think finger
David Zeuthen
davidz at redhat.com
Thu Oct 25 21:57:38 UTC 2007
On Thu, 2007-10-25 at 10:06 -0400, Jeremy Katz wrote:
> On Thu, 2007-10-25 at 08:55 -0400, Bryan Clark wrote:
> > Pushing off from Ben's email on new user creation [1] I wanted to get
> > some setup for the think finger support that david mentioned [2].
>
> I'd actually like to make it a teensy bit more general and think about
> the non-Thinkfinger readers also. From my Pile Of Laptops, the
> Authentec readers are pretty common. And davidz has already done some
> prodding with them based on his blog ;)
So the one way to do this sanely is to build a simple API that will work
for our purposes; e.g. make it high-level driven by application
requirements. Since messing around with auth tokens / whatever is a
privileged operation, expose it over D-Bus and lock it down via
PolicyKit. It doesn't need to be more complicated than the API offered
by tf-tool
> # tf-tool --help
>
> ThinkFinger 0.3 (http://thinkfinger.sourceforge.net/)
> Copyright (C) 2006, 2007 Timo Hoenig <thoenig at suse.de>
>
> Usage: tf-tool [--acquire | --verify | --add-user <login> |
> --verify-user <login> ] [--verbose]
Notably, to make fingerprint enrollment work in a sane way (we're so not
going to do crazy stuff like running X11 apps as root) _anyway_ you need
to expose it over D-Bus. And, really, it's pretty trivial, only a matter
of a few hours in C; see
http://blog.fubar.dk/?p=94
on details how to do it. Hey, you can even do it in Python and since it
only involves shelling out to tf-tool, it's probably on the order of
hundreds of lines. Now, when we have this API we'll just merge the
following properties on the hal device object
info.capabilities += 'fingerprint_reader'
fingerprint_reader.dbus_service = 'com.example.ThinkfingerService'
fingerprint_reader.dbus_obj = '/'
fingerprint_reader.dbus_iface = 'org.freedesktop.FingerPrinterReader'
so if someone wants to do Authentec or whatever they just do a D-Bus and
make an object that implements the org.freedesktop.FingerPrinterReader
D-Bus interface. Then they merge
info.capabilities += 'fingerprint_reader'
fingerprint_reader.dbus_service = 'com.example.AuthentecService'
fingerprint_reader.dbus_obj = '/'
fingerprint_reader.dbus_iface = 'org.freedesktop.FingerPrinterReader'
Our UI apps simply don't care what fingerprint_reader.dbus_service is;
they only care about poking an object with the D-Bus interface
org.freedesktop.FingerPrinterReader. So the UI simply does
1. hal.find_by_caps('fingerprint_reader')
2. read .dbus_service, .dbus_obj, .dbus_iface
3. checks that .dbus_iface=='org.freedesktop.FingerPrinterReader'
4. calls into the service
5. profit
David
>
> While not very relevant to the interaction, it's mostly important so
> that we don't make assumptions of hardware capabilities that may or may
> not be present.
>
> > Can it's presence be detected automatically? And it's (pam)
> > authentication be added automatically?
>
> They're all usb devices, so pretty detectable. Adding the pam config is
> just a matter of deciding we're doing it and then adding to the stacks
> written out by authconfig
>
> > How many times does it take to train think finger support initially?
>
> This probably depends on the hardware. Thinkfinger is 3 swipes and
> trained in hardware. Some of the other readers just give you back an
> image and you have to do verification[1] on your own. But probably 3 is
> a reasonable guess there too. It's at least the range of "more than
> one, less than many"
>
> > Can it be (re)trained incrementally? Is this required?
>
> Nope, you pretty much have to do the initial readings upfront.
>
> > Can we get the image from think finger for user feedback? Ray mentioned
> > we might be able to fake it, which would probably be good enough.
>
> This is definitely going to be dependent on the hardware, so probably
> can't be counted on.
>
> > Can we detect / remember the number of failed think finger attempts
> > before a successful one? This is related to retraining, if it's
> > possible to retrain the reader or human to scan better over time.
>
> PAM doesn't usually keep track of a number of failures. You could have a module do it, though if you really wanted I think.
>
> Jeremy
>
More information about the Fedora-desktop-list
mailing list