[fprint] pam_fprint details
Daniel Drake
dan at reactivated.net
Thu Jun 5 19:33:03 BST 2008
Sorry, hit send by accident.
Jason Gerfen wrote:
> I just have a few questions, comments & suggestions regarding the
> pam_fprint module.
>
> After taking a brief look through the pam_fprint.c source I do not see
> anything in regards to uid/gid mapping for the valid authentication
> based on the image of a scanned fingerprint.
Sorry for being thick, but what exactly do you mean by uid/gid mapping
and why is it useful?
The existing system doesn't have any problems identifying the user. PAM
identifies which user is trying to log in.
> Is this something that you intend to keep? From a Unix/Linux standpoint
> I can see how this might somewhat limit the security of the
> authentication process unless you rely on something such as pam_unix
> within your authentication stack.
I don't understand what you're saying here. What problem are you trying
to solve, and how?
> First I would like to propose the inclusion of a simple getpw to assist
> in the authentication of enrolled finger print authenticated users (I
> can see the use of a getpwnam call but suggest further mapping of user
> accounts to enrolled fingerprint users).
The getpw/getpwnam functions just read the password file. So we get to
see the user's encrypted password. How does that assist in
fingerprint-based authentication?
Or are you saying we should store the user's fingerprint in the password
file?
> Second I have spoken with you before in regards to adding support for
> OpenLDAP/Active Directory (RFC2307) as well as MySQL support for
> centralized authentication. I believe I am now ready to begin adding
> this support into the existing pam_fprint module, and need to know how
> updated the API documentation is.
pam_fprint has no API or any documentation.
libfprint API documentation should be fairly complete for everything
except the asynchronous interface.
This functionality should go in fprintd, not pam_fprint. Then pam_fprint
needs rewriting to use fprintd.
fprintd already has an abstraction layer for different storage backends,
but it might need adaptation to better suit your needs.
> Third, after doing some investigation of Active Directory it is possible
> to implement a photo binary schema attribute for all users following the
> guide http://msdn.microsoft.com/en-us/library/ms953636.aspx shown here.
> For OpenLDAP I have found the following:
> http://www.openldap.org/doc/admin24/schema.html (Section 12.2.4.2
> x-my-Photo)
>
> And an RFC regarding this schema attribute:
> http://www.rfc-editor.org/rfc/rfc2798.txt
>
> MySQL has the blob field type to handle binary data such as photos. One
> thing I would like to do with this is to ensure we have 'all' account
> data available so local accounts on a Unix/Linux system are not needed.
> Much like a roaming profile, an example of a MySQL database table to
> manage this would be something like:
Now you've lost me even more :)
Photos? How does that relate to fingerprint based authentication?
Daniel
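As an added illustration of the point made in this exchange (not code from pam_fprint, libfprint or fprintd, and not Daniel's or Jason's): PAM already supplies the user name to the module, and the only "mapping" a module needs is the name-to-uid/gid lookup that getpwnam performs, with no password material involved. The example below resolves a PAM-style user name with getpwnam_r, refuses names that could escape a per-user storage directory, and builds a per-user enrollment path. The base directory `/var/lib/example-prints`, the `<name>.<uid>/prints` layout and the function names are hypothetical placeholders chosen for this example.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Outcome of resolving the PAM-supplied user name against the account database. */
enum lookup_status { LOOKUP_OK = 0, LOOKUP_NO_USER = 1, LOOKUP_BAD_NAME = 2 };

struct account_info {
    uid_t uid;
    gid_t gid;
    char home[256];
};

/* Reject names that are empty, over-long, or could traverse out of a
 * per-user directory ("..", anything containing '/'). */
static int name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > 32)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return strchr(name, '/') == NULL;
}

/* Map a user name (as PAM hands it to a module) to uid/gid/home.
 * getpwnam_r reads the account database; the password field is never used,
 * because the fingerprint match is what decides authentication here. */
enum lookup_status resolve_account(const char *name, struct account_info *out)
{
    struct passwd pw, *result = NULL;
    char buf[4096];

    if (!name_is_safe(name))
        return LOOKUP_BAD_NAME;
    if (getpwnam_r(name, &pw, buf, sizeof buf, &result) != 0 || result == NULL)
        return LOOKUP_NO_USER;
    out->uid = pw.pw_uid;
    out->gid = pw.pw_gid;
    snprintf(out->home, sizeof out->home, "%s", pw.pw_dir ? pw.pw_dir : "");
    return LOOKUP_OK;
}

/* Convenience wrapper: uid of the account, or -1 if it cannot be resolved. */
long account_uid(const char *name)
{
    struct account_info info;
    return resolve_account(name, &info) == LOOKUP_OK ? (long)info.uid : -1L;
}

/* Build the path of the enrolled-print record for a resolved account.
 * Layout "<base>/<name>.<uid>/prints" is a hypothetical placeholder. */
int enrollment_path(const char *base, const char *name, uid_t uid,
                    char *out, size_t outlen)
{
    int n;
    if (!name_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s.%lu/prints", base, name, (unsigned long)uid);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    struct account_info info;
    char path[512];
    const char *user = "root"; /* stands in for the name PAM would pass */

    if (resolve_account(user, &info) != LOOKUP_OK) {
        fprintf(stderr, "cannot resolve %s\n", user);
        return 1;
    }
    if (enrollment_path("/var/lib/example-prints", user, info.uid,
                        path, sizeof path) != 0)
        return 1;
    printf("%s -> uid %lu gid %lu home %s\n", user, (unsigned long)info.uid,
           (unsigned long)info.gid, info.home);
    printf("prints would be read from %s\n", path);
    return 0;
}
```

The two failure modes worth handling separately are an unknown account (the module should fail closed rather than fall through to another mechanism) and a syntactically unsafe name, which is rejected before it ever reaches the file system.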