Daniel Drake wrote:
> Sorry, hit send by accident.
> 
> Jason Gerfen wrote:
>> I just have a few questions, comments & suggestions regarding the 
>> pam_fprint module.
>>
>> After taking a brief look through the pam_fprint.c source I do not see 
>> anything in regards to uid/gid mapping for the valid authentication 
>> based on the image of a scanned fingerprint.
> 
> Sorry for being thick, but what exactly do you mean by uid/gid mapping 
> and why is it useful?
> 

Currently the pam_fprint module only looks for a valid enrolled 
fingerprint scan (image) and compares it to the current scanned finger 
during login. Correct? I only briefly scanned the source for pam_fprint.c

By implementing a secondary check for the uid/gid you are mapping a 
local account to the login process for added security...

If this still does not make sense to you, think about the Kerberos 
authentication protocol and the TGT verification process and the 
requirement of it mapping a local user account before it lets you get a 
desktop environment.

> Existing system doesn't have any problems identifying the user. PAM 
> identifies which user is trying to log in.
> 

You currently can only set up the enrolled finger with a local account, right?

>> Is this something that you intend to keep? From a Unix/Linux 
>> standpoint I can see how this might somewhat limit the security of the 
>> authentication process unless you rely on something such as pam_unix 
>> within your authentication stack.
> 
> I don't understand what you're saying here. What problem are you trying 
> to solve, and how?
> 

As I stated above, there is not a problem with the authentication stack 
logging a user in. It is ensuring that there are specific attributes in 
the passwd database that on most *NIX systems are required, thereby 
adding a stricter rule to authentication.

>> First I would like to propose the including of a simple getpw to 
>> assist in the authentication of enrolled finger print authenticated 
>> users (I can see the use of a getpwnam call but suggest further 
>> mapping of user accounts to enrolled fingerprint users.
> 
> The getpw/getpwnam functions just read the password file. So we get to 
> see the user's encrypted password. How does that assist in 
> fingerprint-based authentication?
> 

Stated above...

> Or are you saying we should store the user's fingerprint in the password 
> file?
> 

hahaha... funny

>> Second I have spoken with you before in regards to adding support for 
>> OpenLDAP/Active Directory (RFC2307) as well as MySQL support for 
>> centralized authentication. I believe I am now ready to begin adding 
>> this support into the existing pam_fprint module, and need to know how 
>> updated the API documentation is.
> 
> pam_fprint has no API or any documentation.
> libfprint API documentation should be fairly complete for everything 
> except the asynchronous interface.
> 

Sorry, I did mean the libfprint API. Thanks.

> This functionality should go in fprintd, not pam_fprint. Then pam_fprint 
> needs rewriting to use fprintd.
> 

So adding OpenLDAP/MySQL functionality here could be used in the 
pam_fprint module. No worries on this one.

> fprintd already has an abstraction layer for different storage backends, 
> but it might need adaptation to better suit your needs.
> 
>> Third, after doing some investigation of Active Directory it is 
>> possible to implement a photo binary schema attribute for all users 
>> following the guide 
>> http://msdn.microsoft.com/en-us/library/ms953636.aspx shown here.
>> For OpenLDAP I have found the following: 
>> http://www.openldap.org/doc/admin24/schema.html (Section 12.2.4.2 
>> x-my-Photo)
>>
>> And an RFC regarding this schema attribute: 
>> http://www.rfc-editor.org/rfc/rfc2798.txt
>>
>> MySQL has the blob field type to handle binary data such as photos. 
>> One thing I would like to do with this is to ensure we have 'all' 
>> account data available so local accounts on a Unix/Linux system are not 
>> needed. Much like a roaming profile, an example of a MySQL database 
>> table to manage this would be something like:
> 
> Now you've lost me even more :)
> Photos? How does that relate to fingerprint based authentication?
> 

Fingerprint Image storage. Everything is a photo to me. Let me know if 
you need more explanation.

> Daniel
> 


-- 
Jason Gerfen
Systems Administration/Web application development
[EMAIL PROTECTED]

Marriott Library
Lab Systems PC
295 South 1500 East
Salt Lake City, Utah 84112-0806
Ext 5-9810

"Tomorrow isn't promised so we live for today"
_______________________________________________
fprint mailing list
[email protected]
http://lists.reactivated.net/mailman/listinfo/fprint
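The "secondary uid/gid check" proposed in the message above, as an added illustration that is not code from pam_fprint, libfprint or fprintd: after PAM has identified the user, the module looks the name up in the passwd database with getpwnam_r, confirms the primary gid also resolves in the group database, and only then accepts the fingerprint match. The idea that an enrolled fingerprint carries the uid of the account it was enrolled for (the `enrolled_uid` parameter) is an assumption made for this example; the real pam_fprint storage layout is not described on this page, and the PAM wiring (pam_get_user, returning PAM_AUTH_ERR) is described in the comments rather than compiled, so the block builds without the PAM headers.

```c
/* Added example, not pam_fprint's own code.  Checks that a user name PAM has
 * identified maps to a real local account before a fingerprint match is
 * honoured.  POSIX only: getpwnam_r / getgrgid_r. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum local_account_status {
    LOCAL_ACCOUNT_OK = 0,
    LOCAL_ACCOUNT_NO_PASSWD_ENTRY,  /* getpwnam_r found nothing */
    LOCAL_ACCOUNT_NO_GROUP_ENTRY,   /* primary gid not in the group database */
    LOCAL_ACCOUNT_LOOKUP_ERROR      /* NSS/backend failure, fail closed */
};

/* Resolve `user` in the passwd database and verify its primary gid resolves
 * in the group database.  On success the uid/gid pair is returned through the
 * out parameters (either may be NULL). */
enum local_account_status
check_local_account(const char *user, uid_t *uid_out, gid_t *gid_out)
{
    struct passwd pw, *pwp = NULL;
    struct group gr, *grp = NULL;
    char pwbuf[4096], grbuf[4096];

    if (user == NULL || *user == '\0')
        return LOCAL_ACCOUNT_NO_PASSWD_ENTRY;

    /* getpwnam_r returns an errno value; a non-zero return is a lookup
     * failure (e.g. a broken NSS backend), not "user unknown". */
    if (getpwnam_r(user, &pw, pwbuf, sizeof pwbuf, &pwp) != 0)
        return LOCAL_ACCOUNT_LOOKUP_ERROR;
    if (pwp == NULL)
        return LOCAL_ACCOUNT_NO_PASSWD_ENTRY;

    if (getgrgid_r(pw.pw_gid, &gr, grbuf, sizeof grbuf, &grp) != 0)
        return LOCAL_ACCOUNT_LOOKUP_ERROR;
    if (grp == NULL)
        return LOCAL_ACCOUNT_NO_GROUP_ENTRY;

    if (uid_out) *uid_out = pw.pw_uid;
    if (gid_out) *gid_out = pw.pw_gid;
    return LOCAL_ACCOUNT_OK;
}

/* Decision a pam_sm_authenticate() could make after the scanner reported a
 * match: `user` is what pam_get_user() returned, `enrolled_uid` is the uid
 * assumed (for this example) to be recorded with the enrolled print.
 * Returns 1 if the fingerprint may authenticate this login, else 0 (the PAM
 * module would map 0 to PAM_AUTH_ERR). */
int fingerprint_auth_allowed(const char *user, uid_t enrolled_uid)
{
    uid_t uid;
    gid_t gid;

    if (check_local_account(user, &uid, &gid) != LOCAL_ACCOUNT_OK)
        return 0;                 /* no local account: refuse the match */
    if (uid != enrolled_uid)
        return 0;                 /* print belongs to a different account */
    return 1;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    uid_t uid = 0;
    gid_t gid = 0;
    enum local_account_status st = check_local_account(user, &uid, &gid);

    switch (st) {
    case LOCAL_ACCOUNT_OK:
        printf("%s -> uid %lu gid %lu: fingerprint login permitted\n",
               user, (unsigned long)uid, (unsigned long)gid);
        break;
    case LOCAL_ACCOUNT_NO_PASSWD_ENTRY:
        printf("%s: no passwd entry, refusing fingerprint login\n", user);
        break;
    case LOCAL_ACCOUNT_NO_GROUP_ENTRY:
        printf("%s: primary group does not resolve, refusing\n", user);
        break;
    default:
        printf("%s: account lookup failed, refusing\n", user);
    }
    return st == LOCAL_ACCOUNT_OK ? 0 : 1;
}
```

The lookup errors are treated the same as a missing account (fail closed); a module that only checked `pwp == NULL` would let an NSS outage turn into "user unknown" rather than an explicit denial, which matters once the passwd data comes from LDAP or MySQL as the message proposes.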
