Did you try fingerprint-gui? http://www.pdfserver.net/fingerprint
Besides the libfprint drivers it makes use of a proprietary driver libbsapi.so for upek devices with better recognition rates. Also it has a clean and well privileged directory in /var/lib/fingerprint-gui/, where fingerprint data are stored protected against other users. The pam_fingerprint-gui.so module recognizes remote sessions and doesn't request finger swipes for them.

W.U.

> hi!
>
> i have an upek eikon 2 (147e:2016) in my thinkpad x220t.
>
> i'm using fprint for 3 weeks now, i must say it is an excellent feature
> to prevent others seeing your password, especially in lectures where 8
> people are sitting right around you.
>
> everywhere on the internet is described to use the pam_fprint.so pam.d
> module, but pam_fprint_enroll always fails with error -22 on the last
> stage. this means 5 times everything works as it should, but suddenly
> the LED on the scanner no more activates, and the program exits with
> error -22.
>
> so somewhere in the gentoo wiki i found another pam.d module, pam_fprintd.so
>
> i inserted this in the sudo pam file, and everything worked just
> perfectly. i enrolled my finger with fprintd-enroll, it created a
> fingerprint for my user, but not the way it should. later i noticed a
> bunch of security issues.
>
> i think it is possible to enroll a finger with no root privileges and
> overwrite existing fingerprints for this user just by executing
> fprintd-enroll.
> this means everyone using the notebook can just overwrite the
> fingerprint and have root access.
> where is the database file and why isn't it protected? can it be
> protected just with filesystem access limitations? why isn't the current
> fingerprint checked first or why no password check?
>
> next thing is, when you ssh into your laptop with having fprint
> activated for sudo, it will require you to swipe your finger, although
> your laptop might be somewhere around the globe. i don't think there's a
> way to fix this, but you should be able to skip the scanning process and
> continue entering a password.
> I actually don't understand why it is not possible to cancel auth with
> ctrl-c or whatever yet. when the system has a defined auth order in the
> pam setting, you should be able to skip the fingerprinting, like it is
> possible with a password.
>
> -- Jonas
> _______________________________________________
> fprint mailing list
> [email protected]
> http://lists.freedesktop.org/mailman/listinfo/fprint
>

--
Regards
Wolfgang Ullrich
e-Mail: [email protected]
_______________________________________________
fprint mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/fprint
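Added example, not part of the original thread and not fingerprint-gui's own code: a permission audit of a fingerprint store such as /var/lib/fingerprint-gui/, following the thread's question of whether the data is protected against other users. The function name `audit_store` and the policy (entries owned by root, no access for other users, not group-writable, no symlinks) are assumptions made for illustration.

```python
import os
import stat


def audit_store(root, expected_uid=0):
    """Return (path, problem) tuples for entries that break the assumed policy."""
    findings = []
    # Check the top-level directory itself, then everything beneath it.
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        paths += [os.path.join(dirpath, name) for name in dirnames + filenames]

    for path in paths:
        st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            # A link could point enrolment data at a file someone else controls.
            findings.append((path, "symlink inside store"))
            continue
        if st.st_uid != expected_uid:
            findings.append((path, f"owner uid {st.st_uid}, expected {expected_uid}"))
        if mode & stat.S_IRWXO:
            findings.append((path, f"accessible to other users (mode {mode:04o})"))
        if mode & stat.S_IWGRP:
            findings.append((path, f"group-writable (mode {mode:04o})"))
    return findings


if __name__ == "__main__":
    import sys

    # Default path is the directory named in the reply above.
    store = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/fingerprint-gui"
    for path, problem in audit_store(store):
        print(f"{path}: {problem}")
```

An empty result means every entry under the directory matches the assumed policy; it says nothing about whether the enrolment tool itself asks for a password or an existing finger before overwriting data.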
