After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 338635 - bioapi support
bioapi support
Status: RESOLVED FIXED
Product: gnome-screensaver
Classification: Deprecated
Component: general
unspecified
Other Linux
: Normal enhancement
: ---
Assigned To: gnome-screensaver maintainers
gnome-screensaver maintainers
Depends on:
Blocks:
 
 
Reported: 2006-04-15 18:41 UTC by bugs
Modified: 2007-04-11 17:01 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
xscreensaver patch (8.90 KB, patch)
2006-06-04 18:54 UTC, Whoopie
none Details | Review
Lock screen (23.52 KB, image/png)
2006-06-06 19:23 UTC, Whoopie
  Details
debug output (21.65 KB, text/plain)
2006-06-06 20:08 UTC, Whoopie
  Details
patch for gnome-screensaver-2.14.3 (2.65 KB, patch)
2006-10-28 21:09 UTC, Thomas Creutz
none Details | Review

Description bugs 2006-04-15 18:41:20 UTC
Is there any possibility for gnome-screensaver to incorporate bioapi support?  There was a patch for xscreensaver to support bioapi and it would be great to see gnome-screensaver have the same support so that unlocking the screen with the bioapi pam module would be supported.


Link to pam bioapi module:

http://www.qrivy.net/~michael/blua/
Comment 1 Whoopie 2006-06-04 18:54:16 UTC
Created attachment 66741 [details] [review]
xscreensaver patch

Hi,

I'm attaching the xscreensaver patch for bioapi support.
Perhaps, this could be easily ported to gnome-screensaver.

Thanks in advance.

Best regards,
Whoopie
Comment 2 William Jon McCann 2006-06-05 23:02:29 UTC
Thanks for that information.  I've made some changes that should do something equivalent.  Can you try gnome-screensaver from CVS HEAD and set the /apps/gnome-screensaver/try_auth_first gconf key to TRUE?

I don't have a such a device so it is hard for me to test.  Thanks.
Comment 3 Whoopie 2006-06-06 11:45:17 UTC
Hi,

thanks for the fast implementation.

It's hard for me to test CVS. I only have my laptop. I would test any patches against 2.14.1 (which is the version Ubuntu Dapper Drake ships).

I know that this makes it more complicated for you. Sorry!

Best regards,
Whoopie
Comment 4 Whoopie 2006-06-06 19:23:42 UTC
Created attachment 66852 [details]
Lock screen

Hi again,

I was able to test CVS in a VMware. It's not the expected behaviour.

What I'd like to have:
1. Disable password prompt and show bioapi GUI. Here a URL to see how the GUI looks like: http://www.maven.pl/wp-content/uploads/2006/04/thinkpad-finger.png

2. If bioapi PAM fails, show password prompt to be able to authenticate via password.

I attach a snapshot how it looks now. The GUI is the "shadow".

Best regards,
Whoopie
Comment 5 William Jon McCann 2006-06-06 19:47:03 UTC
Thanks for testing it.  Could you run gnome-screensaver from the command line like this: 
gnome-screensaver --no-daemon --debug

Lock the screen and then send me the debug output.  If you aren't able to authenticate when it is like this then log in from another console or ssh in and kill the screensaver process.  The debug output should let me know how it prompts.

It shows its own popup over the screensaver?  Does this actually work with xscreensaver (it shouldn't)?  I suppose there must be some kind of text only mode or else it couldn't work with a text login prompt.  Perhaps it uses text only if DISPLAY isn't set?

Thanks.
Comment 6 Whoopie 2006-06-06 20:08:24 UTC
Created attachment 66856 [details]
debug output

Yes, it shows its own popup over the screensaver.

And it works with the attached patch for xscreensaver.

You're right, if the DISPLAY variable isn't set, it switches to text mode. There was a small video posted on thinkwiki.org: http://chao.ch/tmp/mov01302.mpg
Comment 7 William Jon McCann 2006-06-06 20:17:19 UTC
It isn't supposed to work with xscreensaver.  xscreensaver shouldn't allow any popups over the screensaver but it does.  We fixed this in gnome-screensaver.

I'm not sure this is correct behavior for a pam module to present a GUI directly without communicating via the pam_conv handler.  I would exect PAM to send us a prompt via PAM_PROMPT_ECHO_ON or PAM_TEXT_INFO.  I guess we can try to kludge clearing DISPLAY while authenticating.  That sucks.
Comment 8 Whoopie 2006-06-06 20:23:53 UTC
I don't understand the whole thing, but it's not the PAM module which shows the GUI.

The PAM module invokes the bioapi library which connects to the fingerprint reader.

But we need this GUI to see if the authentication failed or the finger was swiped to fast over the reader, ...

