Fedora 11 fingerprint auth

Authentication is an aspect of computing which many take for granted. "What's all the fuss?" you think. "Username, password and that's that." In the following Q&A session with Bastien Nocera, longtime Fedora contributor and Desktop Renaissance Man, we discover that when it comes to authentication, there is more than meets the finger!

With fingerprint and other biometric authentication options gaining popularity, it's time to get more creative regarding their use. Many laptops have had built-in fingerprint readers for upwards of two years now, and Fedora 11, thanks to Bastien and crew, does a solid job of making that option a viable one for Linux desktop users. How did we make this happen for Fedora 11? Will your Fedora laptop one day be able to authenticate you on the web using your finger? Will we ever get GNOME keyring to unlock using a fingerprint? What will Bastien work on next? All this and more if you keep reading below!

'''1. Can you please give us a quick self-introduction and how you got started in Fedora?'''

Hey, I'm Bastien Nocera, I work for Red Hat, and I've been a GNOME contributor for 10 years. I started using Fedora when I joined Red Hat in 2002, and I've been hooked since :)

'''2. For at least a couple of years now, many laptop models have had built-in fingerprint readers. They never seemed to work well under Linux, despite various bits and pieces of drivers being out there. Can you tell us more about how this feature came about in Fedora 11? [note: PAM is the pluggable authentication system used on Linux machines to authenticate users. D-Bus is a message bus system, a simple way for applications to talk to one another.]'''

I've had a Dell laptop with the omnipresent Thomson fingerprint reader for a couple of years, and I was looking at how I could use it, and make it work out-of-the-box in Fedora. At that time, as far as I remember, the only options were the proprietary Upek bits, and thinkfinger, which was a very PAM-specific solution.

Around that time, Daniel Drake mentioned that he was working on ‘libfprint’, a library to fold the support of different fingerprint readers, with different capabilities, into one supported API, for his BSc in Computer Science.

I got in at about that point. Daniel and I already had a pretty good idea on how we should architect support for the fingerprint readers, and Daniel wrote a first pass at the ‘fprintd’ D-Bus daemon to present it at his final year project presentation.

When Daniel presented his project, he put all his code up, and I started working on the D-Bus daemon, cleaning up the API, and implementing various front-ends on top of it.

'''3. In order to accomplish a lot of this, some significant modifications were necessary to other parts of the distro, i.e. D-Bus, PAM and authentication dialogs. Can you talk to us a little about what type of work needed to be done to get all the pieces to work together?'''

It was pretty fun getting to use some new technology. We fixed some bugs in ‘libfprint,’ re-did the public API, added developer documentation, added PolicyKit integration, added a PAM module, and wrote a nice UI for all that in the GNOME control-center.

We were pretty much done, and then Ray Strode added support to GDM to get multiple PAM stacks. This meant that the user could choose between logging in with a password, or using the fingerprint reader.

'''4. What are some of the issues that remain to be worked on, if any?'''

Most of the remaining problems fall slightly outside the scope of this project. ‘libusb1’ needs a bit of reworking to handle devices appearing and disappearing more gracefully. ‘libfprint’ needs bug fixes for existing drivers and more drivers (never-ending story). Finally, we need PAM to die die die (or add multiple PAM stacks support to more front-ends).

'''5. Where do you see the future of this going? Do you expect that we will one day down the line see encrypted filesystems which require biometric authentication to decrypt? How about extending this capability to authentication on the web?'''

Hehe. The architecture is there to support those, although security concerns will possibly override that. We're still thinking of ways to integrate LDAP authentication, and get the PAM module to unlock the GNOME keyring for us.

'''6. You are well known as a longtime and very involved Fedora contributor. What are some of the other projects you worked on for this release?'''

I worked on the (oh-so-controversial) volume control, updated Bluetooth management tools, and wrote/updated a driver for Wacom Bluetooth tablets.

But work has already started for Fedora 12. With Dan Williams, we already added Bluetooth PAN support to NetworkManager, and we're working on the front-end bits now. I'd like to do some more work on my old flames, Totem and Rhythmbox.

I also have a drawer full of Bluetooth devices that I need to work on. I'm half-way done adding Geolocation to Firefox, for Linux platforms, using GeoClue. Hopefully I'll be able to finish that and work on some more devices.

'''7. What are you going to do to celebrate the release of Fedora 11?'''

Probably raise my glass to it, and get cracking on Fedora 12!