“Fingerprint readers integration” team

PPA description

FINGERPRINT AUTHENTICATION FOR UBUNTU BASED ON FPRINTD
=======================================================
This PPA contains packages that add a comprehensive fingerprint-based authentication functionality to Ubuntu, including a seamless integration into GNOME 2.x, Unity and GNOME 3.x. Supported releases of Ubuntu are 12.04, 13.10, 14.04. Please note that since version 12.10 these packages are present in the standard repositories (still, this PPA supports a wider range of fingerprint readers).

Quick installation guide
==================
You should be running Ubuntu 12.04, 13.10, 14.04 or any derivative thereof, and you need to have a supported fingerprint reader. Supported devices are:
     045e:00bb    08ff:1683    08ff:2580    08ff:268d
     045e:00bc    08ff:1684    08ff:2660    08ff:268e
     045e:00bd    08ff:1685    08ff:2680    08ff:268f
     045e:00ca    08ff:1686    08ff:2681    08ff:2691
     0483:2015    08ff:1687    08ff:2682    08ff:2810
     0483:2016    08ff:1688    08ff:2683    08ff:5501
     05ba:0007    08ff:1689    08ff:2684    08ff:5731
     05ba:0008    08ff:168a    08ff:2685    138a:0001
     05ba:000a    08ff:168b    08ff:2686    138a:0005
     061a:0110    08ff:168c    08ff:2687    138a:0008
     08ff:1600    08ff:168d    08ff:2688    147e:1000
     08ff:1660    08ff:168e    08ff:2689    147e:2016
     08ff:1680    08ff:168f    08ff:268a    147e:2020
     08ff:1681    08ff:2500    08ff:268b    147e:3001
     08ff:1682    08ff:2550    08ff:268c    1c7a:0603
To find out your reader's ID, run the lsusb command and look into the sixth column of the output.

1. Add this PPA to your sources:
      sudo add-apt-repository ppa:fingerprint/fprint
      sudo apt-get update
      sudo apt-get upgrade
2. Install the software:
     sudo apt-get install libfprint0 fprint-demo libpam-fprintd gksu-polkit

(Note: If you have experimented with fingerprint authentication before and have changed your /etc/pam.d/common-auth, you may be presented with a screen asking whether you want to override those changes. Select Yes. Under very special circumstances, you may get an error saying
   pam-auth-update: Local modifications to /etc/pam.d/common-*, not updating.
   pam-auth-update: Run pam-auth-update --force to override.
In this case, run “sudo pam-auth-update --force”, exactly as suggested, and enable the fprintd profile manually. Leave the standard system profiles (Unix, Keyring and ConsoleKit) enabled as well.)

3. Launch “fprint project demo” and check that you can enroll and verify your fingerprints and that your reader is indeed supported.
4. Run “fprintd-enroll” in terminal to save your fingerprint.

That's all! Test it: Lock and unlock screen, log out and back in, try sudo in terminal.

Known (minor) issues
=================
1. No fingerprint and password at the same time
At the moment, you cannot type in your password right away when you are asked for fingerprint. You need to make the fingerprint authentication fail first (swipe wrong finger or let it time out) before you are asked for password. This is a limitation of PAM because its modules mustn't be threaded and hence cannot support multiple means of authentication at the same time. (The old ThinkFinger used to do this, but it was a gross hack which caused many troubles.) A possible solution to this limitation is to make gdm, screensaver and policykit-1 support multiple alternative PAM stacks. Fedora 12 has enhanced the GDM login screen with a button that switches between password and fingerprint authentication mode (screenshot: http://bit.ly/cEjYbo). Similar enhancements for screensaver and PolicyKit are being worked on by Red Hat (see https://bugzilla.redhat.com/show_bug.cgi?id=500338).

Note on keyrings and passwordless logins
=================================
If you log in with your fingerprint, the default keyring manager will not have access to your password or any other secret data to decrypt your enciphered content with. The same applies to encrypted partitions and their automatic unlocking with libpam-mount or eCryptFS. Please note that it is not possible to unlock the keyring unless you have typed in your password (there's nothing to unlock it with, and having a key stored somewhere on disk is a very naïve and insecure solution). If you are wondering why fingerprint authentication cannot provide any secret data to replace the standard password mechanism, please read section “How fingerprint authentication works” below.

There are basically 2 possible solutions to the keyring issue:
1. Keep logging in with your password as before (you will need to make the fingerprint authentication fail first by scanning a wrong finger) and then use fingerprint only for sudo and locked screens. This way you will have your standard password available in your session, and keyring and encrypted partitions will work as before.
2. Remove the password from your default keyring. This way the passwords in it will be stored unencrypted, but this may be perfectly acceptable for you if you store only insensitive data in it (such as passwords to Wi-Fi networks). If you decide to take this route, here is a short how-to: Go to Applications > Accessories > Passwords and Encryption Keys, card Passwords, right click on Passwords: login, Change Password and set it to empty string.

Note on gksu (not an issue in default install since 11.10)
=======================
When you run Synaptic or a similar graphical application that requires unlimited, full root privileges, the standard authentication window doesn't get displayed. Yet the fingerprint reader is ready, and a swipe will authenticate the user. The informative window not appearing is a major bug in GNOME's gksu, which will never be fixed because of its inner limitations. Instead, a replacement called gksu-polkit is being developed (its latest version is in this PPA). With this package installed, you can then adjust your menu items to call gksu-polkit instead of gksu. Go to System > Preferences > Main Menu, select the item you want to modify, click Properties and in the Command field change "gksu [options...] command" to "gksu-polkit /full/path/to/command" (note that you need to drop all the options to gksu, if any, and full path to command is required).
Note that nowadays all graphical applications should run with standard user's privileges, not root's. When they need to perform any administrative action, they should get root privileges for this single action (and not for the whole process) via PolicyKit, the new privilege management framework. This is what applications such as “Users and Groups” or “Time and Date” do. Applications that still rely on gksu are outmoded and should be ported to the new framework.
Offending applications include: Synaptic (bug #227482, not a default app since Oneiric, fixed since Precise), Software Sources (fixed in Oneiric), Computer Janitor (fixed in Maverick), Update Manager (fixed in Maverick), or gdebi, the deb installer (bug #189617, not a default app since Maverick)
Gksu-polkit was written as a temporary solution for the applications that still rely on the old (and now deprecated) gksu.

