(gutsy) lock screen doesn't support fingerprint readers driven by thinkfinger

GDM is the only Gnome app I'm aware of that properly uses fingerprint scanning. I use thinkfinger for GDM login, console login, sudo, etc but gnome-screensaver, gksudo, and other gnome apps don't work with it.

In fact, it breaks gksudo - https://bugs.launchpad.net/ubuntu/+source/gksu/+bug/86843

ogra@laptop:~$ ldd /usr/lib/gnome-screensaver/gnome-screensaver-dialog |grep pam
        libpam.so.0 => /lib/libpam.so.0 (0xb7b01000)

its like that since we package gnome-screensaver ... we link against libpam0g-dev ... probably recheck your pam changes ?

according to http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader_with_ThinkFinger#gnome-screensaver it is not just a libpam link problem. gnome-screensaver doesn't run as root and that's why thinkfinger doesn't work with it.

In the link above there is a workaround but I can't confirm it works. I tested it and gnome-screensaver won't unlock with my fingerprint. But I didn't check twice, i don't have that time. This is just a clue in case someone missed this link.

regards,
Olivier

If gnome-screensaver isn't root during authentication, then how does an ordinary password work? They are stored in a root readable file /etc/shadow. Whatever credential switching that is done in order for ordinary passwords to work could also be done for thinkfinger to work.

Never mind - found the answer. A setuid helper binary is used - http://linux.die.net/man/8/unix_chkpwd

This means that the "correct" solution for thinkfinger is to also have a helper binary that verifies
fingerprint only for the invoking user.

With thinkfinger packages 0.3+r118-0ubuntu1 on hardy, gnome screen saver now unlocks for me. Yay!

Reported as working on Hardy with updated thinkfinger packages. Thanks!

Either it's broken again or there was a configuration change. It's not working for me and i have the latest thinkfinger package. sudo, gdm works. gnome-screensaver isn't.

/etc/pam.d/common-auth:

auth sufficient pam_thinkfinger.so
auth required pam_unix.so try_first_pass nullok_secure

Nevermind. It works now. Thanks.

Brian,
What did you do to make gnome-screensaver work with thinkfinger. I just installed it and gdm and sudo work fine, but no gnome-screensaver unlock without using password

Thanks

Check permissions on your $HOME/.thinkfinger.bir file. Mine was owned by root and everything worked except gnome-screensaver. Changing ownership to me solved the problem. I had done the enrollment using 'sudo tf-tool --acquire' because it claimed that the USB device couldn't be claimed when run as me (a reboot seemed to make that go away).

You should be able to run (as your user) 'tf-tool --verify' to check your fingerprint and if that works then everything else should just work.

(Related topic) As a double bonus I had given up on thinkfinger with gutsy as the network manager insisted my keyring have a password so I was always forced to type in a password anyway. With Hardy that is no longer an issue.

Cool that is the answer what did it for me. Thanks a lot.

thinkfinger works with gnome-screensaver for me under Hardy, but has regressed with Intrepid. I do have:

  -rw------- 1 noel noel 182 2008-09-14 00:16 .thinkfinger.bir

in my home directory, and thinkfinger works with other programs as we'd expect (with the other known regression that one has to hit <cr> after entering the fingerprint).

It seems that the problem has two parts. The first is wrong owner of /dev/input/uinput: it should be root:plugdev instead of root:root

The second part of the problem can be seen after manually changing the owner:
     sudo chown root\:plugdev /dev/input/uinput

Now after locking the screen you should see 'Password or swipe finger: ' prompt in the unlock dialog but unlocking doesn't work. Swiping finger has no effect and after entering password the dialog hangs saying 'Checking...'. I didn't wait to see if it ever finishes and killed the gnome-screensaver process from console (login didn't offer to swipe finger, only password).

I tried reproduce the above with 'gnome-screensaver --debug --no-daemon &> gs.out' and attached the output. Also, I noticed that this is not always reproducible. Sometimes swiping works in the unlock dialog and it hangs only after n-th attempt to lock/unlock the screen.

Sorry, forgot to add that this is on Intrepid.

Adding

/etc/udev/rules.d/60-thinkfinger.rules
#
# udev rules file for the thinkfinger fingerprint scanner
#

# uinput device
KERNEL=="uinput", MODE="0660", GROUP="plugdev"

makes it work for me now. Consistently, so far. This is not required in Hardy (8.04.1).

Noel, obviously, this will only set correct owner/permissions. Did you try to reproduce the second part of the problem in Intrepid?

