Home Wiki > SDB:Using fingerprint authentication
Sign up | Login

SDB:Using fingerprint authentication

tagline: From openSUSE


This article highlights the configuration and usage of fingerprint reader on openSUSE

Background information

With the ThinkFinger driver, openSUSE supports the fingerprint reader by UPEK/SGS Thomson Microelectronics included with some IBM and Lenovo ThinkPads. The same fingerprint reader can also be found in other laptops and either as a stand-alone device or built into some USB keyboards. For more details, refer to http://thinkfinger.svn.sourceforge.net/viewvc/*checkout*/thinkfinger/README.in. If your system includes the fingerprint reader, you can use biometric authentication in addition to standard authentication via login and password. After registering their fingerprint, users can log in to the system either by swiping a finger on the fingerprint reader or by typing in a password.

If the hardware check detects the fingerprint reader integrated with your laptop (or connected to your system), the packages libthinkfinger, pam_thinkfinger, and yast2-fingerprint-reader are automatically installed.

Currently, only one fingerprint per user can be registered. The user's fingerprint data is stored to /etc/pam_thinkfinger/login.bir. To manage fingerprint authentication, either use YaST or the tf-tool command line tool which also offers additional options.


Supported applications and actions

The PAM module pam_thinkfinger supports user authentication by fingerprint for the following applications and actions (although you may not be prompted to swipe your finger in all cases):

  • Logging in to GDM or a login shell
  • Unlocking your screen on the GNOME desktop
  • Starting YaST and the YaST modules in the GNOME control center
  • Starting an application with root permission: sudo or gnomesu
  • Changing to a different user identity with su or su-username

Managing fingerprints with YaST

Procedure: Enabling fingerprint authentication

In order to allow biometric authentication for certain users, you need to generally enable fingerprint support in YaST first.

  • Start YaST and select Hardware+Fingerprint Reader or Miscellaneous+Fingerprint Reader.

Yast2-fingerprint-reader.png

  • In the configuration dialog, activate Use Fingerprint Reader and click Finish to save the changes and close the dialog.

Now you can register a fingerprint for various users.

Procedure: Registering a fingerprint

  • In YaST, click Security and Users+User Management to open the User and Group Administration dialog. A list of users or groups in the system is displayed.
  • Select the user for whom you want to register a fingerprint and click Edit.
  • On the Plug-Ins tab, select the fingerprint entry and click Launch to open the Fingerprint Configuration dialog.

Yast2-fingerprint-register.png

  • YaST prompts the user to swipe his finger until three readable fingerprints have been gathered.
  • After the fingerprint has been acquired successfully, click Accept to close the Fingerprint Configuration dialog and the dialog for the user.
  • If you also want to use fingerprint authentication for starting YaST or the YaST modules in the GNOME control center, you need to register a fingerprint for root, too. To do so, set the filter in the User and Group Administration dialog to System Users, select the root entry and register a fingerprint for root as described above.
  • After you have registered fingerprints for the desired users, click Finish to close the administration dialog and to save the changes.

As soon as the user's fingerprint has been successfully registered, the user can choose to authenticate with either fingerprint or password for the actions and applications listed above.

Currently, YaST does not offer verification or removal of fingerprints, but you can verify or remove fingerprints from the command line. Refer to the section [#Managing_fingerprints_with_tf-tool Managing Fingerprints with tf-tool] for more information.

With YaST, you can also import fingerprint files *.bir) already stored somewhere in your file system. Click Hardware+Fingerprint Reader or Miscellaneous+Fingerprint Reader and select or enter the Directory with fingerprint files. Click Finish to start the import. The fingerprint files are copied to /etc/pam_thinkfinger/login.bir., the default directory for the fingerprint files.

Troubleshooting: Cannot write PAM settings

To fix this error login as superuser and perform following

 cd /etc/pam.d
 mv common-auth common-auth-old
 ln -s common-auth-pc common-auth

Managing fingerprints with tf-tool

Procedure: Registering a fingerprint

  • Open a shell and log in as root.
  • To register a fingerprint for a certain user, enter
 tf-tool --add-user login

tf-tool prompts the user to swipe his finger until three readable fingerprints have been gathered.

  • If you also want to use fingerprint authentication for starting YaST or the YaST modules in the GNOME control center, you need to register a fingerprint for root, too.
  • Let the user swipe his finger. tf-tool compares the fingerprint to the print stored for this user and provides a message if the fingerprints match.

As soon as the user's fingerprint has been successfully registered, the user can choose to authenticate with either fingerprint or password for the actions and applications listed above.

Procedure: Verifying or removing a fingerprint

  • Open a shell and log in as root.
  • To verify an existing fingerprint for a certain user, run the following command:
 tf-tool --verify-user login
  • Let the user swipe his finger. tf-tool compares the fingerprint to the print stored for this user and provides a message if the fingerprints match.
  • To remove a user's fingerprint, delete the appropriate fingerprint file for this user with the following command:
shred /etc/pam_thinkfinger/login.bir

Procedure: Doing a test run

  • In a shell, run
 tf-tool --acquire
  • The fingerprint is temporarily stored as /tmp/test.bir
  • To verify the fingerprint, run
 tf-tool --verify

Further information

  • Find the project home page at http://thinkfinger.sourceforge.net/
  • For more technical details, refer to /usr/share/doc/packages/libthinkfinger/README in your installed system.
  • There are also man pages available for pam_thinkfinger and tf-tool.