kdm crashes with pam_thinkfinger

Version: (using KDE KDE 3.5.0)
Installed from: Unspecified Linux
OS: Linux

It would be nice to manage in a practical way the use of fingerprint reader with kdm.
Actually when Kdm ask for account name, I enter and then press (without typing the password) the login button, and pnly after I have to swipe my finger on my reader.
But I never see a message that ask me to swipe my finger. A bit annoying but that's my I report it as a wish.
What could be done :
when the user enter his name it's logic that he must press the login button,
but it would be cool to display a nice finger picture to tell the user to swipe his finger.
Windows does it wy KDE not.
So here are links to manage with fingerprint reader :
http://linux.spiney.org/debian_gnu_linux_on_an_ibm_thinkpad_t43p_fingerprint_reader
http://www.qrivy.net/~michael/blua/

Thanks for reading

kdm & kdesktop_lock provide a plugin interface that allows supporting (almost?) arbitrary authentication methods. it's pretty obvious that kdm simply can't provide a frontend for every pam module out there; they have to be shipped with the modules themselves. guess how it works on windows.

While I fully understand and agree that KDM cannot possible support every custom PAM module, I believe fingerprint authentication is so widespread and important that it deserves a certain amount of special treatment.

More and more computers are shipped with fingerprint readers, and logging in with username + fingerprint makes little sense as the fingerprint is both unique and secure, and as such, the KDM should from a usability point of view be able to identify and log the user in with one single swipe - no mouse or key clicked.

If for nothing else, consider it from a usability point of view.

Thanks.

*** This bug has been confirmed by popular vote. ***

*** Bug 145580 has been marked as a duplicate of this bug. ***

There is an active open source project: driver and pam authentication for these fingerprint readers (UPEK/SGS Thomson Microelectronics) here: http://thinkfinger.sourceforge.net/
A cooperation would be great.

Imho it should be possible to login with a fingerprint, but kdm should display a big fat warning ("Authentication via fingerprint only is insecure by design.")

I would also really like to see fingerprint *only* authentication in KDE. It's one of the features I will miss most when I move from Windows to Linux & KDE on my ThinkPad.

@Robert: Can you please justify your a bit harsh statement?

I don't really know if this is the right place to discusss it.

@Grzegorz: There are a lot of ways to cheat a fingerprint-scanner with stuff everybody has at home (plus graphit spray) in spite of 'life detection' is getting better. The German computer magazine c't has a (German) article about this in its actual edition (12 - http://www.heise.de/ct/ ). Of course the attacker needs your fingerprint, so it's a good idea not to use the right forefinger if you're right hander but for example the left ring finger (or a toe ;-) ).
   BUT
@Robert: A working reader is much better as a bad password. Besides all this I can access all the data on my computer with a normal Knoppix boot-CD if my harddisk isn't encrypted. So everybody has to choose himself.

I fully agree with the last comment.
For a large group of home users, the primary concern is not security, but convenience, and such users normally don't have classified information on their harddrives anyway. If so, having physical access to the computer (which you need for a finger print reader anyway ;) ) can always give root anyway.

My experience is that the vast majority of "home users" have separate accounts for the convenience of separating settings, documents, email and bookmarks from various family members, and as such greatly appreciate the simplicity of logging in with just the swipe of a finger.

In many cases the alternative is a password-less account or at best a very poor password.

I fully agree with the last comment and will add a new topic:

Unsecure environment: A working reader is much better as a strong password!!!

I prefer to keep my laptop with me at conferences or in public areas. Yes I will leave my fingerprints also there. But with the surveillance cameras or mobile vga cams it is very easy to record also my strongest passwords. So I prefer the finger print reader in these areas for login and unlocking. (But NOT for my PGP-passphras etc.)

Just wondering: Wouldn't you need to make sure that the kdm session is running at the console and not remotely? Or more genrerally: you'd have to make sure that the input device is belonging to the xserver that is handling the authentication. Otherwise someone else might just get authenticated at a remote display, waiting to log in(???)

I'm pretty sure because of the way PAM works and consequently the way thinkfinger is written, you'll have to select a username first. Fingerprint-only isn't something you'd do at the KDE level, you'd have to make changes to PAM.

I'd just like to click a user in KDM and swipe my finger for auth, and then get swipe support for KDE su. Those two things would accommodate the vast majority of my use.

One thing I would like to see is , u do not ask for the username ...u just ask for a finger swipe and decide upon the username after he swipes the finger.

I understand that this will make the sytem a bit unsecure because the login id can itself be a unknown thing to the person if he is trying to break.