Timur,

I presume that you mean "after locking the screen you should see 'Password or swipe finger: ' prompt in the unlock dialog but unlocking doesn't work. Swiping finger
has no effect and after entering password the dialog hangs saying 'Checking...'."

I am not sure what was unclear about "makes it work for me now", but after changing the group membership of /dev/input/uinput to plugdev, I successfully unlock the screensaver dialog with thinkfinger. Yes, on Ubuntu 8.10 Intrepid.

Noel,

Thanks for the clarification. In my case even if it seems to work after changing owner, this happens only two or three times and the dialog hangs again after that. This is really weird.

It works for me consistently after applying the change of ownership (thank you, by the way). Are you current on updates (I am), and have you applied the thinkfinge code from the PPA (I have not, yet, since I haven't checked to see exactly what was changed).

$ dpkg -l | grep thinkfinger
ii libpam-thinkfinger 0.3+r118-0ubuntu3
ii libthinkfinger0 0.3+r118-0ubuntu3
ii thinkfinger-tools 0.3+r118-0ubuntu3

See also Bug 256429.

My system is up to date (at least I install everything that auto-updater reports) and I have the packages from Jon Oberheide's PPA suggested in the discussion of the 256429 bug:

$ dpkg -l | grep thinkfinger
ii libpam-thinkfinger 0.3+r118-0ubuntu4~ppa1
ii libthinkfinger0 0.3+r118-0ubuntu4~ppa1
ii thinkfinger-tools 0.3+r118-0ubuntu4~ppa1

I tried removing these and installing the packages from main repository, but the only thing that changes is the notorious extra carriage return. The unlock dialog still hangs in the vast majority of cases when I enter password or swipe finger. Anyway, thanks for your suggestion.

Also, I noticed that when I poke the screensaver, a line like this

 Nov 14 18:43:11 tizhbulatov kernel: [ 1483.142341] input: Virtual ThinkFinger Keyboard as /devices/virtual/input/input11

appears in /var/log/messages regardless the versions of packages. And the input$N is incremented every time. Seems like the kernel emits an event for a newly discovered input device which is somewhat suspicious.

Broken again for Intrepid and Jaunty. A udev rule appears to be one possible solution.

The fix described in https://bugs.launchpad.net/ubuntu/+source/thinkfinger/+bug/138957/comments/18, and included as an attachment here, fixes this for me in Jaunty as well as Intrepid.

What would it take to get that as a fix to be included in our thinkfinger distribution?

Doing 3 things fixed this for me.

1. Change the permissions on $HOME/.thinkfinger_bir so that it is owned by the user, not by root:

$ sudo chown pauljohn .thinkfinger.bir

2. Changing the permissions of the uinput device, which was root:root, and instead this is needed:

chown root\:plugdev /dev/input/uinput

3. Add the udev rule mentioned in previous message.

Those steps *did* fix the problem on my T61 Lenovo Thinkpad. Now the finger swipe will unlock me.

I'm using the 0.3+r118 thinkfinger packages from Jon Oberheide's repository:

$ dpkg -l | grep thinkf
ii libpam-thinkfinger 0.3+r118-0ubuntu4~ppa1 PAM module for the STMicroelectronics finger
ii libthinkfinger0 0.3+r118-0ubuntu4~ppa1 library for the STMicroelectronics fingerpri
ii thinkfinger-tools 0.3+r118-0ubuntu4~ppa1 utilities for the STMicroelectronics fingerp

PJ

I should add a 4th thing to do :

4. give /dev/input/uinput the right permissions for gnome-screensaver to work :

chmod g+w /dev/input/uinput

On my system, the udev rule didn't apply instantly, and I needed the chmod, else G-S never showed " or swipe finger" prompt and swiping didn't work.

Obviously a reboot makes 2. and 4. obsolete, but I didn't want to reboot.

Running latest Jaunty on Thinkpad X300 with thinkfinger 0.3+r118-0ubuntu4 (debdiff against 0.3+r118-0ubuntu3 coming from https://bugs.launchpad.net/ubuntu/+source/thinkfinger/+bug/311732) and no other modifications.

I did all the 3 steps (owner for .thinkfinger.bir, owner for uinput and udev rule) and it still doesn't unlock my screensaver. Any ideas?

hi,
I am using a thinkpad x300 with ubuntu jaunty.
thinkfinger is working great except for unlocking the screensaver.
I can't find the file .thingfinger.bir you are talking about.
I am new to linux. Can you explain me how to change permissions on home/.thinkfinger.bir ?
Thanks