Fingerprint reader configuration & use on 13.1?

rjwilmsi · December 3, 2013, 1:53am

Hi

On opensuse 12.3 I could use the fingerprint reader on my ThinkPad X61T via the YaST module. Integration with KDE was not perfect: could use fingerprint only instead of password rather than fingerprint or password, but it did work and didn’t require me to do anything other than go through the YaST GUI. Now under opensuse 13.1 the YaST fingerprint module has been dropped.

In the meantime support for the Authentec AES2810 has been added, so I could be using the reader in my ThinkPad X200s as well.

However, having installed and tried to play with fingerprint-gui I find that I can enrol a fingerprint as root, but test mode doesn’t work, and I have no obvious way to enrol fingerprints for my local user, or have authentication for KDE login/sudo/su by fingerprint. In short, I’m missing the YaST module.

Has anybody come across a viable alternative to the YaST module for fingerprint setup on 13.1 (64-bit)?

Thanks

Romanator · December 3, 2013, 11:40pm

I would recommend reading about fprintd. fprint

Open Yast and add this hardware repository Index of /repositories/hardware/openSUSE_13.1
Install fprintd, libfprint and fingerprint-gui. I would install the fingerprint-gui package first to test it out.

fingerprint-gui - Tool for fingerprint enrollment and verification

Fingerprint GUI is a set of GUI tools for the use of fingerprint scanners on Linux systems. It enables the recording and checking of fingerprints of users and allows login and authentication of users by their fingerprint through its PAM module. An additional “fingerprintIdentifier” application can be used for customized (shell) scripts when users have to be identified or authenticated by their fingerprints.
The system is based on device drivers from the “libfprint” project.

| fprintd - D-Bus service for Fingerprint reader access
|
|

D-Bus service to access fingerprint readers.

A lot of people have been using it.

Romanator · December 12, 2013, 9:36pm

As a test install fprintd, libfprint and fprintd-pam. Here’s the link: software.opensuse.org: Search

I would also check Yast -->System–>Service Manager and make sure that the fingerprint service is enabled and active.
I’m not 100% sure about this feature but I always check.
Navigate to Security and Users–>User and Group Management for a fingerprint user group. If there is one add yourself to the user group.

Anon135 · December 19, 2013, 4:30am

The good news: I made fingerprint reader on my Lenovo X220 laptop work successfully. I proved that it is indeed possible to enable the fingerprint reader in openSUSE 13.1. It behaves exactly as it did in openSUSE 12.3. BTW - usinc the command line tool lsusb my fingerprint scanner is listed as:

Bus 001 Device 003: ID 147e:2016 Upek Biometric Touchchip/Touchstrip Fingerprint Sensor

This is the same fingerprint reader used in the stand-alone Upek Eikon reader model number TCRD4C (the silver unit), which also worked very well with openSUSE 13.1. The not so good news: I’m not completely sure of exactly what the solution is, due to my quite a bit of hacking about. I definitely installed some unnecessary software (fingerprint-gui), and probably did some actions that were not necessary. When I get everything sorted out so I know exactly what needs to be done in what order to enable the fingerprint reader in openSUSE 13.1, I will post instructions in the openSUSE forum.

Anon135 · December 19, 2013, 4:50am

The good news: I made the fingerprint reader in my Lenovo X220 laptop work successfully. I proved that it is indeed possible to enable the fingerprint reader in openSUSE 13.1 for 64-bit. It behaves exactly as it did in openSUSE 12.3. BTW - lsusb shows my fingerprint scanner listed as:

Bus 001 Device 003: ID **147e:2016** Upek Biometric Touchchip/Touchstrip Fingerprint Sensor

This is the same fingerprint reader used in the stand-alone Upek Eikon reader model number TCRD4C (the silver color unit), which also worked very well with openSUSE 12.3. The not so good news: I’m not completely sure of exactly what the solution is, due to my quite a bit of hacking about. I definitely installed some unnecessary software (fingerprint-gui), and probably did some actions that were not necessary. When I get everything sorted out so I know exactly what needs to be done in what order to enable the fingerprint reader in openSUSE 13.1, I will post instructions in the openSUSE forum.

joba1 · February 20, 2014, 8:26pm

I would definitely be interested in this!

