Discussion:
[Thinkfinger-devel] thinkfinger and KDM
Jérôme Lodewyck
2007-01-31 20:17:25 UTC
Permalink
Hi,

thanks to Luca's patch, I could successfully compile thinkfinger under dedian
etch (toshiba U200). Fingerprint authentication works from console and gdm,
but not from kdm. Has someone succeeded in this ?

Thanks,

Jérôme
Jérôme Lodewyck
2007-02-01 08:10:41 UTC
Permalink
Hi,
Hi Jérôme,
Post by Jérôme Lodewyck
thanks to Luca's patch, I could successfully compile thinkfinger under
dedian etch (toshiba U200). Fingerprint authentication works from console
and gdm, but not from kdm. Has someone succeeded in this ?
KDM seems not to be prepared for other PAM authentications than
passwords. Last time I took a look at KDM it passed both, username and
password to PAM at a time.
GDM first passes the username and then does the PAM conversation for the
password. Basically that is the same two way challenge as if you login
on a VT or run 'su - $USER'. In contrast to that, KDM uses one
challenge where it supplies both username and password.
By the way, is it really necessary for the user to input his/her identifier.
Souldn't the fingerprint be sufficient to identify a person ?
It would be possible to add some very ugly hack to ThinkFinger in order
to make it probably work without touching KDM. But, really, the outcome
would be a gross hack. A hack that nobody would want to have in a PAM
module.
It seems to me that kdm works with pam_bioapi. Do they use a "gross hack" for
this ?

Thanks,

Jérôme
Timo Hoenig
2007-02-01 08:19:32 UTC
Permalink
Post by Jérôme Lodewyck
By the way, is it really necessary for the user to input his/her identifier.
Souldn't the fingerprint be sufficient to identify a person ?
No.

The fingerprint reader is capable of identity matching (1:1). It is not
designed for identification matching (1:n).
Post by Jérôme Lodewyck
It seems to me that kdm works with pam_bioapi. Do they use a "gross hack" for
this ?
Does it accept password authentication and finger authentication at the
very same time?

Timo
Timo Hoenig
2007-02-01 08:13:15 UTC
Permalink
Hi Jérôme,
Post by Jérôme Lodewyck
thanks to Luca's patch, I could successfully compile thinkfinger under dedian
etch (toshiba U200). Fingerprint authentication works from console and gdm,
but not from kdm. Has someone succeeded in this ?
KDM seems not to be prepared for other PAM authentications than
passwords. Last time I took a look at KDM it passed both, username and
password to PAM at a time.

GDM first passes the username and then does the PAM conversation for the
password. Basically that is the same two way challenge as if you login
on a VT or run 'su - $USER'. In contrast to that, KDM uses one
challenge where it supplies both username and password.

It would be possible to add some very ugly hack to ThinkFinger in order
to make it probably work without touching KDM. But, really, the outcome
would be a gross hack. A hack that nobody would want to have in a PAM
module.

Thanks,

Timo
Michael Olbrich
2007-02-03 13:11:01 UTC
Permalink
Post by Timo Hoenig
Post by Jérôme Lodewyck
It seems to me that kdm works with pam_bioapi. Do they use a "gross hack" for
this ?
Does it accept password authentication and finger authentication at the
very same time?
No it does not. Each authentication method is executed separately. And
it is not the only pam module that works this way. pam_opie does as
well.
I'm not a pam expert but from what I see in /etc/pam.d/* it seems to be
possible to pass parameters to pam modules. Wouldn't a parameter for
this make sense?

michael

__________________________________________________________________________
Erweitern Sie FreeMail zu einem noch leistungsstärkeren E-Mail-Postfach!
Mehr Infos unter http://freemail.web.de/home/landingpad/?mc=021131
Loading...