyway). I
am now testing on openSUSE 10.2 x86 because I was somewhat dissatisfied
with FC6. Same hardware as before (ThinkPad X60). Finger swipe and test
works fine; PAM module seems not to be doing anything. My
/etc/pam.d/common-auth is configured as recommended in the README.

Will continue to try and troubleshoot and look for a workaround.

Thanks,

Sean
Timo Hoenig
2007-02-16 13:54:08 UTC
Hi Sean,
Post by Sean McNamara
Timo,
0.2.3-pre does not work at all for me. Where 0.2 works for gdm and su
and login, 0.2.3-pre works for nothing (that I've tested yet, anyway). I
am now testing on openSUSE 10.2 x86 because I was somewhat dissatisfied
with FC6. Same hardware as before (ThinkPad X60). Finger swipe and test
works fine; PAM module seems not to be doing anything. My
/etc/pam.d/common-auth is configured as recommended in the README.
Do you get any errors in /var/log/messages?

Timo
Sean McNamara
2007-02-17 15:28:20 UTC
Hi Timo,
Post by Timo Hoenig
Hi Sean,
Post by Sean McNamara
Timo,
0.2.3-pre does not work at all for me. Where 0.2 works for gdm and su
and login, 0.2.3-pre works for nothing (that I've tested yet, anyway). I
am now testing on openSUSE 10.2 x86 because I was somewhat dissatisfied
with FC6. Same hardware as before (ThinkPad X60). Finger swipe and test
works fine; PAM module seems not to be doing anything. My
/etc/pam.d/common-auth is configured as recommended in the README.
Do you get any errors in /var/log/messages?
Timo
Sorry for the delay in responding to you. Yes, /var/log/messages was
extremely helpful. As it turns out, openSUSE's pam expects /lib/security to
be *the* folder housing pam modules. My difficulty boiled down to
pam_thinkfinger.so being in the wrong folder, so I mv'ed it. Doh!

Now su, login, and gdm (again, the fab three) work properly with swiping my
finger - but I still have yet to discover another app(let) which does work.
So, your changes have not *broken* anything here.

Thanks,

Sean
Evgeni Golov
2007-02-18 08:44:53 UTC
Post by Timo Hoenig
Post by Sean McNamara
0.2.3-pre does not work at all for me. Where 0.2 works for gdm and
su and login, 0.2.3-pre works for nothing (that I've tested yet,
anyway). I am now testing on openSUSE 10.2 x86 because I was
somewhat dissatisfied with FC6. Same hardware as before (ThinkPad
X60). Finger swipe and test works fine; PAM module seems not to be
doing anything. My /etc/pam.d/common-auth is configured as
recommended in the README.
Do you get any errors in /var/log/messages?
I don't know how, but I have the exactly same behavior on my Debian Sid
box and NOTHING in the logs :(
pam_thinkfinger is in /lib/security and works if it is version 0.2.2,
as far as I upgrade to 0.2.3pre no app asks me for my finger :(
It's pam 0.79-4 here, maybe you have a tip for me too?

Regards
Evgeni
--
^^^ | Evgeni -SargentD- Golov (***@die-welt.net)
d(O_o)b | GPG/PGP-Key-ID: 0xAC15B50C
-|-< | 0C04 F872 0963 ADC9 AA83 882B 24A0 1418 AC15 B50C
/ \ | http://www.die-welt.net - ***@jabber.ccc.de
Timo Hoenig
2007-02-21 08:51:22 UTC
Hi Evgeni,

Sorry for the lag.
Post by Evgeni Golov
I don't know how, but I have the exactly same behavior on my Debian Sid
box and NOTHING in the logs :(
pam_thinkfinger is in /lib/security and works if it is version 0.2.2,
as far as I upgrade to 0.2.3pre no app asks me for my finger :(
It's pam 0.79-4 here, maybe you have a tip for me too?
This pretty much sounds like a configuration issue if 'tf-tool' works
for you, but PAM does not (and you do not get anything in syslog).

Probably there is someone on the list who is more familiar with PAM on
Debian than I am.
Post by Evgeni Golov
Regards
Evgeni
Thanks,

Timo
Evgeni Golov
2007-02-21 11:46:07 UTC
Hi Timo, thinkfinger-list,
Post by Timo Hoenig
Post by Evgeni Golov
I don't know how, but I have the exactly same behavior on my Debian
Sid box and NOTHING in the logs :(
pam_thinkfinger is in /lib/security and works if it is version
0.2.2, as far as I upgrade to 0.2.3pre no app asks me for my
finger :( It's pam 0.79-4 here, maybe you have a tip for me too?
This pretty much sounds like a configuration issue if 'tf-tool' works
for you, but PAM does not (and you do not get anything in syslog).
Yes it does, but I don't understand why it should be one, because
exactly the same configuration works with 0.2.2
Post by Timo Hoenig
Probably there is someone on the list who is more familiar with PAM on
Debian than I am.
Maybe Luca has some ideas, when he has finished recovering his data.
--
^^^ | Evgeni -SargentD- Golov (***@die-welt.net)
d(O_o)b | GPG/PGP-Key-ID: 0xAC15B50C
-|-< | 0C04 F872 0963 ADC9 AA83 882B 24A0 1418 AC15 B50C
/ \ | http://www.die-welt.net - ***@jabber.ccc.de
Jose Plans
2007-02-21 11:57:22 UTC
Post by Evgeni Golov
Post by Evgeni Golov
0.2.2, as far as I upgrade to 0.2.3pre no app asks me for my
finger :( It's pam 0.79-4 here, maybe you have a tip for me too?
This pretty much sounds like a configuration issue if 'tf-tool' works
for you, but PAM does not (and you do not get anything in syslog).
Yes it does, but I don't understand why it should be one, because
exactly the same configuration works with 0.2.2
Post by Evgeni Golov
Probably there is someone on the list who is more familiar with PAM on
Debian than I am.
Maybe Luca has some ideas, when he has finished recovering his data.
Luca,

Could you rebuild on one of these hosts Pam with --enable-debug and
provide the console logs ? This will dump you quite a lot of debugs on
the console and syslog, once it's gathered, just reverse to the previous
deb. (I would assume dmesg -c; dmesg > log would be sufficient)
I have just subscribed to the list and didn't check much of this pam
module, but maybe Timo added a debug option ?

Thanks,

Jose
Evgeni Golov
2007-02-21 13:10:01 UTC
Post by Jose Plans
Could you rebuild on one of these hosts Pam with --enable-debug and
provide the console logs ? This will dump you quite a lot of debugs on
the console and syslog, once it's gathered, just reverse to the
previous deb.
Attached a log of 'su - username' produced by pam with --enable-debug,
it seems it finds the module but I'm not able to understand the rest.
Hope this helps someone who is more into pam.
--
^^^ | Evgeni -SargentD- Golov (***@die-welt.net)
d(O_o)b | GPG/PGP-Key-ID: 0xAC15B50C
-|-< | 0C04 F872 0963 ADC9 AA83 882B 24A0 1418 AC15 B50C
/ \ | http://www.die-welt.net - ***@jabber.ccc.de
Jose Plans
2007-02-21 14:02:25 UTC
Post by Evgeni Golov
Post by Jose Plans
Could you rebuild on one of these hosts Pam with --enable-debug and
provide the console logs ? This will dump you quite a lot of debugs on
the console and syslog, once it's gathered, just reverse to the
previous deb.
Attached a log of 'su - username' produced by pam with --enable-debug,
it seems it finds the module but I'm not able to understand the rest.
Hope this helps someone who is more into pam.
OK it doesn't seem to do much indeed. It is seen but it is not handled.
Can you get me your stack configuration ? I mean the one you use to
authenticate with the pam_thinkfinger.so definitions. (Not sure which
one is used by debian for authentication, but should be called login or
in FC/RHEL system-auth).

Thanks,

Jose
Evgeni Golov
2007-02-21 15:11:14 UTC
Post by Jose Plans
Can you get me your stack configuration ?
You mean the files in /etc/pam.d/?

gdm:
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 \
envfile=/etc/default/locale
@include common-auth
@include common-account
session required pam_limits.so
@include common-session
@include common-password

su:
auth sufficient pam_rootok.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 \
envfile=/etc/default/locale
session optional pam_mail.so nopen
@include common-auth
@include common-account
@include common-session

and common-auth which is included by the both above:
auth sufficient pam_thinkfinger.so
auth required pam_unix.so nullok_secure try_first_pass
--
^^^ | Evgeni -SargentD- Golov (***@die-welt.net)
d(O_o)b | GPG/PGP-Key-ID: 0xAC15B50C
-|-< | 0C04 F872 0963 ADC9 AA83 882B 24A0 1418 AC15 B50C
/ \ | http://www.die-welt.net - ***@jabber.ccc.de
Evgeni Golov
2007-02-25 19:13:39 UTC
On Wed, 21 Feb 2007 16:11:14 +0100 Evgeni Golov wrote:

[ 0.2.3 not working ]

I hate typos, had wrong birdir and didn't notice that.
Only after debug said:
pam_thinkfinger: user zhenech is unknown.
I checked it.

Damn and sorry for all ;)
--
^^^ | Evgeni -SargentD- Golov (***@die-welt.net)
d(O_o)b | GPG/PGP-Key-ID: 0xAC15B50C
-|-< | 0C04 F872 0963 ADC9 AA83 882B 24A0 1418 AC15 B50C
/ \ | http://www.die-welt.net - ***@jabber.ccc.de
Jose Plans
2007-02-25 19:16:19 UTC
Post by Evgeni Golov
[ 0.2.3 not working ]
I hate typos, had wrong birdir and didn't notice that.
pam_thinkfinger: user zhenech is unknown.
I checked it.
Damn and sorry for all ;)
Glad it works now Evgeni! :-)

Jose
Timo Hoenig
2007-02-27 10:35:45 UTC
Post by Evgeni Golov
I hate typos, had wrong birdir and didn't notice that.
pam_thinkfinger: user zhenech is unknown.
I checked it.
Typos are common mitsakes I'd say :-)
Post by Evgeni Golov
Damn and sorry for all ;)
No worries.

Timo
Timo Hoenig
2007-02-21 14:58:43 UTC
Hi Jose,
Post by Jose Plans
I have just subscribed to the list and didn't check much of this pam
module, but maybe Timo added a debug option ?
Yes, we definitely need that.

Especially if we stick to the uinput approach we now have quite a few
dependencies which might cause pam_thinkfinger to fail.

Thanks,

Timo
Jose Plans
2007-02-22 14:21:10 UTC
Post by Timo Hoenig
Hi Jose,
Post by Jose Plans
I have just subscribed to the list and didn't check much of this pam
module, but maybe Timo added a debug option ?
Yes, we definitely need that.
This could be a _draft_ start, seeing that the pam module itself is
quite simple (just pam_sm_authenticate).
Post by Timo Hoenig
Especially if we stick to the uinput approach we now have quite a few
dependencies which might cause pam_thinkfinger to fail.
Hum.. One idea could be to add for libthinkfinger '--enable-debug' so by
default it is silent, otherwise, if needed we could get more from the
device.

Jose
Timo Hoenig
2007-02-22 14:33:47 UTC
Post by Jose Plans
This could be a _draft_ start, seeing that the pam module itself is
quite simple (just pam_sm_authenticate).
There are enough pitfalls (uinput, USB communication not running with
the correct privileges and such) which might be easier debugged if the
PAM module is more verbose.
Post by Jose Plans
Hum.. One idea could be to add for libthinkfinger '--enable-debug' so by
default it is silent, otherwise, if needed we could get more from the
device.
Yes, if I am about to add something it will either be a compile time
option or something which reads an environment variable which is
respected by libthinkfinger.

Thanks,

Timo
Anton
2007-02-22 16:12:07 UTC
Post by Timo Hoenig
Post by Jose Plans
Hum.. One idea could be to add for libthinkfinger '--enable-debug' so by
Yes, if I am about to add something it will either be a compile time
talking about parameters... could you add more or less standard
parameter for PAM support, like --enable-pam (or --with-pam)
It would help to simplify ebuild writing under gentoo, for example.

As you might know the ebuild has been included to the gentoo's portage
yesterday and it currently fails to compile without pam support:

thinkfinger-0.2.2-r1.ebuild, line 24: Called econf '--disable-pam'
'--with-securedir=/lib/security'
ebuild.sh, line 577: Called die

I'm not sure if it's designed to compile without it at all, just my .5 cents.
thanks.
Timo Hoenig
2007-02-22 17:06:31 UTC
Post by Anton
talking about parameters... could you add more or less standard
parameter for PAM support, like --enable-pam (or --with-pam)
It would help to simplify ebuild writing under gentoo, for example.
As you might know the ebuild has been included to the gentoo's portage
thinkfinger-0.2.2-r1.ebuild, line 24: Called econf '--disable-pam'
'--with-securedir=/lib/security'
ebuild.sh, line 577: Called die
I'm not sure if it's designed to compile without it at all, just my .5 cents.
thanks.
I think it is sane to build the PAM module by default. Why doesn't
portage like the --disable-pam parameter?

Also, if you run './configure' with '--disable-pam' there is no need to
pass '--with-securedir'.

Timo
Anton
2007-02-23 00:58:46 UTC
Post by Timo Hoenig
I think it is sane to build the PAM module by default. Why doesn't
portage like the --disable-pam parameter?
Also, if you run './configure' with '--disable-pam' there is no need to
pass '--with-securedir'.
Apparently, that's the problem of thinkfinger.
Here is the output:
./configure --disable-pam
[skip]
checking whether to build the pluggable authentication module (PAM)... no
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for USB... yes
checking for doxygen... no

ThinkFinger 0.2.2
=================

+ prefix: /usr/local
+ libdir: /usr/local/lib
+ bindir: /usr/local/bin
+ sbindir: /usr/local/sbin
+ mandir: /usr/local/share/man

+ cflags: -g -O2 -Wall -fno-common -fPIC
-Wchar-subscripts -Wmissing-declarations -Wmissing-prototypes
-Wnested-externs -Wpointer-arith -Wcast-align -Wsign-compare
-Wdeclaration-after-statement
+ libusb: -lusb

configure: error: conditional "HAVE_OLD_PAM" was never defined.
Usually this means the macro was only invoked conditionally.

Can you have a look on it?..

Anton
Timo Hoenig
2007-02-23 10:20:09 UTC
Post by Anton
configure: error: conditional "HAVE_OLD_PAM" was never defined.
Usually this means the macro was only invoked conditionally.
Can you have a look on it?..
Stephan, Luca: May I pass this on to you? Otherwise it will take some
days until I will have time for that.

Thanks,

Timo
Luca Capello
2007-02-23 11:19:19 UTC
Hello!
Post by Timo Hoenig
Post by Anton
configure: error: conditional "HAVE_OLD_PAM" was never defined.
Usually this means the macro was only invoked conditionally.
Can you have a look on it?..
Stephan, Luca: May I pass this on to you? Otherwise it will take
some days until I will have time for that.
Sure, but be advised that I'm a bit busy until Sunday evening (real
life, sorry...) and so maybe Stephan will correct it before me ;-)

Thx, bye,
Gismo / Luca
Timo Hoenig
2007-02-23 11:27:52 UTC
Hey Luca,
Post by Luca Capello
Sure, but be advised that I'm a bit busy until Sunday evening (real
life, sorry...) and so maybe Stephan will correct it before me ;-)
No worries, we're everything but in a rush :-)

Timo
Stephan Berberig
2007-02-23 13:54:56 UTC
Hi,

attached the patch for that problem.

Best regards,
Stephan
Post by Timo Hoenig
Hey Luca,
Post by Luca Capello
Sure, but be advised that I'm a bit busy until Sunday evening (real
life, sorry...) and so maybe Stephan will correct it before me ;-)
No worries, we're everything but in a rush :-)
Timo
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Anton
2007-02-23 14:22:22 UTC
It didn't help for some reason.
./configure script fails with the same error:

+ cflags: -g -O2 -Wall -fno-common -fPIC
-Wchar-subscripts -Wmissing-declarations -Wmissing-prototypes
-Wnested-externs -Wpointer-arith -Wcast-align -Wsign-compare
-Wdeclaration-after-statement
+ libusb: -lusb

configure: error: conditional "HAVE_OLD_PAM" was never defined.
Usually this means the macro was only invoked conditionally.

Anton
Post by Stephan Berberig
Hi,
attached the patch for that problem.
Best regards,
Stephan
Post by Timo Hoenig
Hey Luca,
Post by Luca Capello
Sure, but be advised that I'm a bit busy until Sunday evening (real
life, sorry...) and so maybe Stephan will correct it before me ;-)
No worries, we're everything but in a rush :-)
Timo
_______________________________________________
Thinkfinger-devel mailing list
https://lists.sourceforge.net/lists/listinfo/thinkfinger-devel
Stephan Berberig
2007-02-23 14:26:03 UTC
Did you re-execute autogen.sh?
Post by Anton
It didn't help for some reason.
+ cflags: -g -O2 -Wall -fno-common -fPIC
-Wchar-subscripts -Wmissing-declarations -Wmissing-prototypes
-Wnested-externs -Wpointer-arith -Wcast-align -Wsign-compare
-Wdeclaration-after-statement
+ libusb: -lusb
configure: error: conditional "HAVE_OLD_PAM" was never defined.
Usually this means the macro was only invoked conditionally.
Anton
Post by Stephan Berberig
Hi,
attached the patch for that problem.
Best regards,
Stephan
Post by Timo Hoenig
Hey Luca,
Post by Luca Capello
Sure, but be advised that I'm a bit busy until Sunday evening (real
life, sorry...) and so maybe Stephan will correct it before me ;-)
No worries, we're everything but in a rush :-)
Timo
Anton Bolshakov
2007-02-23 14:32:47 UTC
No, I didn't, sorry

Just tried to check out svn version and apply the patch and
everything works fine.
Thanks.

Please submit it to svn.

Anton
Post by Stephan Berberig
Did you re-execute autogen.sh?
Post by Anton
It didn't help for some reason.
+ cflags: -g -O2 -Wall -fno-common -fPIC
-Wchar-subscripts -Wmissing-declarations -Wmissing-prototypes
-Wnested-externs -Wpointer-arith -Wcast-align -Wsign-compare
-Wdeclaration-after-statement
+ libusb: -lusb
configure: error: conditional "HAVE_OLD_PAM" was never defined.
Usually this means the macro was only invoked conditionally.
Anton
Post by Stephan Berberig
Hi,
attached the patch for that problem.
Best regards,
Stephan
Post by Timo Hoenig
Hey Luca,
Post by Luca Capello
Sure, but be advised that I'm a bit busy until Sunday evening (real
life, sorry...) and so maybe Stephan will correct it before me ;-)
No worries, we're everything but in a rush :-)
Timo
Timo Hoenig
2007-02-27 10:54:59 UTC
Hi Stephan,
Post by Stephan Berberig
attached the patch for that problem.
Looks good to me. Will apply that to SVN.

Thanks for taking care of that issue,

Timo

Jose Plans
2007-02-22 16:19:32 UTC
Hi Timo,
Post by Timo Hoenig
Post by Jose Plans
This could be a _draft_ start, seeing that the pam module itself is
quite simple (just pam_sm_authenticate).
There are enough pitfalls (uinput, USB communication not running with
the correct privileges and such) which might be easier debugged if the
PAM module is more verbose.
Well the idea was to get a "debug" parameter to the pam_thinkfinger.so
to follow what all other modules do. I do believe it should be added as
the first reaction people will have is to add 'debug' to it if things go
wrong as :

auth sufficient /lib/security/pam_thinkfinger.so debug

To be fair, that was my first reaction ;-) For the other caveats, yep
that should be done too in addition to "debug". I'm going to read
through and see what could be done if you agree. Also, do you have a
TODO list ? Is there any freenode channel to refer to ?
Post by Timo Hoenig
Post by Jose Plans
Hum.. One idea could be to add for libthinkfinger '--enable-debug' so by
default it is silent, otherwise, if needed we could get more from the
device.
Yes, if I am about to add something it will either be a compile time
option or something which reads an environment variable which is
respected by libthinkfinger.
totally agreed, the library should have its own debug build.

Jose
Jose Plans
2007-02-22 16:29:37 UTC
Post by Sean McNamara
Hi Timo,
Post by Timo Hoenig
Post by Jose Plans
This could be a _draft_ start, seeing that the pam module itself is
quite simple (just pam_sm_authenticate).
There are enough pitfalls (uinput, USB communication not running with
the correct privileges and such) which might be easier debugged if the
PAM module is more verbose.
Well the idea was to get a "debug" parameter to the pam_thinkfinger.so
to follow what all other modules do. I do believe it should be added as
the first reaction people will have is to add 'debug' to it if things go
auth sufficient /lib/security/pam_thinkfinger.so debug
Just to add that the successful log debug is :
//--
login: pam_unix(login:session): session closed for user jmp
login: pam_thinkfinger(login:auth): debug enabled.
login: pam_thinkfinger(login:auth): pam_sm_authenticated called.
login: pam_thinkfinger(login:auth): thinkfinger_thread() called.
login: pam_thinkfinger(login:auth): jmp authenticated (biometric
identification record matched)
login: pam_thinkfinger(login:auth): thinkfinger_thread() finished.
login: pam_thinkfinger(login:auth): pam_sm_authenticate returning 0
(success)
login: pam_unix(login:session): session opened for user jmp by
LOGIN(uid=0)
login: LOGIN ON tty4 BY jmp
login: pam_unix(login:session): session closed for user jmp
//--

And a failing one when I did by mistake set "use_first_pass" instead of
"try_first_pass" and allowed me to fix it:
//--
login: pam_thinkfinger(login:auth): debug enabled.
login: pam_thinkfinger(login:auth): pam_sm_authenticated called.
login: pam_thinkfinger(login:auth): user root is unknown.
login: pam_thinkfinger(login:auth): pam_sm_authenticate returning 10
(User not known to the underlying authentication module)
login: pam_unix(login:auth): auth could not identify password for [root]
login: FAILED LOGIN 3 FROM (null) FOR root, Authentication failure
//--
Timo Hoenig
2007-02-22 17:42:48 UTC
Post by Jose Plans
//--
login: pam_unix(login:session): session closed for user jmp
login: pam_thinkfinger(login:auth): debug enabled.
login: pam_thinkfinger(login:auth): pam_sm_authenticated called.
login: pam_thinkfinger(login:auth): thinkfinger_thread() called.
login: pam_thinkfinger(login:auth): jmp authenticated (biometric
identification record matched)
login: pam_thinkfinger(login:auth): thinkfinger_thread() finished.
login: pam_thinkfinger(login:auth): pam_sm_authenticate returning 0
(success)
login: pam_unix(login:session): session opened for user jmp by
LOGIN(uid=0)
login: LOGIN ON tty4 BY jmp
login: pam_unix(login:session): session closed for user jmp
//--
And a failing one when I did by mistake set "use_first_pass" instead of
//--
login: pam_thinkfinger(login:auth): debug enabled.
login: pam_thinkfinger(login:auth): pam_sm_authenticated called.
login: pam_thinkfinger(login:auth): user root is unknown.
login: pam_thinkfinger(login:auth): pam_sm_authenticate returning 10
(User not known to the underlying authentication module)
login: pam_unix(login:auth): auth could not identify password for [root]
login: FAILED LOGIN 3 FROM (null) FOR root, Authentication failure
//--
So you already have a patch lurking around? Pass it over :-)

Timo
Timo Hoenig
2007-02-22 17:12:03 UTC
Hi Jose,
Post by Jose Plans
Well the idea was to get a "debug" parameter to the pam_thinkfinger.so
to follow what all other modules do. I do believe it should be added as
the first reaction people will have is to add 'debug' to it if things go
auth sufficient /lib/security/pam_thinkfinger.so debug
To be fair, that was my first reaction ;-) For the other caveats, yep
that should be done too in addition to "debug". I'm going to read
through and see what could be done if you agree. Also, do you have a
TODO list ? Is there any freenode channel to refer to ?
So be it. The above proposal sounds very good.

There's no TODO list (yet). If some 'large' feature shows up which will
take time for implementation it makes sense to introduce such a list.
Something like 'add debug options for PAM module' does not sound worthy
enough for a TODO as it is just a small addition.

If you have patches, please pass them along. Otherwise I'll have a look
at it in the next weeks.

Thanks,

Timo
Timo Hoenig
2007-02-22 17:44:09 UTC
Post by Jose Plans
Is there any freenode channel to refer to ?
Sorry, I missed that before. There is no official channel, but the
ThinkFinger related things are usually discussed in #linuxbiometric .

Timo
Stephan Berberig
2007-02-22 18:10:01 UTC
Timo,

the IRC channel is #linuxbiometrics

You missed a "s". ;)

Best regards,
Stephan
Post by Timo Hoenig
Post by Jose Plans
Is there any freenode channel to refer to ?
Sorry, I missed that before. There is no official channel, but the
ThinkFinger related things are usually discussed in #linuxbiometric .
Timo
Timo Hoenig
2007-02-22 18:24:23 UTC
Permalink
Hey Stephan,
Post by Stephan Berberig
the IRC channel is #linuxbiometrics
OK. That's it. But that time it is irssi I want to blame -- not my
unacceptable lack of concentration :-)
Post by Stephan Berberig
You missed a "s". ;)
The following truncation asks for c'n'p errors...

[19:22][thoenig +i][6:#linuxbiometrics +ns][Act: 2,4,13,15]
[#linuxbiometric]


But I'm sure there is an irssi option somewhere :-)

Thanks!

Timo
Timo Hoenig
2007-02-22 17:48:36 UTC
Permalink
Post by Jose Plans
This could be a _draft_ start, seeing that the pam module itself is
quite simple (just pam_sm_authenticate).
And I even missed the patch attached to your mail. I'm still too amazed
about my new W880i to concentrate on ThinkFinger I suppose :-)

On a quick look the patch looks good to me.

Thanks,

Timo
Timo Hoenig
2007-02-22 18:09:23 UTC
Permalink
Hi Jose,
Post by Jose Plans
This could be a _draft_ start, seeing that the pam module itself is
quite simple (just pam_sm_authenticate).
One remark:

It would be good to have a function

static void pam_thinkfinger_log (const char *format, ...)

That function could check whether debug is set or not and then decide
depending on the result whether pam_syslog should be executed or not.

That will eliminate the repetitive checks within the rest of the code.

Additionally we could even add the log level to the list of parameters.

What do you think?

Thanks,

Timo
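Added example, not part of the thread or the ThinkFinger source: one way the proposed wrapper could look, with the log level as a parameter and the `debug` argument read from the pam.d line. The flag name `tf_debug`, the helper `pam_thinkfinger_parse_args`, the return value and the use of plain `syslog()` in place of `pam_syslog` (so the block builds without the PAM headers) are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical module-wide flag, set once from the pam.d arguments. */
static int tf_debug = 0;

/* Scan the arguments PAM hands to the module, e.g. for the line
 *   auth sufficient /lib/security/pam_thinkfinger.so debug */
static void pam_thinkfinger_parse_args(int argc, const char **argv)
{
    tf_debug = 0;
    for (int i = 0; i < argc; i++)
        if (argv[i] != NULL && strcmp(argv[i], "debug") == 0)
            tf_debug = 1;
}

/* Log one message; LOG_DEBUG is dropped unless "debug" was given.
 * Returns 1 if the message was handed to syslog, 0 if suppressed. */
#if defined(__GNUC__)
__attribute__((format(printf, 2, 3)))
#endif
static int pam_thinkfinger_log(int priority, const char *format, ...)
{
    char msg[256];
    va_list ap;

    if ((priority & LOG_PRIMASK) == LOG_DEBUG && !tf_debug)
        return 0;

    va_start(ap, format);
    vsnprintf(msg, sizeof msg, format, ap); /* truncates, never overflows */
    va_end(ap);

    /* Fixed "%s" format: text in msg is never re-read as a format string. */
    syslog(LOG_AUTHPRIV | (priority & LOG_PRIMASK), "pam_thinkfinger: %s", msg);
    return 1;
}

int main(void)
{
    const char *args[] = { "debug" };   /* constructed sample arguments */
    pam_thinkfinger_parse_args(1, args);
    pam_thinkfinger_log(LOG_DEBUG, "swipe result %d", 0);   /* emitted */
    pam_thinkfinger_parse_args(0, NULL);
    pam_thinkfinger_log(LOG_DEBUG, "swipe result %d", 0);   /* suppressed */
    return pam_thinkfinger_log(LOG_ERR, "device not found") ? 0 : 1;
}
```

Callers then log unconditionally and the wrapper decides, which removes the repeated `if (debug)` checks while errors still reach the auth log when `debug` is not set.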
Jose Plans
2007-02-22 18:14:32 UTC
Permalink
Post by Timo Hoenig
Hi Jose,
It would be good to have a function
static void pam_thinkfinger_log (const char *format, ...)
That function could check whether debug is set or not and then decide
depending on the result whether pam_syslog should be executed or not.
That will eliminate the repetitive checks within the rest of the code.
Additionally we could even add the log level to the list of parameters.
What do you think?
;-) I was adding that after reading the patch once sent. Do you mind if
I finish it and send it over? Or did you start one? (Don't mind!)

Jose
Timo Hoenig
2007-02-22 18:20:26 UTC
Permalink
Post by Jose Plans
;-) I was adding that after reading the patch once sent. Do you mind if
I finish it and send it over? Or did you start one? (Don't mind!)
Very well :) No, I haven't started. Take your time and pass it over
once you're happy with the result.

Also, we should make that option clear in the man page/documentation.

Thanks,

Timo
Jose Plans
2007-02-22 19:16:01 UTC
Permalink
Post by Timo Hoenig
Post by Jose Plans
;-) I was adding that after reading the patch once sent. Do you mind if
I finish it and send it over? Or did you start one? (Don't mind!)
Very well :) No, I haven't started. Take your time and pass it over
once you're happy with the result.
Also, we should make that option clear in the man page/documentation.
What about this one ? setting debug out of the struct sounds good to me
as then, if one day we learn about that scanner and therefore can pass
other options, or even for other enhancements, then we can remove the
volatile and use a struct pam_tf_config {} or something similar.

I've also changed the man page bits.

Jose
Timo Hoenig
2007-02-22 19:21:52 UTC
Permalink
Post by Jose Plans
What about this one ? setting debug out of the struct sounds good to me
as then, if one day we learn about that scanner and therefore can pass
other options, or even for other enhancements, then we can remove the
volatile and use a struct pam_tf_config {} or something similar.
I've also changed the man page bits.
Perfect, patch looks good to me. Thanks for that! I'll commit this
within the next days.

Timo
Luca Capello
2007-02-26 14:19:07 UTC
Permalink
Hello!
Post by Jose Plans
Post by Evgeni Golov
Post by Timo Hoenig
Probably there is someone on the list who is more familiar with
PAM on Debian than I am.
Maybe Luca has some ideas, when he has finished recovering his data.
Luca,
Could you rebuild on one of these hosts Pam with --enable-debug
and provide the console logs ? This will dump you quite a lot of
debugs on the console and syslog, once it's gathered, just reverse
to the previous deb. (I would assume dmesg -c; dmesg > log would be
sufficient)
Nothing about this specific problem (which if I've correctly
understood was a birdir typo and thus now solved), but in case you
expect a fast reply it's better to directly cc: me, please. I read
the list, but I'm always a bit behind and now even more because of my
X60 HD failure...

Thx, bye,
Gismo / Luca
Timo Hoenig
2007-02-21 14:56:08 UTC
Permalink
Post by Evgeni Golov
Yes it does, but I don't understand why it should be one, because
exactly the same configuration works with 0.2.2
Agreed, that is strange. To ease debugging of pam_thinkfinger I will
soon be adding some debug options. Sorry that I can not determine a
date for that though. The preparations for FOSDEM are still eating up
my time.

Timo