Many Business laptop models equipped with Fingerprint Sensor. Though it is not considered as good security system for a laptop login, still some specific applications utilize this feature for identification and authentication.
My Sony laptop VGN-CS15GN/B is having Upek Fingerprint sensor. In this case my OS is Fedora 13 64bit. By default Fedora supports Fingerprint login for some of the models of sensor, not all. My fingerprint is one such unsupported. Its Vendor ID is 147e and Product ID is 1000.
$ lsusb
. . . . . .Bus 003 Device 002: ID 147e:1000 Upek Biometric Touchchip/Touchstrip Fingerprint Sensor. . . . . .
$ dmesg
. . . . . .
usb 3-1: new full speed USB device using uhci_hcd and address 2
usb 3-1: New USB device found, idVendor=147e, idProduct=1000
usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 3-1: Product: Fingerprint Sensor
usb 3-1: Manufacturer: TouchStrip
. . . . . .
I am just testing whether my fingerprint sensor is supported out of box in Fedora.
$ fprintd-enroll
list_devices failed: No devices available
As I know it is not supported 
Let’s start our work now.
I read and understood that the libfprint project, the backend library and kernel module behind fingerprint sensors supports upek devices. But when I checked with upeksonly module code (one which supports UPEK Touchstrip sensor-only models), the supported device table does not list my model 147e:1000. Though it is not supported, I have read some where in intenet, that still it works as “Unknown device”. It is better to patch this module, so that other GUI applications which we are going to use will recognize this sensor without any hassles. This How-To explains the way to get GDM login using fingerprint.
Step-1: Here is the steps to get patched libfprint installed.
$ yum search libfprint
Loaded plugins: presto, refresh-packagekit
============================== Matched: libfprint ==============================
libfprint-devel.i686 : Development files for libfprint
libfprint-devel.x86_64 : Development files for libfprint
libfprint.i686 : Tool kit for fingerprint scanner
libfprint.x86_64 : Tool kit for fingerprint scanner
Now let’s install the dependencies to compile the libfprint.
# yum groupinstall ‘Development Tools’
# yum install kernel-devel libfprint-devel *libusb* *libcrypto* glib2-devel ImageMagick-devel
Download the libfprint from here.
$ tar jxvf libfprint-0.1.0-pre2.tar.bz2
$ cd libfprint-0.1.0-pre2
$ vi libfprint/drivers/upeksonly.c
Add “{ .vendor = 0x147e, .product = 0×1000 },” in the supported devices table declared as shown below.
. . . . . .
static const struct usb_id id_table[] = {
{ .vendor = 0x147e, .product = 0×2016 },
{ .vendor = 0x147e, .product = 0×1000 },
{ 0, 0, 0, },
};
. . . . .
$ ./configure
$ make
$ su -c ‘make install’
Step-2: Now let’s install fingerprint-GUI application.
Let’s install the dependencies first.
$ su -c ‘yum install libQt* libfake* libqca*’
Download the fingerprint-GUI application from here.
$ tar zxvf fingerprint-gui-0.14-x64.tar.gz
$ cd fingerprint-gui-0.14
$ su -c ‘./install.sh’
Password:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The following device was found on your system:
Bus 003 Device 002: ID 147e:1000 Upek Biometric Touchchip/Touchstrip Fingerprint Sensor.
A specific proprietary (non opensource) driver “libbsapi.so”
from UPEK Inc. (http://www.upek.com/) is available for this device.
To take full advantage of this device, the installation of this driver
is required. Do you want the install script to copy this driver to
“/usr/lib”? (Yes/no): Yes
Driver “libbsapi.so” was copied to “/usr/lib”.!!!WARNING!!!
A group named “plugdev” was not found in “/etc/group”.
Please create this group and make all desktop users to members of this group.
Refer to “Install-step-by-step.pdf” for more information.Fingerprint binaries have been installed.
Step-3: Create a group called “plugdev” and add your desktop user as member of this group. This can be done through System -> Administration -> Users and Groups. Refer the following screenshots for easier steps.
Reboot the system.
Step-4: Ensure that “uinput” module (for fingerprint PAM authentication) loaded.
$ lsmod | grep uinput
uinput 7230 0
Now it’s time to enroll our fingerprint and store. This can be done by System -> Preferences -> Fingerprint GUI. The below screenshots are self explanatory to enroll the fingerprint.
Now we have successfully saved fingerprint a desktop user. You may notice a hang or crash of fingerprint-GUI while testing PAM service in “Settings” tab as shown below.
Step-5: Before solving PAM issue, let’s confirm the working of fingerprint libraries through following command.
$ fingerprint-identifier
It should show a fingerprint animation asking you to swipe your finger to test it against the stored one. The below screenshots are self explanatory.
Since PAM authentication is not yet configured, the following command will fail (not recognizing the user) as shown in screenshot below.
$ su -c ‘fingerprint-plugin’
Step-6: At this stage, we have to configure out authentication mechanism to use fingerprint-GUI’s library instead of default one. This How-To is going to explain only GNOME GDM login screen. Apart from GDM, other authentication scenarios like console login, su, xscreensaver lock are also well explained in PDF document available here. This PDF is available in libfprint source directory also.
Removing the system installed fingerprint plugin for GDM.
$ su -c ‘yum remove gdm-plugin-fingerprint’
Disable fingerprint authentication in System -> Administration -> Authentications as shown below.
Next step is to edit the PAM authentication configuration files.
$ cd /etc/pam.d
$ su -c ‘cp system-auth-ac common-auth.fingerprint’
$ su -c ‘vi common-auth.fingerprint’
Add the following line as first line in common-auth.fingerprint
auth sufficient pam_fingerprint-gui.so debug
And also ensure that try_first_pass is passed as argument to pam_unix.so in this file.$ su -c ‘vi /etc/pam.d/gdm-password’
Change the line
auth substack password-auth
as
auth substack common-auth.fingerprint
Though the fingerprint-GUI document instructs to issue the following command to disable user browser in GDM screen, it causes login dialog to disappear. So I am skipping the following command!!!!!!
$ su -c ‘gconftool-2 –direct –config-source xml:readwrite:/etc/gconf/gconf.xml.defaults –type bool –set /apps/gdm/simple-greeter/disable_user_list true’
Reboot the system. GDM login does not show fingerprint swipe dialog. When I login as usual with password, I noticed security error alerts. I understood that SELinux does not permit fingerprint module to run during GDM login session. I am getting following security errors.
1. SELinux is preventing /usr/local/bin/fingerprint-helper “create” access to .config
2. SELinux is preventing /usr/libexec/gdm-session-worker “write” access on fingerprint-plugin
3. SELinux is preventing /usr/local/bin/fingerprint-helper ”write” access to fingerprint-plugin
The following is the way to put SELinux in permissive mode to get our job done. I understood that it is not a solution, but this is how I got it working. If some one can comment on how to do it neatly, I will be happy.
$ su -c ‘vi /etc/selinux/config’
Change the line
SELINUX=enforcing
as
SELINUX=permissive
Logout and to check out your GDM login screen. Since we are not able to disable user browser list, you have to select user to login. Then fingerprint swipe dialog displayed. Just swipe and login.
I request your comment and suggestion to improve this HOW-TO.
