Fingerprint reader on an Lenovo/IBM T43p in Gentoo Linux

What?

This document describes the process of setting up the fingerprint reader of a ThinkPad T43p under Gentoo Linux. There is documentation on the process in the ThinkWiki and the official site of the drivers. These two references were also the basis for the information in here.

Requirements

You need the following packages from the official portage tree (as of October 5th 2006. My original ebuilds can still be found in my subversion overlay).

• sys-auth/bioapi
• sys-auth/tfm-fingerprint
• sys-auth/pam_bioapi

And, of course, a shiny T43p.. However, the responses to this article indicate that it also seems to work with T60, T60p, T43 and R52 as well. Thank's for the notification, guys! Keep me updated with other models.

Step-by-step installation

Let's go then. Step-by-step along these lines:

1. Install the required packages by running:

   emerge bioapi tfm-fingerprint pam_bioapi

2. Put the users that want to do fingerprinting into groups usb and bioapi. You might want to check that the directory permission of /proc/bus/usb is writable for group usb.
3. Create the fingerprint file for your user. Run QSample as user, select the "TouchChip" device and enroll your user id. This generates a .bir-file in the current directory.
   Note: if you do not have QSample, you can use the non-GUI tool named Sample. I did not get that to work however, so you better emerge bioapi with USE-flag qt3. (Or drop me a line how to work that command line tool.)
4. Change to root and install that .bir-file by running these commands:

   SERIAL=`BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}"`
   echo $SERIAL

   If that last command did not print anything like {5550454b-2054-464d-2f45-535320425350}, do SERIAL={5550454b-2054-464d-2f45-535320425350}, then continue:

   mkdir -p /etc/bioapi/pam/$SERIAL
   cp <username.bir> /etc/bioapi/pam/$SERIAL

5. Replace the contents of /etc/pam.d/system-auth with this here (a backup of the original file might be a good idea). Thanks to "Horror Vacui" for pointing out a shortcoming in the first version of the configuration.

   account    required     pam_unix.so
   auth       sufficient   pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
   password   optional     pam_bioapi.so {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
   auth       required     pam_unix.so nullok_secure
   
   password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
   password   sufficient   pam_unix.so nullok md5 shadow use_authtok
   password   required     pam_deny.so
   
   session    required     pam_limits.so
   session    required     pam_unix.so

That's it buddy. Now login with your user (probably leave a root console open to be able to revert the changes..) and you will be prompted to swipe the finger. If you want to use the same finger for root, just copy the .bir-file to root.bir in the same directory.

If you compiled xlockmore with USE-flag pam you're even ready to unlock the locked screen by simply pressing enter on the password prompt and then swiping your nose over the reader...
See How to enable the fingerprint reader for information about making it work with xscreensaver (if it doesn't out of the box).

Questions and troubles?

Questions and comments about the ebuilds and this document go to: .

Before contacting me in case of any problems, make sure you have read:

• How to enable the fingerprint reader
• and
• The Internet

Thanks, cheerio and goodbye.

Last edited: January, 3rd 2007
Tobias Sager --