From Fedora Project Wiki
< Features
(add mention of gdm-plugin-fingerprint) |
|||
| (49 intermediate revisions by 7 users not shown) | |||
| Line 1: | Line 1: | ||
= Fingerprint Readers = | = Fingerprint Readers = | ||
== Summary == | |||
The goal of the project is making fingerprint readers as easy as possible to use for secondary authentication. | |||
See the use cases in the [[Desktop/Whiteboards/FingerprintAuthentication|whiteboard]]. | |||
== Owner == | == Owner == | ||
* Name: | * Name: [[BastienNocera | Bastien Nocera]] | ||
== Current status == | == Current status == | ||
* Targeted release: [[Releases/ | * Targeted release: [[Releases/11 | Fedora 11]] | ||
* Last updated: | * Last updated: 2009-03-05 | ||
* Percentage of completion: | * Percentage of completion: 100% | ||
libusb1, and the required libfprint are available in rawhide (F-11). | |||
The | fprintd is in rawhide. It includes a pam plugin to not require a password for login. The [https://bugzilla.redhat.com/show_bug.cgi?id=469418 authconfig patch to add fingerprint reader authentication] is also in rawhide. | ||
Enrollment support is in gnome-about-me, available in the control-center package in rawhide. | |||
Fingerprints can be used for authentication in gdm and gnome-screensaver. | |||
If you log in with a fingerprint, gnome-keyring cannot unlock the login keyring (since it uses the login password for that). Therefore, gnome-keyring will ask for your password the first time a secret is needed in the session. | |||
Still to do: | |||
- Integrate with multiple pam stacks feature | |||
- Enable by default | |||
- Replace icons | |||
- Bug fixing | |||
== Detailed Description == | == Detailed Description == | ||
Currently, using Fingerprint readers is a bit of a pain, and installing/using [http://www.reactivated.net/fprint/ fprint] and its pam module take more time than should ever be necessary. | Currently, using Fingerprint readers is a bit of a pain, and installing/using [http://www.reactivated.net/fprint/ fprint] and its pam module take more time than should ever be necessary. The goal of this feature is to make it painless by providing all the required pieces in Fedora, together with nicely integrated configuration. | ||
== Benefit to Fedora == | == Benefit to Fedora == | ||
Better Out-of-the-box experience for systems with fingerprint readers. | Better Out-of-the-box experience for systems with fingerprint readers. | ||
Fedora will support one more piece of frequently found hardware. | |||
== Scope == | == Scope == | ||
| Line 38: | Line 44: | ||
Better integration would mean | Better integration would mean | ||
* Having a D-Bus service | * Having a D-Bus service for handling reading/using the fingerprint reader. | ||
* The PAM module | * The PAM module uses the VerifyStart method provided over D-Bus to authenticate users, and will be added to the default configuration. | ||
* gnome-about-me would use the | * gnome-about-me would use the EnrollStart method to write a new fingerprint data file for the specified user. | ||
* gnome-screensaver would be able to use finger scans to unlock the desktop | * gnome-screensaver would be able to use finger scans to unlock the desktop | ||
* Any other dialog presented to the user for authentication would be able to use finger scans | * Any other dialog presented to the user for authentication would be able to use finger scans, e.g PolicyKit | ||
* The create-user dialog in firstboot or its replacement could offer to enroll the new user | * The create-user dialog in firstboot or its replacement could offer to enroll the new user | ||
== | == How to test == | ||
* Person installs a laptop/desktop system with a fingerprint-reader that's supported by [http://www.reactivated.net/fprint/ fprint]. A good way to find information about your fingerprint reader is to scan the output of lshal for 'Fingerprint Reader'. | |||
* Person sets their fingerprint in gnome-about-me | |||
* Person can log in using their fingerprint, and the session behaves the same whether logged in with password or fingerprint. In particular, gnome-keyring-daemon is running in both cases | |||
* Person deletes their fingerprint in gnome-about-me | |||
* Person can no longer log in with their fingerprint | |||
