GNOME Bugzilla – Bug 338635
bioapi support
Last modified: 2007-04-11 17:01:44 UTC
Is there any possibility for gnome-screensaver to incorporate bioapi support? There was a patch for xscreensaver to support bioapi and it would be great to see gnome-screensaver have the same support so that unlocking the screen with the bioapi pam module would be supported. Link to pam bioapi module: http://www.qrivy.net/~michael/blua/
Created attachment 66741: xscreensaver patch
Hi, I'm attaching the xscreensaver patch for bioapi support. Perhaps this could be easily ported to gnome-screensaver. Thanks in advance. Best regards, Whoopie
Thanks for that information. I've made some changes that should do something equivalent. Can you try gnome-screensaver from CVS HEAD and set the /apps/gnome-screensaver/try_auth_first gconf key to TRUE? I don't have such a device so it is hard for me to test. Thanks.
Hi, thanks for the fast implementation. It's hard for me to test CVS. I only have my laptop. I would test any patches against 2.14.1 (which is the version Ubuntu Dapper Drake ships). I know that this makes it more complicated for you. Sorry! Best regards, Whoopie
Created attachment 66852: Lock screen
Hi again, I was able to test CVS in a VMware. It's not the expected behaviour. What I'd like to have:
1. Disable password prompt and show bioapi GUI. Here is a URL to see what the GUI looks like: http://www.maven.pl/wp-content/uploads/2006/04/thinkpad-finger.png
2. If bioapi PAM fails, show password prompt to be able to authenticate via password.
I attach a snapshot of how it looks now. The GUI is the "shadow". Best regards, Whoopie
Thanks for testing it. Could you run gnome-screensaver from the command line like this:
gnome-screensaver --no-daemon --debug
Lock the screen and then send me the debug output. If you aren't able to authenticate when it is like this then log in from another console or ssh in and kill the screensaver process. The debug output should let me know how it prompts. It shows its own popup over the screensaver? Does this actually work with xscreensaver (it shouldn't)? I suppose there must be some kind of text only mode or else it couldn't work with a text login prompt. Perhaps it uses text only if DISPLAY isn't set? Thanks.
Created attachment 66856: debug output
Yes, it shows its own popup over the screensaver. And it works with the attached patch for xscreensaver. You're right, if the DISPLAY variable isn't set, it switches to text mode. There was a small video posted on thinkwiki.org: http://chao.ch/tmp/mov01302.mpg
It isn't supposed to work with xscreensaver. xscreensaver shouldn't allow any popups over the screensaver but it does. We fixed this in gnome-screensaver. I'm not sure this is correct behavior for a pam module to present a GUI directly without communicating via the pam_conv handler. I would expect PAM to send us a prompt via PAM_PROMPT_ECHO_ON or PAM_TEXT_INFO. I guess we can try to kludge clearing DISPLAY while authenticating. That sucks.
I don't understand the whole thing, but it's not the PAM module which shows the GUI. The PAM module invokes the bioapi library which connects to the fingerprint reader. But we need this GUI to see if the authentication failed or the finger was swiped too fast over the reader, ... So, the best behaviour would be what I wrote in comment #4.
My understanding is that the prompts are supposed to be communicated to the client application via pam_conv. Then the client (gnome-screensaver) would present the prompts to the applicant (user). That is the only way it can work. We can have something that looks like your picture in comment #4 but it would be presented by g-s.
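Added example, not part of the original thread and not gnome-screensaver's code: a client-side PAM conversation callback of the kind the comment above describes, where status text (PAM_TEXT_INFO, PAM_ERROR_MSG) and prompts (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON) all reach the locker and are shown by the locker itself. The names lock_dialog, dup_str and locker_conv and the sample messages are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__has_include) && __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else  /* fallback: the layout and values Linux-PAM's headers define */
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2,
       PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4, PAM_CONV_ERR = 19 };
#endif
/* Hypothetical locker dialog: the user's typed input and the status text it draws. */
struct lock_dialog { const char *typed; char status[128]; };
static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}
/* Conversation callback: module text arrives here and the client presents it. */
static int locker_conv(int n, const struct pam_message **msg,
                       struct pam_response **resp, void *appdata) {
    struct lock_dialog *dlg = appdata;
    struct pam_response *r = n > 0 && dlg ? calloc((size_t)n, sizeof *r) : NULL;
    int i;
    if (!r) return PAM_CONV_ERR;
    for (i = 0; i < n; i++) {
        int style = msg[i]->msg_style;  /* Linux-PAM: array of pointers */
        if (style == PAM_TEXT_INFO || style == PAM_ERROR_MSG) {
            snprintf(dlg->status, sizeof dlg->status, "%s", msg[i]->msg);  /* no reply */
        } else if (style == PAM_PROMPT_ECHO_OFF || style == PAM_PROMPT_ECHO_ON) {
            if (!(r[i].resp = dup_str(dlg->typed ? dlg->typed : ""))) break;
        } else break;                   /* unknown style: refuse */
    }
    if (i == n) { *resp = r; return PAM_SUCCESS; }
    while (i-- > 0) free(r[i].resp);    /* undo partial replies */
    free(r);
    return PAM_CONV_ERR;
}
int main(void) {
    /* Constructed messages, as a conversing fingerprint module might send. */
    struct pam_message info = { .msg_style = PAM_TEXT_INFO, .msg = "Swipe your finger" };
    struct pam_message ask = { .msg_style = PAM_PROMPT_ECHO_OFF, .msg = "Password: " };
    const struct pam_message *msgs[] = { &info, &ask };
    struct lock_dialog dlg = { "constructed-secret", "" };
    struct pam_response *out = NULL;
    int rc = locker_conv(2, msgs, &out, &dlg);
    printf("rc=%d status=\"%s\"\n", rc, dlg.status);
    if (rc == PAM_SUCCESS) { free(out[1].resp); free(out); }
    return rc;
}
```

A module that opens its own window through XOpenDisplay never calls this callback, so the locker has nothing to draw and no way to keep the prompt inside its own dialog.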
Why not disable the password prompt, show the GUI and fall back if bioapi authentication fails? I'm seeing this from the end user perspective, so be gracious with me. Your way would necessitate rewriting the bioapi PAM module and perhaps also the bioapi library, I think. And there's no real maintainer anymore for both. The bioapi library for the fingerprint reader is furthermore proprietary.
So, it seems like it isn't the bioapi's fault at all. It is the Upek module that shows the dialog: http://www.upek.com/support/dl_linux_bsp.asp It doesn't seem like the source code is open so I can't look at what they are doing. However, the pam.pdf file in that download says that if XOpenDisplay fails it will use text prompts. However, the relnotes.txt says this: "- built-in GUI callbacks for Xwindows: - If no X server available, callback writes messages to stdout" Oh well, that means it is unusable for us. The problem is that it isn't a proper PAM module.
Hello, I'm the author of the xscreensaver patch and I'm also working on pam-bioapi. Yes, it's true that UPEK's driver is proprietary and that it shows a GUI directly on screen if DISPLAY is set. Implementing better pam-conv interaction with the application is my responsibility. Also I have a very good relationship with UPEK (their R&D director is my supervisor for my diploma thesis, which is about implementing support in Linux applications) so maybe I want to ask for some changes in their BSP module if necessary. Right now I have to study very hard and do all my exams for this semester by the end of June, but after that I'm going to continue all this bioapi related work.
That is excellent news. It looks like they make a very nice product so it would benefit everyone if their software worked well on free software systems. Let me know how I can help. Ideally the driver would be made open source so that it could be shipped by OS vendors like Red Hat, Novell, Ubuntu, Sun, etc. That would surely lead to more hardware sales for UPEK. If it were open source I (and other volunteers) could help you make it better too.
I've made a few more changes. gnome-screensaver 2.15.3 should support any proper PAM module that communicates via pam_conv. So, this is basically fixed. I'll leave this open to track the bioapi progress. Josef, if you have any questions or there is anything at all I can do to help please let me know. Thanks.
Thanks to Ray we've been able to confirm that PAM auth works correctly. I'm going to mark this fixed. Hopefully, the fingerprint reader driver will be open sourced in the future...
Hello William! First, thanks for your integration ;-) I am playing around with my fingerprint reader and found your changes to gnome-screensaver. My distribution is Debian Etch with gnome-screensaver version 2.14.3. So I made a "backport" of your changes * (how can I apply the patch?). OK, now I can set the try_out_first to true in gconf-editor. When I lock the screen, I can use the fingerprint without having to enter a dummy pass into the box. Great! But the dialog from the UPEK module looks like the attached picture from Whoopie in comment #4. Have I forgotten everything? Thanks, Thomas
* http://cvs.gnome.org/viewcvs/gnome-screensaver/src/gs-lock-plug.c?r1=1.66&r2=1.67
http://cvs.gnome.org/viewcvs/gnome-screensaver/data/gnome-screensaver.schemas.in?r1=1.13&r2=1.14&diff_format=l
Created attachment 75580: patch for gnome-screensaver-2.14.3
Is it possible to also support thinkfinger? http://thinkfinger.sourceforge.net/ I tried to use ThinkFinger 0.3 with gnome-screensaver 2.18, but it doesn't seem to work (even though sudo works).
For thinkfinger, please have a look at http://bugzilla.gnome.org/show_bug.cgi?id=411293