Hello,

pam_bioapi allows, for me at least, logging in to GDM without even having to type my username in - and after tasting that convenience - I can't go back =)

So I trundled into the depths of GDM and fprint with the intention of trying to make it happen. From my understanding, this is what happens: GDM opens communication with the PAM stack *without* asking for the username (contrary to what I assumed). When it gets to pam_fprint, it calls the pam_get_user() function - which first checks to see if a username was supplied (in this case, the answer is no) - and if it wasn't - it tells GDM to ask the user for the username. Once this is done, the home directory of this user is discovered, and the first fingerprint that it finds which is compatible with an attached device is used to authenticate that user.

The first problem here is that each user's fingerprint is stored in the user's home directory, rather than in a central location - meaning that in order to "discover" all the fingerprints of all users on the system, you must go through each user's home directory - not the most efficient. Are there any plans to change this?

Ignoring that, the next problem is how to check the result of one scan against a list of fingerprints. Currently, pam_fprint utilises the fp_verify_finger() function implemented in libfprint - and this function takes a scan, and verifies if it matches *one* print. A similar function, called fp_identify_finger(), allows a new scan to be verified against a list of prints, which seems to suit our purposes better.

However, to my dismay, I found out that this function is hardware dependent: and my fingerprint scanner: the UPEK TouchStrip (embedded on my IBM X41 laptop) Further investigation on the wiki (http://reactivated.net/fprint/wiki/Upekts) revealed that the current open source driver only supports verifying one print per scan - and that verification is actually done in hardware, as opposed to in software (as I had assumed). However, I have seen this feature work under Linux - in the form of pam_bioapi combined with the UPEK binary driver - and I'd be willing to try and reverse-engineer this functionality.

Daniel - I believe you have experience with reverse-engineering - maybe you could tell me where to start with this?

Cheers,
Eddie

P.S. For the record, there are some other problems I can see with this feature - for example, how to handle multiple devices, and when one device is selected, how to efficiently filter all the discovered prints down, and convert them into actual prints to be used for authentication.

_______________________________________________
fprint mailing list
http://lists.reactivated.net/mailman/listinfo/fprint
