Sorry, hit send by accident.

Jason Gerfen wrote:
> I just have a few questions, comments & suggestions regarding the
> pam_fprint module.
>
> After taking a brief look through the pam_fprint.c source I do not see
> anything in regards to uid/gid mapping for the valid authentication
> based on the image of a scanned fingerprint.

Sorry for being thick, but what exactly do you mean by uid/gid mapping and why is it useful? The existing system doesn't have any problems identifying the user. PAM identifies which user is trying to log in.

> Is this something that you intend to keep? From a Unix/Linux standpoint
> I can see how this might somewhat limit the security of the
> authentication process unless you rely on something such as pam_unix
> within your authentication stack.

I don't understand what you're saying here. What problem are you trying to solve, and how?

> First I would like to propose the inclusion of a simple getpw to assist
> in the authentication of enrolled fingerprint authenticated users (I
> can see the use of a getpwnam call but suggest further mapping of user
> accounts to enrolled fingerprint users).

The getpw/getpwnam functions just read the password file. So we get to see the user's encrypted password. How does that assist in fingerprint-based authentication? Or are you saying we should store the user's fingerprint in the password file?

> Second I have spoken with you before in regards to adding support for
> OpenLDAP/Active Directory (RFC2307) as well as MySQL support for
> centralized authentication. I believe I am now ready to begin adding
> this support into the existing pam_fprint module, and need to know how
> updated the API documentation is.

pam_fprint has no API or any documentation. libfprint API documentation should be fairly complete for everything except the asynchronous interface.

This functionality should go in fprintd, not pam_fprint. Then pam_fprint needs rewriting to use fprintd. fprintd already has an abstraction layer for different storage backends, but it might need adaptation to better suit your needs.

> Third, after doing some investigation of Active Directory it is possible
> to implement a photo binary schema attribute for all users following the
> guide http://msdn.microsoft.com/en-us/library/ms953636.aspx shown here.
>
> For OpenLDAP I have found the following:
> http://www.openldap.org/doc/admin24/schema.html (Section 12.2.4.2
> x-my-Photo)
>
> And an RFC regarding this schema attribute:
> http://www.rfc-editor.org/rfc/rfc2798.txt
>
> MySQL has the blob field type to handle binary data such as photos. One
> thing I would like to do with this is to ensure we have 'all' account
> data available so local accounts on a Unix/Linux system are not needed.
> Much like a roaming profile, an example of a MySQL database table to
> manage this would be something like:

Now you've lost me even more :) Photos? How does that relate to fingerprint based authentication?

Daniel

_______________________________________________
fprint mailing list
http://lists.reactivated.net/mailman/listinfo/fprint
