T43 finger print reader problems

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

T43 finger print reader problems

Alastair McKinley
Hi everyone,

I am having a problem with my fingerprint reader, I was hoping someone
could help!

I am using FC 4, bioapi-1.2.2, pam_bioapi-0.2.1 and the UPEK driver
TFMESS_BSP_LIN_1.0beta2.

I followed the instructions here:
http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader

I had a few problems including the missing symbol rpl_malloc.  I removed
the term -Dmalloc=rpl_malloc from the pam_bioapi makefiles and added
-lpam to LIBS on advice of someone else.

Now when I type 'su' at the console, nothing special happens and the
normal password prompt appears.  However, when I hit return, the prompt
to swipe my fingerprint appears.  But in /var/log/messages, pam_unix has
already sent this message:

su(pam_unix)[5334]: authentication failure; logname= uid=500 euid=0
tty=pts/2 ruser=alastair rhost=  user=root

So even though my fingerprint is recognised, I cannot use it to
authenticate.

This is my /etc/pam.d/system-auth file, I havent edited common-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

# changes for fingerprint reader to work
auth       sufficient   pam_bioapi.so
{5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/

password   sufficient   pam_bioapi.so
{5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/

auth       required     pam_unix.so nullok_secure



Can anyone point me in the right direction?  

Thanks a lot!

Alastair


--
The linux-thinkpad mailing list home page is at:
http://mailman.linux-thinkpad.org/mailman/listinfo/linux-thinkpad
Reply | Threaded
Open this post in threaded view
|

Re: T43 finger print reader problems

Wolfgang Karall-2
On Tue, 2005-12-06 at 19:53 +0000, Alastair McKinley wrote:
> This is my /etc/pam.d/system-auth file, I havent edited common-auth:

I wouldn't put it in system-auth, since it seems to be the "fallback to
deny access" file in FC4. (not using Fedora I can't really tell, just
guessing from the supplied file)

Personally I wouldn't put it in common-auth either, instead put it just
in those configurations that you want to use with it, e.g. login, gdm or
similar, maybe su. OTOH it doesn't make sense for e.g. ssh, so putting
it into common-auth is not a good idea IMO.

> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        required      /lib/security/$ISA/pam_deny.so

> auth       sufficient   pam_bioapi.so
> {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/

> Can anyone point me in the right direction?  

PAM modules get called in the order supplied in the configuration, see
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-4.html

So you need to put the bioapi module more towards the start of the
auth-modules series.

Regards
WK
--
http://linux.spiney.org/debian_gnu_linux_on_an_ibm_thinkpad_t43p

--
The linux-thinkpad mailing list home page is at:
http://mailman.linux-thinkpad.org/mailman/listinfo/linux-thinkpad
Reply | Threaded
Open this post in threaded view
|

Re: T43 finger print reader problems

ammulder
In reply to this post by Alastair McKinley
Another question is, can you hit "enter" at the password prompt and
then just use the fingerprint to authenticate?

Aaron

On 12/6/05, Alastair McKinley <[hidden email]> wrote:

> Hi everyone,
>
> I am having a problem with my fingerprint reader, I was hoping someone
> could help!
>
> I am using FC 4, bioapi-1.2.2, pam_bioapi-0.2.1 and the UPEK driver
> TFMESS_BSP_LIN_1.0beta2.
>
> I followed the instructions here:
> http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader
>
> I had a few problems including the missing symbol rpl_malloc.  I removed
> the term -Dmalloc=rpl_malloc from the pam_bioapi makefiles and added
> -lpam to LIBS on advice of someone else.
>
> Now when I type 'su' at the console, nothing special happens and the
> normal password prompt appears.  However, when I hit return, the prompt
> to swipe my fingerprint appears.  But in /var/log/messages, pam_unix has
> already sent this message:
>
> su(pam_unix)[5334]: authentication failure; logname= uid=500 euid=0
> tty=pts/2 ruser=alastair rhost=  user=root
>
> So even though my fingerprint is recognised, I cannot use it to
> authenticate.
>
> This is my /etc/pam.d/system-auth file, I havent edited common-auth:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
> quiet
> account     required      /lib/security/$ISA/pam_permit.so
>
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok
> use_authtok md5 shadow
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
>
> # changes for fingerprint reader to work
> auth       sufficient   pam_bioapi.so
> {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
>
> password   sufficient   pam_bioapi.so
> {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
>
> auth       required     pam_unix.so nullok_secure
>
>
>
> Can anyone point me in the right direction?
>
> Thanks a lot!
>
> Alastair
>
>
> --
> The linux-thinkpad mailing list home page is at:
> http://mailman.linux-thinkpad.org/mailman/listinfo/linux-thinkpad
>
--
The linux-thinkpad mailing list home page is at:
http://mailman.linux-thinkpad.org/mailman/listinfo/linux-thinkpad
Reply | Threaded
Open this post in threaded view
|