I just broke fingerprint authentication on my laptop by upgrading from opensuse 12.2 to 13.1

Has someone found the info why this useful feature was removed?
I did not find anything except some reference to a fate#313128, whatever that may be :-/

joba1 · February 21, 2014, 6:52pm

I made it work on my notebook again. Maybe it helps someone if I describe what I did.

DISCLAIMER: Enabling fprint authentication is not secure. It is just a small step better than automatic login, so do not try to protect vital data with this.

Having said that, it seems the only missing links on my system were, that the stored fingerprints are now expected in a different location and enrolling was only allowed for root. Maybe the fingerprints are also stored in a different format now, I did not check with the old files, just enrolled again.

I made sure I have the necessary packages installed (they were already installed)

$ sudo zypper install libfprint0 pam_fprint
Daten des Repositories laden ...
Installierte Pakete lesen ...
'pam_fprint' ist bereits installiert.
Kein Aktualisierungskandidat für 'pam_fprint-0.2-12.1.2.x86_64'. Die neueste Version ist bereits installiert.
'libfprint0' ist bereits installiert.
Kein Aktualisierungskandidat für 'libfprint0-0.5.0-3.1.3.x86_64'. Die neueste Version ist bereits installiert.
Paketabhängigkeiten auflösen ...

Keine auszuführenden Aktionen.

Next I checked pam is configured to use fprint authentication (not sure this check is complete, it was already ok)

$ sudo pam-config --query --fprint
auth:

if the output is empty (not auth: ), then add module fprint to pam like this:

$ sudo pam-config --add --fprint

Now I enrolled a fingerprint for root

$ sudo pam_fprint_enroll

Switching to root (e.g. sudo) now asks for fingerprint, and only falls back to password if scan does not work.

Finally enrolled fingerprint for “normal” user

Problem is, the scan device is owned by root. Normal users cannot use it. We change that by creating an udev rule for it that gives write access to group users:

a) Find the vendor and product id of the scanner with lsusb. Mine is an Upek with vendor id 147e and product id 2016:


$ lsusb
Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c526 Logitech, Inc. Nano Receiver
Bus 001 Device 004: ID 147e:2016 Upek Biometric Touchchip/Touchstrip Fingerprint Sensor
Bus 001 Device 005: ID 0a5c:217f Broadcom Corp. BCM2045B (BDC-2.1)
Bus 001 Device 006: ID 17ef:480f Lenovo Integrated Webcam [R5U877]
Bus 002 Device 003: ID 05c6:9204 Qualcomm, Inc.

b) Add an udev rule file for this device (using your vendor and product id’s of course)

$ sudo echo 'SUBSYSTEM=="usb", ATTR{idVendor}=="147e", ATTR{idProduct}=="2016", MODE="0664", OWNER="root", GROUP="users"' >/etc/udev/rules.d/70-fprint.rules

c) Activate the rules

sudo udevadm control --reload-rules
sudo udevadm trigger

d) Now you should be able to call pam_fprint_enroll as normal user.

To log into a kde session on the login screen you can now enter your username, then hit Enter, click on OK button, then scan. If the scan does not recognize you, also enter the password before pressing Enter and then scan. This is clumsy (On windows you enter nothing, just scan), but I still like it.

joba1 · February 24, 2014, 3:30pm

Just noticed, gdm is much nicer for X session fingerprint authentication.
You see a list of users, select one, press enter and scan (no mouse required).
Enable it like this:

sudo zypper install gdm
sudo sed -i 's/^DISPLAYMANAGER=.*/DISPLAYMANAGER="gdm"/' /etc/sysconfig/displaymanager

If you want to try immediately (warning: this stops current X sessions without saving open documents!), execute as root:

telinit 3; telinit 5

carioca · March 9, 2014, 5:08pm

This has been a useful thread, though I still have not managed to get the fingerprint reader to work on a Thinkpad T500.

This is on a fresh installation of 13.1 64 bit and btrfs filesystem.
I have one problem and one question.

Question one when doing “pam_fprint_enroll” after an attempt to scan my finger it always comes back with an error -22 what is this telling me ?

When I tried to config pam it came back complaining that it could not find /lib/security/pam_fprint.so .
Now I had only installed the 64 bit versions of fprint and there was under /lib64/security/pam_fprint.so so why was it looking for the 32 bit version in /lib?
further looking at this and I realised that all the 32 bit and 64 bit pam libraries were installed yet the system seems to be using the 32 bit versions why is this? why have the 32 bit libraries been installed anyway?.