But this would be a kool feature ...A user comes and swipes his finger to log in.

About just needing to swipe the finger to log in, i think one _must_ select a user first, for example i use 3 users (normal, testing, and devel)

to hector:

You have more than 3 fingers I suppose

Despite of the amount of finger the user could have, recognizing the username only by fingerprint is still a great (and even easier) idea and, if he has more than one username, this could then be the (only) time to make him to select which one he wants to use.
And if it's possible to associate more than one fingerprint to one username, making the username shared to more than one person (which, sometimes, is a regular user need - like somebody who share the desktop and files and all their stuff, and without fingerprint reader would normally share a password), this solution (of, after reading the fingerprint, to display only the usernames which have the same fingerprint associated, if the case - or if not, simply login, displaying no list) also solves it.

I really couldn't care less whether you need to select a username or not. I simply wish my fingerprint reader to function as intended (i.e., to allow me to log into my Thinkpad using it). Perhaps the username selection for fingerprint authentication could be a selectable option in kcontrol. In any event, this wishlist item is almost 2 years old, so will it ever be implemented?

Keep in mind that 2 years ago, fingerprint readers were far less common and, for the last year or so, getting the basic KDE 4 stuff working has been the main focus.

Besides, I'm (slowly) starting to learn C++ and Qt, so once KDE 4 comes out, I'll start making time to fix things I've voted for. Sooner or later, this WILL get done. It just may take a while.

Well, I much anticipate this feature being added, and I appreciate you work :)

Until then, however, it looks like I'll be using GDM :(

On 6 Sep 2007 23:27:20 -0000, Stephan Sokolow
<email address hidden> wrote:
[bugs.kde.org quoted mail]

Regardess of whether it is supported in KDE, has anyone created the PAM Module needed to auth a fingerprint against the local users to find a match?

Russ: http://thinkfinger.sourceforge.net/

I'm not sure, if I would like this authentication-without-username-selection feature. I have several accounts on my machine, too. Sure, you could use a different finger for each account, but this way, you have to remember what finger you assigned to which account and you could easily end up using the wrong finger by accident and login to the wrong account. This could be annoying.

Another problem would be, that you can't force users to use different fingers. What if a user assigned the same finger to several accounts, which account should be selected for login? Or would you like to prevent this scenario by the following error message during fingerprint registration: "This fingerprint is already used by a different user, please use another finger!" ;)

I have set my KDM to automatically pre-select the last user, so I think in 97% of the cases there is no need to explicitly select a user and just swipe your finger, because you're the last one who logged in and you want to use the same account again.

Yeah, this is what I meant.
Forcing the user to assign one finger to each account would hurt accessibility.
I think the best would be what I (and Jörg Hermsdorf) suggested: allow user to assign the same finger to several accounts and, on kdm, tell him to select or type an account name and password or just swipe a finger. Kdm would recognize the users assigned to that finger. If there's only 1, would just log him in. Having more than 1 account assigned to that finger, prompt the accounts to user to select the one he wants to use. Having none, display an error message about it.

I don't see a conflict between the two options (ask for a username or not when you swipe a finger). You can configure your kdm to behave either way. Just like I have the option to automatically log in a specific user, but I choose not to enable it.

ThinkFinger is already integrated with PAM.

On load, KDM should automatically select/enter the name of the previously used user name. The fingerprint reader should be used to authenticate that user. Other names could be selected from a list, then still authenticate with the fingerprint reader.

The KDE Wallet and Screensaver should both use the fingerprint reader to authenticate the current user.

You might think that, but it's not true based on my experience. In fact, letting KDM load at boot for me would often crash Thinkfinger's PAM in such a way that it wouldn't work for anything else after. KDE Wallet and Screensaver have never recognized any input from the reader, even if it was working to authenticate other things like sudo from a term.

There must be support for multiple fingers any of which can be used to authenticate a specific user (like windows btw). This allows a simple solution to deal with injury - like cut finger ... or bandaged hand etc.
Not sure if this is thinkfingers job or kdm or pam?

I'd have to say this is KDM's realm of responsibility. Thinkfinger exists now as a PAM module, and since KDM is supposed to support PAM for authentication, this is a bug in KDM.

I agree with Comment 28, however I also feel that Kdesktoplock also needs to support this feature. Since currently attempting to use it crashes kdesktoplock forcing users to kill the process, which if you have VT switching disabled, is kind of impossible.

I think that this is a bug in kdm since thinkfinger provides the pam module. Needs to be fixed ASAP. I do not like Gnome, and have always used KDE.