So, the best behaviour would be what I wrote in comment #4.
Comment 9 William Jon McCann 2006-06-06 20:29:05 UTC
My understanding is that the prompts are supposed to be communicated to the client application via pam_conv.  Then the client (gnome-screensaver) would present the prompts to the applicant (user).  That is the only way it can work.  We can have something that looks like your picture in comment #4 but it would be presented by g-s.
Comment 10 Whoopie 2006-06-06 21:00:03 UTC
Why not disabling the password prompt, showing he GUI and falling back if bioapi authentication fails?

I'm seeing this from the end user perspective, so be gracious with me.

Your way would necessitate to rewrite the bioapi PAM module and perhaps also the bioapi library, I think. And there's no real maintainer anymore for both.
The bioapi library for the fingerprint reader is furthermore proprietary.
Comment 11 William Jon McCann 2006-06-06 21:02:03 UTC
So, it seems like it isn't the bioapi's fault at all.  It is the Upek module
that shows the dialog:
http://www.upek.com/support/dl_linux_bsp.asp

It doesn't seem like the source code is open so I can't look at what they are
doing.  However, the pam.pdf file in that download says that if XOpenDisplay
fails it will use text prompts.  However, from the relnotes.txt is says this:
"- built-in GUI callbacks for Xwindows:
            - If no X server available, callback writes messages to stdout"

Oh well, that means it is unusable for us.  The problem is that it isn't a proper PAM module.
Comment 12 Josef nax Hajas 2006-06-07 14:19:16 UTC
Hello, I'm author of xscreensaver patch and I'm also working on pam-bioapi. Yes, it's true that UPEK's driver is proprietary and that it show gui directly on screen if DISPLAY is set. To implement better pam-conv interaction with application is in my responsibility. Also I have very good releationship with UPEK  (their R&D director is my supervisor for diploma thesis which is about implementing support to linux applications) so may be I want to ask some changes in their BSP module if necessary.

Right now I have to learn very hard and do all my this semester exams to the end of June but after that I'm going to continue on all this bioapi related work.
Comment 13 William Jon McCann 2006-06-07 14:25:16 UTC
That is excellent news.  It looks like they make a very nice product so it would benefit everyone if their software worked well on free software systems.  Let me know how I can help.

Ideally the driver would be made open source so that it could be shipped by OS vendors like Red Hat, Novell, Ubuntu, Sun, etc.  That would surely lead to more hardware sales for UPEK.  If it were open source I (and other volunteers) could help you make it better too.
Comment 14 William Jon McCann 2006-06-12 15:26:23 UTC
I've made a few more changes.  gnome-screensaver 2.15.3 should support any proper PAM module that communicates via pam_conv.  So, this is basically fixed.  I'll leave this open to track the bioapi progress.

Josef, if you have any questions or there is anything at all I can do to help please let me know.  Thanks.
Comment 15 William Jon McCann 2006-08-25 15:46:50 UTC
Thanks to Ray we've been able to confirm that PAM auth works correctly.  I'm going to mark this fixed.  Hopefully, the fingerprint reader driver will be open sourced in the future...
Comment 16 Thomas Creutz 2006-10-28 21:06:45 UTC
Hello William!

First thanks for your integration ;-)

I playing around with my Fingerprintreader and found your changes to gnome-sceensaver.

My distribution is Debian Etch with gnome-screensaver version 2.14.3

So I made a "backport" from your changes * (how can i apply the patch?).

Ok.. now i can in gconf-editor set the try_out_first to true.

When I lock the screen, I can use the fingerprint without to hafe enter a dummy pass to the box. Great!

But the dialog from the UPEK-Module looks like the attached picture from Whoopie on Comment #4.

Have i forgotten everything? 

Thanks,
Thomas

* http://cvs.gnome.org/viewcvs/gnome-screensaver/src/gs-lock-plug.c?r1=1.66&r2=1.67 http://cvs.gnome.org/viewcvs/gnome-screensaver/data/gnome-screensaver.schemas.in?r1=1.13&r2=1.14&diff_format=l
Comment 17 Thomas Creutz 2006-10-28 21:09:14 UTC
Created attachment 75580 [details] [review]
patch for gnome-screensaver-2.14.3
Comment 18 Michal J. Gajda 2007-04-11 08:25:06 UTC
Is it possible to also support thinkfinger? http://thinkfinger.sourceforge.net/

I tried to user ThinkFinger 0.3 with gnome-screensaver 2.18, but it doesn't seem to work (even though sudo works).
Comment 19 Whoopie 2007-04-11 17:01:44 UTC
For thinkfinger, please have a look at http://bugzilla.gnome.org/show_bug.cgi?id=411293