Installing the 32 bit fprint library and pam-config would now quite happily add fprint but still error -22 any thoughts?

Rgds

collinm · April 6, 2014, 1:16pm

carioca:

This has been a useful thread, though I still have not managed to get the fingerprint reader to work on a Thinkpad T500. :-(This is on a fresh installation of 13.1 64 bit and btrfs filesystem.I have one problem and one question.Question one when doing “pam_fprint_enroll” after an attempt to scan my finger it always comes back with an error -22 what is this telling me ?When I tried to config pam it came back complaining that it could not find /lib/security/pam_fprint.so .Now I had only installed the 64 bit versions of fprint and there was under /lib64/security/pam_fprint.so so why was it looking for the 32 bit version in /lib?further looking at this and I realised that all the 32 bit and 64 bit pam libraries were installed yet the system seems to be using the 32 bit versions why is this? why have the 32 bit libraries been installed anyway?.Installing the 32 bit fprint library and pam-config would now quite happily add fprint but still error -22 any thoughts?Rgds

what is the id of your reader?

check with lsusb

Anon135 · April 7, 2014, 5:30am

joba1:

I made it work on my notebook again. Maybe it helps someone if I describe what I did. DISCLAIMER: Enabling fprint authentication is not secure. It is just a small step better than automatic login, so do not try to protect vital data with this. Having said that, it seems the only missing links on my system were, that the stored fingerprints are now expected in a different location and enrolling was only allowed for root. Maybe the fingerprints are also stored in a different format now, I did not check with the old files, just enrolled again. 1) I made sure I have the necessary packages installed (they were already installed)
$ sudo zypper install libfprint0 pam_fprint Daten des Repositories laden ... Installierte Pakete lesen ... 'pam_fprint' ist bereits installiert. Kein Aktualisierungskandidat für 'pam_fprint-0.2-12.1.2.x86_64'. Die neueste Version ist bereits installiert. 'libfprint0' ist bereits installiert. Kein Aktualisierungskandidat für 'libfprint0-0.5.0-3.1.3.x86_64'. Die neueste Version ist bereits installiert. Paketabhängigkeiten auflösen ...  Keine auszuführenden Aktionen. 
Next I checked pam is configured to use fprint authentication (not sure this check is complete, it was already ok)
$ sudo pam-config --query --fprint auth: 
if the output is empty (not auth: ), then add module fprint to pam like this:
$ sudo pam-config --add --fprint 
Now I enrolled a fingerprint for root
$ sudo pam_fprint_enroll 
Switching to root (e.g. sudo) now asks for fingerprint, and only falls back to password if scan does not work. 4) Finally enrolled fingerprint for “normal” user Problem is, the scan device is owned by root. Normal users cannot use it. We change that by creating an udev rule for it that gives write access to group users: a) Find the vendor and product id of the scanner with lsusb. Mine is an Upek with vendor id 147e and product id 2016:
 $ lsusb Bus 001 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub Bus 002 Device 002: ID 8087:0020 Intel Corp. Integrated Rate Matching Hub Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 001 Device 003: ID 046d:c526 Logitech, Inc. Nano Receiver Bus 001 Device 004: ID 147e:2016 Upek Biometric Touchchip/Touchstrip Fingerprint Sensor Bus 001 Device 005: ID 0a5c:217f Broadcom Corp. BCM2045B (BDC-2.1) Bus 001 Device 006: ID 17ef:480f Lenovo Integrated Webcam [R5U877] Bus 002 Device 003: ID 05c6:9204 Qualcomm, Inc.  
b) Add an udev rule file for this device (using your vendor and product id’s of course)
$ sudo echo 'SUBSYSTEM=="usb", ATTR{idVendor}=="147e", ATTR{idProduct}=="2016", MODE="0664", OWNER="root", GROUP="users"' >/etc/udev/rules.d/70-fprint.rules 
c) Activate the rules
sudo udevadm control --reload-rules sudo udevadm trigger
d) Now you should be able to call pam_fprint_enroll as normal user. To log into a kde session on the login screen you can now enter your username, then hit Enter, click on OK button, then scan. If the scan does not recognize you, also enter the password before pressing Enter and then scan. This is clumsy (On windows you enter nothing, just scan), but I still like it.

Wow! That was an awesome post! Thank you very much for providing a very well written, detailed explanation! Your solution beat the snot out of my most inelegant hack.