The initial comment :

"kdm & kdesktop_lock provide a plugin interface that allows supporting (almost?) arbitrary authentication methods. it's pretty obvious that kdm simply can't provide a frontend for every pam module out there; they have to be shipped with the modules themselves. guess how it works on windows."

was incredibly ignorant, and is designed to turn users away from KDE.

What needs fixing here is kdm, not thinkfinger.

Is this bug going ignored? Or is it just that the Devs don't give a Sh*t?

Either way, I'm considering switching to GDM so that Thinkfinger 0.3 doesn't crash it. (I'm stuck on Thinkfinger 0.2 which causes the reader to get warm because KDM crashes with 0.3)

Either way, I mainly use it for sudo inside Yakuake.

Does fprint work with other kde apps, say kdesu or kde screensaver?

Under Debian (Lenny + some Sid), I just installed libpam-fprint and fprint-demo. I then used fprint_demo to register my fingers (one is enough). I then altered /etc/pam.d/common-auth to contain just this now :

auth sufficient pam_fprint.so
auth required pam_unix.so nullok_secure

And now I can authenticate to KDE with my finger (kdesktop_lock works too). The tip is to press enter without a password. There are too much "Enter"s to do in my opinion, but it works.

Regards, OdyX

kdesu is bad. I suggest using KdeSudo, which uses sudo and works well with fprint:
http://www.kde-apps.org/content/show.php/KdeSudo?content=72106 Because it uses sudo, you can configure your /etc/sudoers :
"KDE's normal KdeSu doesn't deal correctly with sudo, and is only capable of authentication. It doesn't deal with sudo specific features like NOPASSWD and so on."

"Other kde apps" should work IF they work with pam...

As somebody said here, PAM takes care of authentification. thinkfinger wasnt stable, so it did not worked well with KDE. But fprint is more stable, so it does not crash KDM (or anything else). KDM does not have to support fingerprint auth., it just need to support PAM (which it does). It must be stable enough not to crash though.

As #61, there is too much "enter" to press. But this is an issue with PAM and its interaction with programs. It does work.

What could be done in KDM is maybe a better integration with fingerprint readers. For example, a message telling to press enter _without_ a password to authenticate with fingerprint...

yeah, combining fingerprint + username + password sounds good :) (see #54)
is anybody working on it nowadays? perhaps we could steal some code from the new, rewritten gdm?

Hmm still no progress here? For me the most annoying thing is that I have to kill the krunner_lock manually.

Hello, i'm going buy after new year Notebook with fingerprint reader. I hope in good support in KDM. Thanks :-) (I added few votes ;-) )

It does work well for me. I can login through KDM. Basically I select my username (or type it, or last selected), press login (or enter) without putting a password (leave it blank). Then fprint will ask you to swipe your finger and press ok.

Thats it ;)

Through what software stack, Nicolas?

You mean what to manage the finger print reader?

I'm using fprint:
http://reactivated.net/fprint/wiki/Main_Page
and its PAM module:
http://reactivated.net/fprint/wiki/Pam_fprint

Is that what you meant?

I hope it works with opensuse 11.1: https://bugzilla.novell.com/show_bug.cgi?id=441144

#66: How did you get pam_fprint to comfortably still offer passwords as an option? Whenever I tried, it'd show the fingerprint dialog even if you entered a password and, if I set it up for console, it'd only ask for a password if the fingerprint failed too many times. (I preferred the pam_thinkfinger-style prompt, but thinkfinger 0.2.x makes the scanner run hot, 0.3.x crashes KDM, and development on thinkfinger has ceased in favor of fprint)

Guys, this is not a forum, please stop discussing workarounds here.
The bug is open and some work need to be done.

are there any moves on torwards implementing this feature as in gdm and resolve this bug (wish request) ?

Some additional useful information can be found here:
http://fedoraproject.org/wiki/Features/Fingerprint

May I know the status of this bug?
Is there anyone who fixed it already ? any patches available ?

fwiw, this is closely related to bug 105631. read comment 24.

http://blog.djaara.net/wordpress/2009/
http://blog.djaara.net/wordpress/2009/04/30/fingerprint-login-in-kdm-video/

I filed bug 201628 a few days ago (before I saw this one). It is a wish request for Solid to add support for fingerprint devices. The bug I filed isn't specifically concerned with KDM, but rather with general support (to be used in e.g. kwallet). I'm not sure if it should be considered a dupe of this. Just letting y'all know...

There is some work to integrate fingerprint management module and kgreeter plugin.