Contact & Feedback
================
Packaging by https://launchpad.net/~jurenka
Packaging requests: bug #376540, bug #346083
Feedback (via Launchpad, by email to ubuntu.box AT-SIGN imx.jurenka D.O.T cz, or by posting to the bugs above) is most welcome.

Issues with the software itself (and not the packaging) are best to be submitted directly to the upstream bug tracker at https://bugs.freedesktop.org/enter_bug.cgi?product=libfprint or to the upstream mailing list at http://lists.freedesktop.org/mailman/listinfo/fprint .
You can run fprintd in debugging mode by executing:
   sudo killall fprintd
   sudo /usr/lib/fprintd/fprintd -t

How fingerprint authentication works
=============================
When you set up fprintd and enroll your fingerprint for the first time, the scan (basically just an image) gets saved on your hard drive (it goes into /var/lib/fprint/<username>). Then when you try to authenticate yourself, the system gets another scan from reader, and it checks whether the picture received looks more or less the same as the picture stored on disk. If that is the case, the user is let in.
This implies that the fingerprint authentication cannot serve as a source of any secret data that could then be used as a password (to decrypt the content of the default keyring or to unlock encrypted partitions, for instance).
Theoretically, one could think of a mathematical reduction of the fingerprint to a number, a reduction that would be comprehensive as well as consistent so that different scans of the same finger always be reduced to the same number but scans of different fingers produce different numbers. Then only a hash of such a description of the fingerprint pattern could be saved on disk for the sake of authentication, and the number itself could be used as a secret, not a particularly strong secret since you keep it publicly at a well known place (your fingertip) and keep leaving copies of it on everything you touch, but at least it wouldn't be stored on your disk, and it could be used for decrypting the keyring, for instance.
However, such a technology is not available at the moment, and it doesn't seem to be feasible either. One hundred years of forensic dactyloscopy haven't brought any applicable algorithm. For the time being, one has to settle for fingerprints only as means of authentication, not as source of passwords for decrypting one's enciphered content.
Additional reading:
Overview of current technology: http://sourceforge.net/apps/mediawiki/sourceafis/ (section Similar projects)
Launchpad discussion on a related matter: bug #276384
Handbook of Fingerprint Recognition: http://bias.csr.unibo.it/maltoni/handbook/

Note on libpam-fprint
=================
The PAM module contained in libpam-fprint has been obsoleted by libpam-fprintd (note the final “d”). Although the latest version of libpam-fprint is available from this PPA, its use is discouraged as it has several shortcomings compared to its successor, libpam-fprintd. If, for whatever reason, you decide to install libpam-fprint, make sure you read /usr/share/doc/libpam-fprint/README.Debian for caveats.

Upstream links
===========
Official wiki: http://www.freedesktop.org/wiki/Software/fprint
Code repository: http://cgit.freedesktop.org/libfprint
Mailing list: http://www.freedesktop.org/wiki/Software/fprint/Mailing_list/
Bug tracker: https://bugs.freedesktop.org/enter_bug.cgi?product=libfprint

Adding this PPA to your system

You can update your system with unsupported packages from this untrusted PPA by adding ppa:fingerprint/fprint to your system's Software Sources. (Read about installing)

Technical details about this PPA

This PPA can be added to your system manually by copying the lines below and adding them to your system's software sources.

Display sources.list entries for:
deb http://ppa.launchpad.net/fingerprint/fprint/ubuntu YOUR_UBUNTU_VERSION_HERE main 
deb-src http://ppa.launchpad.net/fingerprint/fprint/ubuntu YOUR_UBUNTU_VERSION_HERE main 
Signing key:
1024R/2F20733F (What is this?)
Fingerprint:
8141A328E64AC6C85D337D03EFD5FA852F20733F

For questions and bugs with software in this PPA please contact Fingerprint readers integration.

PPA statistics

Activity
0 updates added during the past month.
View package details

Overview of published packages

18 of 8 results
Package Version Uploaded by
fprintd 0.4.1-0ppa1~precise1 David Jurenka (2012-04-29)
gksu-polkit 0.0.3+repack1-0ppa1~trusty1 David Jurenka (2014-02-16)
gksu-polkit 0.0.3+repack1-0ppa1~saucy1 David Jurenka (2013-10-23)
gksu-polkit 0.0.2+git20100909-0ppa2~natty1 David Jurenka (2012-04-09)
libfprint 1:0.5.1-git20130819-1-0ppa1~trusty1 David Jurenka (2014-02-16)
libfprint 1:0.5.1-git20130819-1-0ppa1~saucy1 David Jurenka (2013-10-17)
libfprint 1:0.5.1-git20130819-1-0ppa1~precise1 David Jurenka (2013-09-03)
pam-fprint 1:0.2+git20080330-0ppa2~precise1 David Jurenka (2012-04-09)
18 of 8 results

Latest updates

  • gksu-polkit 10 weeks ago
    Successfully built
  • libfprint 10 weeks ago
    Successfully built
  • gksu-polkit 26 weeks ago
    Successfully built
  • libfprint 27 weeks ago
    Successfully built
  • libfprint 33 weeks ago
    Successfully built