PAM and screen (un)locking

big_gie · 2007-08-10 20:13:24

Hi,

I have set my UPEK fingerprint reader with pam using thinkfinger. Some things work like console login and su/sudo. After entering my login name, I get "Password or swipe finger:" which I do and it works.

I think KDM sucks for login via pam and fingerprints. So I tried Slim (http://slim.berlios.de/) and it works. My login name is pre-entered, I press enter, and swipe my finger to login.

diff etc/pam.d/login /etc/pam.d/login
1a2
> auth          sufficient      pam_thinkfinger.so
4c5
< auth          required        pam_unix.so nullok
---
> auth          required        pam_unix.so nullok try_first_pass

What I'd like now would be to lock my screen and unlock it. I tried xscreensaver but it doesn't seems to work... It's like xscreensaver isn't aware of the finger swaping.

diff etc/pam.d/xscreensaver /etc/pam.d/xscreensaver
1c1,2
< auth          required        pam_unix_auth.so
---
> auth            sufficient      pam_thinkfinger.so
> auth          required        pam_unix_auth.so try_first_pass

Doesn anyone have a clue? Or know another way to lock the screen and be able to unlock it wih pam?

Thanx!

big_gie · 2007-08-11 04:17:57

Ok after many try, I've been able to unlock xscreensaver with thinkfinger pam module!

First, xscreensaver -verbose gave me :

xscreensaver: 23:34:24: ungrabbing server.
xscreensaver: 23:34:28: input finished.
xscreensaver: 23:34:28: pam_authenticate (...) ==> 0 (Success)
xscreensaver: 23:34:28: pam_acct_mgmt (...) ==> 9 (Authentication service cannot retrieve authentication info.)
xscreensaver: 23:34:28: pam_setcred (...) ==> 0 (Success)
xscreensaver: 23:34:28: pam_end (...) ==> 0 (Success)
xscreensaver: 23:34:28: grabbing server...

which is not really helpful. I was able to unlock with password, but not with finger.

I also had this in my /var/log/auth.log :

Aug 10 23:18:30 dld830 xscreensaver[28946]: pam_thinkfinger(xscreensaver): pam_sm_authenticate called. Aug 10 23:18:30 dld830 xscreensaver[28946]: pam_thinkfinger(xscreensaver): Error: Could not claim USB device. Aug 10 23:18:30 dld830 xscreensaver[28946]: pam_thinkfinger(xscreensaver): pam_sm_authenticate returning '9': Authentication service cannot retrieve authentication info..

I then tryed to run xscreensaver via strace (strace xscreensaver -verbose &> xscreensaver.log) to see what it was doing. I then saw :

open("/dev/misc/uinput", O_WRONLY|O_NONBLOCK) = -1 EACCES (Permission denied)

Checking /dev/misc/uinput :

> ls /dev/misc/uinput
crw-rw---- 1 root root 10, 223 aoû 10 23:40 /dev/misc/uinput

not really helpful...

I checked /etc/udev/rules.d/udev.rules for uinput. 3 lines :

[...]
KERNEL=="uinput", NAME="misc/%k", SYMLINK+="%k"
[...]
SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664"
[...]
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664"

So I changed those lines so /dev/misc/uinput and /dev/bus/usb* would be writable. I have put wheel because I am already member of that group. Maybe anotherone would be better. Putting exactly the same rule in another file seemed to work. Can a udev hacker confirm that putting a new rule in another file will overwrite the other?

/etc/udev/rules.d/99my.rules

KERNEL=="uinput", NAME="misc/%k", SYMLINK+="%k", MODE="0660", GROUP="wheel"
SUBSYSTEM=="usb_device", ACTION=="add", PROGRAM="/bin/sh -c 'K=%k; K=$${K#usbdev};printf bus/usb/%%03i/%%03i $${K%%%%.*} $${K#*.}'", NAME="%c", MODE="0664", GROUP="wheel"
SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", NAME="bus/usb/$env{BUSNUM}/$env{DEVNUM}", MODE="0664", GROUP="wheel"

After that, running "strace xscreensaver" was ok, I was able to unlock with finger, but "xscreensaver" would not unlock! Why?! Because xscreensaver is setuid to root:

> ls /usr/bin/xscreensaver
-rwsr-sr-x 1 root root 217K aoû 2 20:47 /usr/bin/xscreensaver

After setting it normal:

> sudo chmod -s /usr/bin/xscreensaver
> ls /usr/bin/xscreensaver
-rwxr-xr-x 1 root root 217K aoû 2 20:47 /usr/bin/xscreensaver

Now I can unlock the xscreensaver screen with thinkfinger pam!
So the usage : Lock the screen, then move the mouse or press a key. The xscreensaver window appears, and now the message reads "Password or swipe finger :" Swipe your finger and the screen is unlocked! Wouhou!!

Mission accomplished!!!

Thanx to :
http://www.thinkwiki.org/wiki/Talk:How_ … int_reader

Last edited by big_gie (2007-08-11 04:18:49)

hst · 2007-10-14 01:36:09

humm.. how did you get it to work with slim? :o
dunno what i'm doing wrong, but i can't get it to work.

Last edited by hst (2007-10-14 01:36:35)

nightmorph · 2008-02-01 10:42:11

I haven't tried thinkfinger yet, as I'm using fprint. Though fprint reportedly works with GDM out-of-the-box, I'm using SLiM on my laptop, and fprint doesn't work with it. Kinda negates half the reason to use a fingerprint reader.

How did you get thinkfinger working with SLiM? This might help give some clues on how to get fprint working.

big_gie · 2008-02-01 13:03:00

Hum... Sorry I don't use it anymore. What I do now is I autologin with KDE, but on start I lock the session with xscreensaver-command -lock in ~/.kde/Autostart.
My laptop then boots completely, login into KDE, but keep it lock. Then I just have to unlock it to have a fully booted system.

As for slim... I think it was quite simple. You enter your name, then instead of the password, even if its not asking for something, just swipe your finger. I was surprised when it worked because it didn't ask for somehting....

Be sure also that it works. So pam should be well configured...

nightmorph · 2008-02-02 07:25:17

Yup, thinkfinger works out-of-the-box with SLiM. Too bad too; I was planning to keep using fprint in support of my fellow developer.

I made a quick comparison of the PAM code for thinkfinger & fprint, and they seem to be doing different things. I'll see about filing a bug upstream for a pam_fprint update to work with SLiM.

Arch Linux

#1 2007-08-10 20:13:24

PAM and screen (un)locking

#2 2007-08-11 04:17:57

Re: PAM and screen (un)locking

#3 2007-10-14 01:36:09

Re: PAM and screen (un)locking

#4 2008-02-01 10:42:11

Re: PAM and screen (un)locking

#5 2008-02-01 13:03:00

Re: PAM and screen (un)locking

#6 2008-02-02 07:25:17

Re: PAM and screen (un)locking

Board footer