IBM X60s - Using fingerprint scanner

Well - I have an IBM X60s for both private and work use, and have thought about getting the fingerprint scanner to work under Linux as well, so here's what I did. First of all, I needed to change from Arch Linux to Ubuntu (with KDE = Kubuntu) because of some weird problems at work, where under every Linux other than the Debian-based ones I could not use the network at the office. So the necessary prerequisite for this guide is having Ubuntu installed on your laptop.

BASIC INSTALLATION:
Installing the Bioapi Framework:
The script for enabling the fingerprint reader automates the installation of most components (BioAPI framework, driver, pam_bioapi, PAM setup, device permissions, parameters and enrolling) for some Linux distributions.
BINARY PACKAGES:
Note that these packages only take care of this one section. If you can use them, you should do so and then proceed to the section entitled "Installing and configuring the driver".
Debian/Ubuntu Dapper:
If you are using Debian Sid or Ubuntu Dapper Drake you can try these packages from Michael Crusoe's site, either version 1.2.3 or older versions.

HINT: Ignore the warning about not finding /usr/lib/libqtpwbsp.so - it's not fatal.

INSTALLING FROM SOURCE:
* Get the bioapi Source:

$ wget http://www.qrivy.net/~michael/blua/bioapi/bioapi-latest.tar.gz

# I could not compile bioapi with the graphical QT tools. To do it manually, do this:

### tar xf detects the compression type itself, so it works whether the archive is gzip or bzip2
$ tar xf bioapi-latest.tar.gz
$ cd bioapi-1.2.2
$ ./configure --with-Qt-dir=no
$ make


And then as root - do:

$ make install
If make install fails, be sure you're root and then:
$ export LD_LIBRARY_PATH=/usr/local/lib
$ make install

And if you want to compile pam_bioapi for auth later:

$ cp include/bioapi_util.h include/installdefs.h imports/cdsa/v2_0/inc/cssmtype.h /usr/include

Be aware that checkinstall will not work!!!!

By default, bioapi will install numerous files in /usr/local/(bin, lib, include), including files with "self-explanatory" names such as /usr/local/bin/Sample. To prevent this pollution:

* Create a dedicated directory, for example /opt/bioapi
* Append --prefix=/opt/bioapi to the above ./configure command
* Append /opt/bioapi/bin to $PATH and /opt/bioapi/lib to $LD_LIBRARY_PATH
* When installing the driver (below), tell it the new install path:
$ sh install.sh /opt/bioapi/lib


INSTALLING AND CONFIGURING THE DRIVER:
Download TFMESS_BSP_LIN_1.0.zip from the UPEK support site, and unzip it into a separate folder, as it will not create one. Change to that folder and do as root:

$ sh install.sh /usr/lib
On the Ubuntu system I had to do a << cp libtfmessbsp.so /usr/lib >> to avoid an error message during << sh install.sh /usr/lib >>


If that fails, it may be that make install failed up above - try setting LD_LIBRARY_PATH, do make install again, and come back here and try this again. You also need mod_install from bioapi in your PATH.

CONFIGURING PERMISSION FOR NON-ROOT USE:
If you want to use PAM-aware applications like xscreensaver that are NOT running with root permission (as opposed to login, gdm or other authentication mechanisms) you may need to do all or at least some of the things in this section.

Create two groups, one for access to the BioAPI files and the other for access to the USB files. This is done like this:

$ addgroup --system bioapi
$ addgroup --system usbfs
### groupmod -A only exists on SUSE; on Debian/Ubuntu add the user to each group with adduser
$ adduser yournormaluser bioapi
$ adduser yournormaluser usbfs

$ chown -R root:bioapi /usr/var/bioapi
$ chmod -R 770 /usr/var/bioapi
$ chown -R root:usbfs /proc/bus/usb
$ chmod -R g+X /proc/bus/usb
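### The command substitution turns the lsusb line for the reader (USB ID 0483:2016) into BUS/DEVICE
$ chown root:usbfs /proc/bus/usb/$(lsusb | sed -ne "/0483:2016/s/Bus \([0-9]*\) Device \([0-9]*\): .*/\1\/\2/p")
$ chmod 660 /proc/bus/usb/$(lsusb | sed -ne "/0483:2016/s/Bus \([0-9]*\) Device \([0-9]*\): .*/\1\/\2/p")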

You may need to replace lsusb with its full path, which is something like /sbin/lsusb or /usr/bin/lsusb depending on your distro - but this is not needed with Ubuntu.
The next step is changing the dynamically created udev rules. This is done by editing /etc/udev/rules.d/40-permissions.rules and changing the following line to:

SUBSYSTEM=="usb_device", MODE="0660", GROUP="usbfs"

And that should be the hard part done.
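
To confirm the result of the steps above, the following added example (not part of the original guide) resolves the reader's usbfs node from lsusb output, checks its owner and mode, and lists any other USB nodes the same group can write to. The function names are hypothetical; the USB ID, group name and paths are the ones used in this guide, and GNU stat and find are assumed.

```shell
#!/bin/sh
# Added example, not from the original guide. The USB ID 0483:2016, the
# usbfs group and /proc/bus/usb come from the guide; function names are
# hypothetical. Requires GNU stat and find.

# Read lsusb output on stdin; print "BUS/DEV" for the first device with ID $1.
usb_bus_dev() {
    sed -n "/ID $1/{s/^Bus \([0-9]*\) Device \([0-9]*\): .*/\1\/\2/p;q;}"
}

# Succeed only if file $1 has exactly mode $2 and owner:group $3.
check_node() {
    actual=$(stat -c '%a %U:%G' "$1") || return 2
    [ "$actual" = "$2 $3" ]
}

# List files under $1, other than $2, that group $3 is allowed to write.
# The udev rule in the guide has no vendor match, so it applies to every
# USB device; anything listed here is also open to members of the group.
other_group_writable() {
    find "$1" -type f ! -path "$2" -perm -020 -exec stat -c '%G %n' {} + |
        sed -n "s/^$3 //p"
}

# Full check against the live system (run as root on the laptop).
audit_reader() {
    bd=$(lsusb | usb_bus_dev 0483:2016)
    [ -n "$bd" ] || { echo "reader 0483:2016 not found"; return 1; }
    node=/proc/bus/usb/$bd
    check_node "$node" 660 root:usbfs || echo "unexpected owner or mode: $node"
    other_group_writable /proc/bus/usb "$node" usbfs
}
```

Call audit_reader as root after a reboot or replug to see whether the ownership survived and which other USB devices members of usbfs can reach.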

TESTING THE DRIVER AND ENROLLING A FINGERPRINT:

To test the driver and generate the file containing your fingerprint information, you need a sample program included with the driver. The compilation steps below were discovered by trial and error. IF IT DOESN'T WORK FOR YOU - TRY THE BINARY SAMPLE UTILITY THAT CAME WITH THE BETA VERSION OF THE DRIVER. Go to the folder where you extracted TFMESS_BSP_LIN_1.0.zip and do:

$ cd NonGUI_Sample
### Edit main.c and remove (or comment out ) the line:
#include "port/bioapi_port.h"
### Then add the line
#include <stdlib.h>

$ gcc -o Sample main.c -L/usr/lib -lbioapi100 -DUNIX -DLITTLE_ENDIAN

NOTE: Sample may only run as root, unless you've already configured the usbfs file permissions.
You can now try to "e"nroll (to record a fingerprint) and then "v"erify (test the fingerprint).
You'll save a step later if you use your own login name as the username to enroll here.

Now we have a record for the fingerprint and username. (Remember: each user should have a sample file, *.bir.)

LOGIN VIA PAM_BIOAPI:

The following explains how to add fingerprint authentication to programs that use the PAM (Pluggable Authentication Modules) framework, such as Gnome's GDM and KDE's kdm and screensaver.

GETTING REQUIRED LIBS AND TOOLS:

Prerequisites:
Get and compile the pam_bioapi module:

$ wget http://www.qrivy.net/~michael/blua/pam_bioapi/pam_bioapi-latest.tar.bz2
$ tar xjf pam_bioapi-latest.tar.bz2
$ cd pam_bioapi-0.2.1
$ wget http://badcode.de/downloads/fingerprint.patch
$ patch -p0 < fingerprint.patch
### If you want to, review the patch. In general you should review all code you download and compile, if possible.
$ ./configure --libdir=/lib && make
### and as root
$ make install


Use the sample tool from the fingerprint reader to create <username>.bir (<username> must be the username you want to login with. gdm will probably break for any login name that has no .bir file).

As root do:
$ SERIAL=`BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}"`
$ echo $SERIAL
### should print something like {5550454b-2054-464d-2f45-535320425350} now.
### If it does, do:
$ mkdir -p /etc/bioapi/pam/$SERIAL
$ cp <username>.bir /etc/bioapi/pam/$SERIAL
### If not, you might just try
$ SERIAL={5550454b-2054-464d-2f45-535320425350}
### as this value is hardcoded into the UPEK docs.

CONFIGURING PAM:
The following part is distribution specific. On Ubuntu I just modify /etc/pam.d/common-auth (on other systems it's different).

 

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
password sufficient pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
auth required pam_unix.so nullok_secure

JUST REMEMBER: THIS COULD GIVE SOME SERIOUS PROBLEMS WITH SSH
su/sudo will ask for your fingerprint even if you are logged in remotely via ssh. Pressing *CTRL-c* (or closing the graphic window) will give you the desired password option.
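
Because the pam_bioapi line sits in the shared common-auth file, every service that includes that file inherits it, which is why su and sudo prompt for a fingerprint over ssh. The following added example (not part of the original guide) lists those services and the control flag they inherit; it assumes the Debian/Ubuntu convention of "@include common-auth" in the service files and the simple one-word control flags used above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes the Debian/Ubuntu
# layout where service files pull in the shared stack with
# "@include common-auth". Function names are hypothetical.

# Print the control flag (required, sufficient, ...) of each active
# "auth" line in PAM file $1 that loads module $2. Commented lines are
# skipped; bracketed [value=action] controls are not handled.
auth_control() {
    awk -v m="$2" '$1 == "auth" && $3 == m { print $2 }' "$1"
}

# Print the name of every service file in directory $1 that @includes $2.
services_including() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -Eq "^[[:space:]]*@include[[:space:]]+$2([[:space:]]|\$)" "$f"; then
            basename "$f"
        fi
    done
}

# For PAM directory $1, report each service that inherits pam_bioapi.so.
# With "sufficient", a fingerprint match ends the auth stack for that
# service and pam_unix.so is never consulted.
report() {
    ctl=$(auth_control "$1/common-auth" pam_bioapi.so)
    [ -n "$ctl" ] || { echo "pam_bioapi.so not in common-auth"; return 0; }
    for s in $(services_including "$1" common-auth); do
        echo "$s: auth $ctl pam_bioapi.so"
    done
}
```

Run report /etc/pam.d after editing common-auth and check the list for services you did not intend to cover.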

To Add a graphical popup to KDM, you need the following:
* Patch for pam_bioapi. This patch adds a third parameter to the pam_bioapi.so module, which is the name of a file with additional environment variables that will be passed to the UPEK driver:

$ wget http://upir.cz/linux/patches/pam_bioapi-0.2.1-alter-environ.patch
$ patch -p1 < pam_bioapi-0.2.1-alter-environ.patch

On Ubuntu simply do:
$ echo "DISPLAY=$DISPLAY" >> /var/lib/kdm/kdm_env

Please note - this won't work if you have more than one Xserver.