With the ThinkFinger driver, SUSE Linux Enterprise® supports the fingerprint reader by UPEK/SGS Thomson Microelectronics included with some IBM and Lenovo ThinkPads. The same fingerprint reader can also be found in other laptops, as a stand-alone device, or built into some USB keyboards. For more details, refer to http://thinkfinger.svn.sourceforge.net/viewvc/*checkout*/thinkfinger/README.in. If your system includes the fingerprint reader, you can use biometric authentication in addition to standard authentication via login and password. After registering their fingerprint, users can log in to the system either by swiping a finger on the fingerprint reader or by typing in a password.
If the hardware check detects the fingerprint reader integrated with your
laptop (or connected to your system), the packages libthinkfinger, pam_thinkfinger, and yast2-fingerprint-reader are automatically installed.
Currently, only one fingerprint per user can be registered. The user's fingerprint data is stored in /etc/pam_thinkfinger/login.bir.
To manage fingerprint authentication, either use YaST (see Section D.2, “Managing Fingerprints with YaST”) or the tf-tool command line tool, which also offers additional options (see Section D.3, “Managing Fingerprints with tf-tool”).
The PAM module pam_thinkfinger supports fingerprint
authentication for the following applications and actions (although you may
not be prompted to swipe your finger in all cases):
Logging in to GDM/KDM or a login shell
Unlocking your screen on the GNOME/KDE desktop
Starting YaST and the YaST modules
Starting an application with root permission: sudo or gnomesu
Changing to a different user identity with su or su - username
Procedure D.1. Enabling Fingerprint Authentication
In order to allow biometric authentication for certain users, you need to generally enable fingerprint support in YaST first.
Start YaST and select +.
In the configuration dialog, activate and click to save the changes and close the dialog.
Now you can register a fingerprint for various users.
Procedure D.2. Registering a Fingerprint
In YaST, click + to open the dialog. A list of users or groups in the system is displayed.
Select the user for whom you want to register a fingerprint and click .
On the tab, select the fingerprint entry and click to open the dialog.
YaST prompts the user to swipe his finger until three readable fingerprints have been gathered.
After the fingerprint has been acquired successfully, click to close the dialog and the dialog for the user.
If you also want to use fingerprint authentication for starting
YaST or the YaST modules, you need to register a fingerprint
for root, too.
To do so, set the filter in the dialog to , select
the root entry and register a fingerprint for root as
described above.
After you have registered fingerprints for the desired users, click to close the administration dialog and to save the changes.
As soon as the user's fingerprint has been successfully registered, the user can choose to authenticate with either fingerprint or password for the actions and applications listed in Section D.1, “Supported Applications and Actions”.
Currently, YaST does not offer verification or removal of fingerprints, but you can verify or remove fingerprints from the command line. Refer to Procedure D.4, “Verifying or Removing a Fingerprint” for more information.
With YaST, you can also import fingerprint files
(*.bir) already stored somewhere in your file system.
Click + and select or enter the . Click to start the import. The
fingerprint files are copied to /etc/pam_thinkfinger/login.bir (/etc/pam_thinkfinger/ is the default directory for the fingerprint files).
Procedure D.3. Registering a Fingerprint
Open a shell and log in as root.
To register a fingerprint for a certain user, enter
tf-tool --add-user login
tf-tool prompts the user to swipe his finger until three readable fingerprints have been gathered.
If you also want to use fingerprint authentication for starting
YaST or the YaST modules in the GNOME Control Center, you need
to register a fingerprint for root, too.
As soon as the user's fingerprint has been successfully registered, the user can choose to authenticate with either fingerprint or password for the actions and applications listed in Section D.1, “Supported Applications and Actions”.
Procedure D.4. Verifying or Removing a Fingerprint
Open a shell and log in as root.
To verify an existing fingerprint for a certain user, run the following command:
tf-tool --verify-user login
Let the user swipe his finger. tf-tool compares the fingerprint to the print stored for this user and provides a message if the fingerprints match.
To remove a user's fingerprint, delete the appropriate fingerprint file for this user with the following command:
shred -u /etc/pam_thinkfinger/login.bir
With tf-tool --acquire you can do a test run with tf-tool. The fingerprint is stored as /tmp/test.bir and can be verified with tf-tool --verify.
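The fingerprint files in /etc/pam_thinkfinger/ are long-lived biometric templates, and YaST offers no way to remove them, so stale or loosely protected files can remain there. The following shell function is an added example (not part of the original documentation or of the ThinkFinger project) that reports such files. The ownership and permission policy, the function names audit_bir_dir and account_exists, and the FINDING output format are assumptions.

```shell
#!/bin/sh
# Added example: audit the fingerprint templates (*.bir) read by pam_thinkfinger.
# Assumed policy (not stated in the original page): every template is a regular
# file owned by the expected UID (default 0, root), grants no access to "other",
# and is named after a login that still exists. Requires GNU stat.

# Overridable account lookup; succeeds if the login exists on this system.
account_exists() { id -u "$1" >/dev/null 2>&1; }

# audit_bir_dir DIR [OWNER_UID]
# Prints one "FINDING <file>: <reason>" line per problem.
# Returns 0 if nothing was found, 1 otherwise.
audit_bir_dir() {
    dir=$1; want_uid=${2:-0}; rc=0
    for f in "$dir"/*.bir; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        login=$(basename "$f" .bir)
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "FINDING $f: not a regular file"; rc=1; continue
        fi
        uid=$(stat -c %u "$f"); mode=$(stat -c %a "$f")
        [ "$uid" = "$want_uid" ] || {
            echo "FINDING $f: owner uid $uid, expected $want_uid"; rc=1; }
        case $mode in
            *0) ;;   # last octal digit 0: no access for "other"
            *)  echo "FINDING $f: mode $mode grants access to other users"; rc=1 ;;
        esac
        account_exists "$login" || {
            echo "FINDING $f: no account named $login (stale template)"; rc=1; }
    done
    return $rc
}

# On a real system, run as root: audit_bir_dir /etc/pam_thinkfinger
```

A stale template reported by the audit can be removed as described in Procedure D.4.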
Find the project home page at http://thinkfinger.sourceforge.net/
For more technical details, refer to
/usr/share/doc/packages/libthinkfinger/README in your
installed system.
There are also man pages available for pam_thinkfinger and tf-tool.