See this:
http://lists-archives.org/kde-devel/22554-fingerprint-management-module-and-kgreeter-plugin.html

But I do not know if it will make it for kde 4.4 .

http://reactivated.net/fprint/wiki/Main_Page

Has already support for fingerprint scanning.. I was using it years ago..

It works using the PAM..

I think this should be closed as an issue here..

with opensuse 11.2 and kde 4.3.4 kdm seems to support fingerprint reader, but when I activate fingerprint scan for login in YaST the kdm login page looks weird. Is this a known bug?

(In reply to comment #80)
> with opensuse 11.2 and kde 4.3.4 kdm seems to support fingerprint reader, but
> when I activate fingerprint scan for login in YaST the kdm login page looks
> weird. Is this a known bug?

You are right. I tried in suse 11.2 and it works. Theme is corrupted, but this is suse problem I believe.
Does kdesu support fingerprints? Gnome su supports it.

I think kdesu "supports" is through su. su works with pam_fprint on my machine. But kdesu does not show anything if it is waiting for finger swipe, you need to guess the machine is waiting for the swipe...

+1 to having a single swipe that then asks which user you want only if that fingerprint is assigned to more than one. Usability, simplicity and flexibility all in one solution.

Ok i found this upstream project in kde svn,you might want to take a look at this
http://blog.djaara.net/wordpress/2009/10/16/kfingermanager-and-kdmfprintplugin-in-kde-svn/

This enhancement is much more critical than others... or even more than real bugs. Nowadays fingerprint readers are being a standard.

So impatient... this bug is less than 5 years old !

Does linux have enough PAM modules to have support for most finger print readers? Because if we don't, half compatability seems like a bad idea (half the people on IRC tells you it should work and the other half tells you that it never worked for them, and none of them have read the non-existant docs)

@87:

I suspect what most people want is support for libfprint and pam_fprint.
http://reactivated.net/fprint/wiki/Supported_devices

At the moment, their website claims they have a shortage of skilled developers to convert USB sniff logs into drivers, but it also claims that the last notable update was in 2008 and that libfprint is at v0.0.6.

Given that libfprint is at v0.3.0 and their mailing list seems reasonably healthy for a small project, I assume they've been forgetting to update at least parts of their website... which means even more devices than on that list may be supported. (eg. One recent conversation I saw via GMANE involved a developer soliciting testers for a new driver backend)

I think in modern days, PAM handling is done through libfprint which acts as a wrapper.

For those who care, there is a new release of libfprint

v0.3.0 is available at:
http://people.freedesktop.org/~hadess/libfprint-0.3.0.tar.bz2

2010-09-08: v0.3.0 release
 * Add support for UPEK TCS4C (USB ID 147e:1000)
 * Use NSS instead of OpenSSL for GPL compliance
 * upeksonly driver bug fixes
 * Fix a crash if a scan was shorter than 8 lines
 * Fix compilation with C++ compiler

Cheers

Who is leading the dev now hasn't updated or cannot update the project page.

(In reply to comment #90)
> For those who care, there is a new release of libfprint
>
> v0.3.0 is available at:
> http://people.freedesktop.org/~hadess/libfprint-0.3.0.tar.bz2
>
> 2010-09-08: v0.3.0 release
> * Add support for UPEK TCS4C (USB ID 147e:1000)
> * Use NSS instead of OpenSSL for GPL compliance
> * upeksonly driver bug fixes
> * Fix a crash if a scan was shorter than 8 lines
> * Fix compilation with C++ compiler
>
> Cheers
>
> Who is leading the dev now hasn't updated or cannot update the project page.

Those are great news for me (I have UPEK TCS4C). Anyway, are you referring to http://reactivated.net/fprint (last update on 4th of October 2009) ?

Yes,

Take a look at maillist

http://lists.reactivated.net/pipermail/fprint/

It is still an active project.

Soon (only one year) this bug report will have its 10 years birthday.

Fwiw, KDM was deprecated in favor of SDDM for the Plasma5/Frameworks era, so I think this can be closed now and/or moved to SDDM (which sadly is on github)

Based on comment #94, I have added this issue to the SDDM project on github.

For the record purposes and for others to follow, here's a link to the sddm issue:

https://github.com/sddm/sddm/issues/284

Cheers

Hope it can be fixed before its 10 years birthday.

KDM is now deprecated and in maintenance-only mode, there will be no new features added.

We've moved to SDDM as our primary and mainly supported login manager. See comment #96 for following the issue there.

+1 pls add fingerprint reader and login support as a default, integrated option on KDE!