* Another thing to test: turning fingerprint support off in authconfig prevents login with fingerprint, but keeps the fingerprint data, so that turning it back on doesn't force people to re-enroll. | |||
* To install the necessary packages to test this feature, on a stock Fedora 10 machine, run: | |||
yum -y --enablerepo=rawhide install fprintd-pam control-center authconfig gdm-plugin-fingerprint | |||
== Known issues == | |||
* Imaging devices can go crazy if EnrollStop is not called after straight after a successful enrollment. This is worked-around in fprintd. | |||
* Imaging devices will fail to read subsequent prints when enrolling and the 'enroll-retry-scan' status is encountered. This is a bug in libfprint. | |||
* authconfig support is currently disabled by default. In Fedora 11, it will be enabled by default: https://bugzilla.redhat.com/show_bug.cgi?id=481273 | |||
* fprintd currently has an ImageMagick dependency. See https://bugzilla.redhat.com/show_bug.cgi?id=472103 | |||
* gdm should ask for ''Swipe your finger '''or''' enter your password'' without a forced 30 second wait: https://bugzilla.redhat.com/show_bug.cgi?id=475810 | |||
* Using fingerprints in PolicyKit dialogs doesn't work: https://bugzilla.redhat.com/show_bug.cgi?id=475803 | |||
* The authentication dialogs should all behave similar wrt to fingerprints: gdm, gnome-screensaver, PolicyKit. | |||
== User Experience == | |||
[[Image:fingerprint-authconfig.png|Fingerprint support in authconfig-gtk]] | |||
[[Image:fingerprint-delete.png|Deleting existing fingerprints in gnome-about-me]] | |||
[[Image:fingerprint-enrollment-step1.png|Fingerprint enrollment wizard]] | |||
[[Image:fingerprint-enrollment-step2.png|Fingerprint enrollment wizard, step 2]] | |||
[[Image:fingerprint-enrollment-step3.png|Fingerprint enrollment wizard, step 3]] | |||
[[Image:fingerprint-enrollment-step4.png|Fingerprint enrollment wizard, step 4]] | |||
== Dependencies == | == Dependencies == | ||
* | * libfprint and libusb1 | ||
* | * [https://bugzilla.redhat.com/show_bug.cgi?id=469418 authconfig support] | ||
* fprintd with pam module | |||
== Contingency Plan == | == Contingency Plan == | ||
Don't install the packages by default. If fprintd is not installed, authconfig and gnome-about-me will not show their fingerprint-related UI. | |||
== Documentation == | |||
* [http://wiki.debian.org/FingerForce Debian's fingerprint integration wiki] | |||
* [https://wiki.ubuntu.com/FingerprintAuthentication Ubuntu's fingerprint integration wiki] | |||
* [http://www.reactivated.net/fprint/ the fprint library] | |||
* [http://www.reactivated.net/fprint/wiki/Supported_devices supported fingerprint readers] | |||
== Release Notes == | == Release Notes == | ||
''' | Fedora 11 supports authentication using fingerprint readers. Before you can log in using your fingerprint, | ||
you need to enable fingerprint authentication in authconfig (''System → Administration → Authentication'') | |||
and enroll your fingerprint in gnome-about-me (''System → Preferences → Personal → About Me''). For a list | |||
of supported fingerprint readers, see http://www.reactivated.net/fprint/wiki/Supported_devices. | |||
== Discussion == | For upgrades from older versions of Fedora, and if pam_fprint was installed, the package itself as well as the changes to PAM configuration should be removed (unless major changes were done to the files, running authconfig as mentioned above will clear the previous changes). Note that you will need to install the gdm-plugin-fingerprint package as well. | ||
== Comments and Discussion == | |||
See [[Talk:Features/Fingerprint]] | |||
---- | ---- | ||
[[Category: | |||
[[Category:FeatureAcceptedF11]] | |||
Revision as of 15:00, 31 July 2009
Fingerprint Readers
Summary
The goal of the project is making fingerprint readers as easy as possible to use for secondary authentication.
See the use cases in the whiteboard.
Owner
- Name: Bastien Nocera
Current status
- Targeted release: Fedora 11
- Last updated: 2009-03-05
- Percentage of completion: 100%
libusb1, and the required libfprint are available in rawhide (F-11).
fprintd is in rawhide. It includes a pam plugin to not require a password for login. The authconfig patch to add fingerprint reader authentication is also in rawhide.