Re: T43 finger print reader problems

Alastair McKinley
In reply to this post by Alastair McKinley
>Another question is, can you hit "enter" at the password prompt and
>then just use the fingerprint to authenticate?
>
>Aaron

Thanks for the quick reply Aaron,

Actually what happens when I press "enter" is the fingerprint reader GUI prompt appears and it recognises my fingerprint, but it does not authenticate me.

As soon as I press enter a message appears in /var/log/messages complaining that authentication has failed.

Best regards,

Alastair

--
The linux-thinkpad mailing list home page is at:
http://mailman.linux-thinkpad.org/mailman/listinfo/linux-thinkpad
Reply | Threaded
Open this post in threaded view
|

Re: T43 finger print reader problems

Wolfgang Karall-2
On Tue, 2005-12-06 at 21:13 +0000, Alastair McKinley wrote:
> Actually what happens when I press "enter" is the fingerprint reader
>  GUI prompt appears and it recognises my fingerprint, but it does not
>  authenticate me.
>
> As soon as I press enter a message appears in /var/log/messages
>  complaining that authentication has failed.

That's because the password prompt comes from pam_unix.so which is
'required' and called first in your configuration, and AFTER that the
bioapi module is called which tries to authenticate and even succeeds,
but since pam_unix.so is 'required' it doesn't matter any longer.

Change the ordering to call the bioapi first which is 'sufficient' for
the authentication to succeed, but if it fails it will fall back to the
'required' pam_unix.so module.

BTW, that and a lot more is explained in the PAM documentation at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html .
Somebody just needs to read it. ;)

Regards
WK
--
http://linux.spiney.org/debian_gnu_linux_on_an_ibm_thinkpad_t43p

--
The linux-thinkpad mailing list home page is at:
http://mailman.linux-thinkpad.org/mailman/listinfo/linux-thinkpad
Reply | Threaded
Open this post in threaded view
|

Re: T43 finger print reader problems

Alastair McKinley
In reply to this post by Alastair McKinley
>On Tue, 2005-12-06 at 21:13 +0000, Alastair McKinley wrote:
>> Actually what happens when I press "enter" is the fingerprint reader
>>  GUI prompt appears and it recognises my fingerprint, but it does not
>>  authenticate me.
>>
>> As soon as I press enter a message appears in /var/log/messages
>>  complaining that authentication has failed.

>That's because the password prompt comes from pam_unix.so which is
>'required' and called first in your configuration, and AFTER that the
>bioapi module is called which tries to authenticate and even succeeds,
>but since pam_unix.so is 'required' it doesn't matter any longer.
>
>Change the ordering to call the bioapi first which is 'sufficient' for
>the authentication to succeed, but if it fails it will fall back to the
>'required' pam_unix.so module.

>BTW, that and a lot more is explained in the PAM documentation at
>http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html .
>Somebody just needs to read it. ;)
>
>Regards
>WK

Thanks a lot Wolfgang, I think I've got it sorted!

Yes reading the PAM docs would be a good idea :)

Also I got a lot of info for setting up my hardware/suspend etc from your site, thanks for that!!

Best regards,

Alastair

--
The linux-thinkpad mailing list home page is at:
http://mailman.linux-thinkpad.org/mailman/listinfo/linux-thinkpad