6.7.2006

Biometrics on linux – history of my diploma thesis

Filed under: biometrics,Uncategorized — nax @ 15:13

Well, I'm not a native English speaker (I think you will find that out very quickly yourself), but I think information about the progress of my diploma thesis might be useful for English-speaking users of the Internet, so I am beginning to write in English. I also want to improve my ability to communicate in English: I'm able to read, but I also need to be able to write something. I'm sorry if you don't understand something, but I'm trying. Yesterday I also changed the theme of my WordPress to a brand new biometrics theme (you can download it here: fingerprints.zip), based on the New York Now York theme.

OK, now about biometrics. I'm the proud owner of an IBM ThinkPad T42 with UPEK's fingerprint reader. This (relatively cheap) feature was very important for me when I decided to buy this notebook. Since I'm an open source enthusiast, I purchased this device because at that time UPEK had released an announcement about their preparations for Linux support.

And in September 2005 they really did release beta1 of their BSP for Linux. In BioAPI framework terminology, BSP means driver. It was a closed source driver, and the sample application worked fine. The problem was that pam_bioapi (v0.2.1) didn't work, and thus I was unable to use this driver for authenticating in XDM or unlocking xscreensaver. By coincidence I was ill at home (drinking hot tea and eating antibiotics), so I had 2 whole days for debugging, and I really did find the reason why pam_bioapi worked with the dummy BSP but didn't with UPEK's BSP. The result was this patch for pam_bioapi, but the reason for the failure was in the BSP itself, and they say it was repaired in a later version (the BSP is closed source).

Next I was a little bit confused by xscreensaver's behaviour. It asks for the password first, and only after you type at least one character and hit Enter are you asked by UPEK's BSP for your fingerprint. The reason was that xscreensaver doesn't count on any authentication other than a password, so it first asks for the password and then calls the PAM module. The solution was to write a patch which adds a new boolean option, alternativeAuth, to the config file. If this is set to true, xscreensaver first calls pam_bioapi, and only if this fails does it ask for the password.

By another coincidence, in September 2005 I had to choose the topic of my master's degree diploma thesis. The deadline for this thesis is planned for February 2007. I found out that UPEK's R&D center is in Prague (where I live) and that my instructor for one of my networking courses was the director of this R&D center. I asked him for a meeting and he agreed to be my supervisor.

Next I wanted to be able to authenticate in XDM by fingerprint alone. But there is a problem: pam_bioapi 0.2.1 didn't know anything about one-to-many or one-to-few authentication. So the first task for me was a better store for BIRs (pam_bioapi used files in a directory, and in each file there was one BIR (fingerprint) for one user). I chose SQLite because it is very convenient to use and also because it could be used by a future closed source BSP (BioAPI also defines functions for accessing a store managed by the BSP driver). The resulting release, pam_bioapi 0.3.0 with one-to-few support, allows PAM to be called without a username: pam_bioapi asks for a fingerprint, then tests for a match against all records in the database, and if a match is found it returns the authenticated username.
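The one-to-few lookup described above, as an added Python example that is not pam_bioapi's code: the `bir` table layout, the `similarity()` stand-in matcher and the 0.9 threshold are assumptions (a real BSP does the matching itself). It also rejects a sample that matches more than one user, because the returned username decides which account is opened.

```python
import sqlite3

MATCH_THRESHOLD = 0.9  # assumed value; a real BSP applies its own FAR-based threshold


def similarity(a: bytes, b: bytes) -> float:
    """Stand-in matcher: fraction of equal bytes (hypothetical, not BioAPI)."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def open_store(path=":memory:"):
    """Open the template store; the schema here is hypothetical."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS bir "
               "(username TEXT NOT NULL, template BLOB NOT NULL)")
    return db


def enroll(db, username: str, template: bytes) -> None:
    # A user may enroll several fingers, so several rows per username are allowed.
    db.execute("INSERT INTO bir (username, template) VALUES (?, ?)",
               (username, template))


def identify(db, captured: bytes):
    """One-to-few: compare the sample with every stored record.

    Returns the username only when exactly one user matches; no match or
    matches for several different users both return None (fail closed).
    """
    matched = set()
    for username, template in db.execute("SELECT username, template FROM bir"):
        if similarity(captured, bytes(template)) >= MATCH_THRESHOLD:
            matched.add(username)
    return matched.pop() if len(matched) == 1 else None


if __name__ == "__main__":
    store = open_store()
    enroll(store, "alice", bytes(range(20)))        # constructed templates
    enroll(store, "bob", bytes(range(100, 120)))
    sample = bytes([255]) + bytes(range(1, 20))     # alice's finger, one noisy byte
    print(identify(store, sample))
    print(identify(store, bytes(20)))               # unknown finger
```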

Then I wrote a patch for XDM, and after system start I was able to log in without touching the keyboard.

But there were always some serious problems with pam_bioapi. The main one is that all users need to have read access to the SQLite database to be able to authenticate. I need to find out how it is possible that /etc/shadow is readable only by root but all users can authenticate themselves. I have to implement something similar in pam_bioapi too. That is the task for the next weeks.

There were also some discussions about support for gnome-screensaver, so I want to take a look at that too. It seems some better support for the pam_conversation mechanism will be needed in pam_bioapi. There is also the alternative pam_bsdbioapi, which might already implement something like this.