Enrollment support is in gnome-about-me, available in the control-center package in rawhide.
Fingerprints can be used for authentication in gdm and gnome-screensaver.
If you log in with a fingerprint, gnome-keyring cannot unlock the login keyring (since it uses the login password for that). Therefore, gnome-keyring will ask for your password the first time a secret is needed in the session.
Still to do: - Integrate with multiple pam stacks feature - Enable by default - Replace icons - Bug fixing
Detailed Description
Currently, using Fingerprint readers is a bit of a pain, and installing/using fprint and its pam module take more time than should ever be necessary. The goal of this feature is to make it painless by providing all the required pieces in Fedora, together with nicely integrated configuration.
Benefit to Fedora
Better Out-of-the-box experience for systems with fingerprint readers. Fedora will support one more piece of frequently found hardware.
Scope
Better integration would mean
- Having a D-Bus service for handling reading/using the fingerprint reader.
- The PAM module uses the VerifyStart method provided over D-Bus to authenticate users, and will be added to the default configuration.
- gnome-about-me would use the EnrollStart method to write a new fingerprint data file for the specified user.
- gnome-screensaver would be able to use finger scans to unlock the desktop
- Any other dialog presented to the user for authentication would be able to use finger scans, e.g PolicyKit
- The create-user dialog in firstboot or its replacement could offer to enroll the new user
How to test
- Person installs a laptop/desktop system with a fingerprint-reader that's supported by fprint. A good way to find information about your fingerprint reader is to scan the output of lshal for 'Fingerprint Reader'.
- Person sets their fingerprint in gnome-about-me
- Person can log in using their fingerprint, and the session behaves the same whether logged in with password or fingerprint. In particular, gnome-keyring-daemon is running in both cases
- Person deletes their fingerprint in gnome-about-me
- Person can no longer log in with their fingerprint
- Another thing to test: turning fingerprint support off in authconfig prevents login with fingerprint, but keeps the fingerprint data, so that turning it back on doesn't force people to re-enroll.
- To install the necessary packages to test this feature, on a stock Fedora 10 machine, run:
yum -y --enablerepo=rawhide install fprintd-pam control-center authconfig gdm-plugin-fingerprint
Known issues
- Imaging devices can go crazy if EnrollStop is not called after straight after a successful enrollment. This is worked-around in fprintd.
- Imaging devices will fail to read subsequent prints when enrolling and the 'enroll-retry-scan' status is encountered. This is a bug in libfprint.
- authconfig support is currently disabled by default. In Fedora 11, it will be enabled by default: https://bugzilla.redhat.com/show_bug.cgi?id=481273
- fprintd currently has an ImageMagick dependency. See https://bugzilla.redhat.com/show_bug.cgi?id=472103
- gdm should ask for Swipe your finger or enter your password without a forced 30 second wait: https://bugzilla.redhat.com/show_bug.cgi?id=475810
- Using fingerprints in PolicyKit dialogs doesn't work: https://bugzilla.redhat.com/show_bug.cgi?id=475803
- The authentication dialogs should all behave similar wrt to fingerprints: gdm, gnome-screensaver, PolicyKit.
User Experience
Dependencies
- libfprint and libusb1
- authconfig support
- fprintd with pam module
Contingency Plan
Don't install the packages by default. If fprintd is not installed, authconfig and gnome-about-me will not show their fingerprint-related UI.
Documentation
- Debian's fingerprint integration wiki
- Ubuntu's fingerprint integration wiki
- the fprint library
- supported fingerprint readers
Release Notes
Fedora 11 supports authentication using fingerprint readers. Before you can log in using your fingerprint, you need to enable fingerprint authentication in authconfig (System → Administration → Authentication) and enroll your fingerprint in gnome-about-me (System → Preferences → Personal → About Me). For a list of supported fingerprint readers, see http://www.reactivated.net/fprint/wiki/Supported_devices.
For upgrades from older versions of Fedora, and if pam_fprint was installed, the package itself as well as the changes to PAM configuration should be removed (unless major changes were done to the files, running authconfig as mentioned above will clear the previous changes). Note that you will need to install the gdm-plugin-fingerprint package as well.