The goal of the project is making fingerprint readers as easy as possible to use for secondary authentication.
See the use cases in the whiteboard.
- Name: Bastien Nocera
- Targeted release: Fedora 11
- Last updated: 2008-12-08
- Percentage of completion: 95%
libusb1, and the required libfprint are available in rawhide (F-11).
fprintd is in rawhide. It includes a pam plugin to not require a password for login. The authconfig patch to add fingerprint reader authentication is also in rawhide.
Enrollment support is in gnome-about-me, available in the control-center package in rawhide.
Fingerprints can be used for authentication in gdm and gnome-screensaver.
Currently, using Fingerprint readers is a bit of a pain, and installing/using fprint and its pam module take more time than should ever be necessary. The goal of this feature is to make it painless by providing all the required pieces in Fedora, together with nicely integrated configuration.
Benefit to Fedora
Better Out-of-the-box experience for systems with fingerprint readers. Fedora will support one more piece of frequently found hardware.
Better integration would mean
- Having a D-Bus service for handling reading/using the fingerprint reader.
- The PAM module uses the VerifyStart method provided over D-Bus to authenticate users, and will be added to the default configuration.
- gnome-about-me would use the EnrollStart method to write a new fingerprint data file for the specified user.
- gnome-screensaver would be able to use finger scans to unlock the desktop
- Any other dialog presented to the user for authentication would be able to use finger scans, e.g PolicyKit
- The create-user dialog in firstboot or its replacement could offer to enroll the new user
How to test
- Person installs a laptop/desktop system with a fingerprint-reader that's supported by fprint. A good way to find information about your fingerprint reader is to scan the output of lshal for 'Fingerprint Reader'.
- Person sets their fingerprint in gnome-about-me
- Person can log in using their fingerprint, and the session behaves the same whether logged in with password or fingerprint. In particular, gnome-keyring-daemon is running in both cases
- Person deletes their fingerprint in gnome-about-me
- Person can no longer log in with their fingerprint
- Another thing to test: turning fingerprint support off in authconfig prevents login with fingerprint, but keeps the fingerprint data, so that turning it back on doesn't force people to re-enroll.
- To install the necessary packages to test this feature, on a stock Fedora 10 machine, run:
yum -y --enablerepo=rawhide install fprintd-pam control-center authconfig
- Imaging devices can go crazy if EnrollStop is not called after straight after a successful enrollment. This is worked-around in fprintd.
- Imaging devices will fail to read subsequent prints when enrolling and the 'enroll-retry-scan' status is encountered. This is a bug in libfprint.
- authconfig support is currently disabled by default. In Fedora 11, it will be enabled by default.
- fprintd currently has an ImageMagick dependency. See https://bugzilla.redhat.com/show_bug.cgi?id=472103
- gnome-about-me should pay attention to whether fingerprint login is possible: https://bugzilla.redhat.com/show_bug.cgi?id=475804
- libfprint and libusb1
- authconfig support
- fprintd with pam module
Don't install the packages by default. If fprintd is not installed, authconfig and gnome-about-me will not show their fingerprint-related UI.
- Debian's fingerprint integration wiki
- Ubuntu's fingerprint integration wiki
- the fprint library
- supported fingerprint readers
Fedora 11 supports authentication using fingerprint readers. Before you can log in using your fingerprint, you need to enable fingerprint authentication in authconfig (System → Administration → Authentication) and enroll your fingerprint in gnome-about-me (System → Preferences → Personal → About Me). For a list of supported fingerprint readers, see http://www.reactivated.net/fprint/wiki/Supported_devices.
For upgrades from older versions of Fedora, and if pam_fprint was installed, the package itself as well as the changes to PAM configuration should be removed (unless major changes were done to the files, running authconfig as mentioned above will clear the previous changes).