Fingerprint reader on an Lenovo/IBM T43p in Gentoo Linux


This document describes the process of setting up the fingerprint reader of a ThinkPad T43p under Gentoo Linux. There is documentation on the process in the ThinkWiki and the official site of the drivers. These two references were also the basis for the information in here.


You need the following packages from the official portage tree (as of October 5th 2006. My original ebuilds can still be found in my subversion overlay).

And, of course, a shiny T43p.. However, the responses to this article indicate that it also seems to work with T60, T60p, T43 and R52 as well. Thank's for the notification, guys! Keep me updated with other models.

Step-by-step installation

Let's go then. Step-by-step along these lines:

  1. Install the required packages by running:
    emerge bioapi tfm-fingerprint pam_bioapi
  2. Put the users that want to do fingerprinting into groups usb and bioapi. You might want to check that the directory permission of /proc/bus/usb is writable for group usb.
  3. Create the fingerprint file for your user. Run QSample as user, select the "TouchChip" device and enroll your user id. This generates a .bir-file in the current directory.
    Note: if you do not have QSample, you can use the non-GUI tool named Sample. I did not get that to work however, so you better emerge bioapi with USE-flag qt3. (Or drop me a line how to work that command line tool.)
  4. Change to root and install that .bir-file by running these commands:
    SERIAL=`BioAPITest | sed -ne "/Fingerprint/{n;n;s/^.*: \(.\{9\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.*\)/\1-\2-\3-\4-\5/gp}"`
    echo $SERIAL
    If that last command did not print anything like {5550454b-2054-464d-2f45-535320425350}, do SERIAL={5550454b-2054-464d-2f45-535320425350}, then continue:
    mkdir -p /etc/bioapi/pam/$SERIAL
    cp <username.bir> /etc/bioapi/pam/$SERIAL
  5. Replace the contents of /etc/pam.d/system-auth with this here (a backup of the original file might be a good idea). Thanks to "Horror Vacui" for pointing out a shortcoming in the first version of the configuration.
    account    required
    auth       sufficient {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
    password   optional {5550454b-2054-464d-2f45-535320425350} /etc/bioapi/pam/
    auth       required nullok_secure
    password   required difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
    password   sufficient nullok md5 shadow use_authtok
    password   required
    session    required
    session    required

That's it buddy. Now login with your user (probably leave a root console open to be able to revert the changes..) and you will be prompted to swipe the finger. If you want to use the same finger for root, just copy the .bir-file to root.bir in the same directory.

If you compiled xlockmore with USE-flag pam you're even ready to unlock the locked screen by simply pressing enter on the password prompt and then swiping your nose over the reader...
See How to enable the fingerprint reader for information about making it work with xscreensaver (if it doesn't out of the box).

Questions and troubles?

Questions and comments about the ebuilds and this document go to: toe [at] toe [dot] ch.

Before contacting me in case of any problems, make sure you have read:

Thanks, cheerio and goodbye.