[fprint] pam_fprint details

Daniel Drake dan at reactivated.net
Thu Jun 5 19:33:03 BST 2008


Sorry, hit send by accident.

Jason Gerfen wrote:
> I just have a few questions, comments & suggestions regarding the 
> pam_fprint module.
> 
> After taking a brief look through the pam_fprint.c source I do not see 
> anything in regards to uid/gid mapping for the valid authentication 
> based on the image of a scanned fingerprint.

Sorry for being thick, but what exactly do you mean by uid/gid mapping 
and why is it useful?

Existing system doesn't have any problems identifying the user. PAM 
identifies which user is trying to log in.

> Is this something that you intend to keep? From a Unix/Linux standpoint 
> I can see how this might somewhat limit the security of the 
> authentication process unless you rely on something such as pam_unix 
> within your authentication stack.

I don't understand what you're saying here. What problem are you trying 
to solve, and how?

> First I would like to propose the inclusion of a simple getpw to assist 
> in the authentication of enrolled fingerprint authenticated users (I 
> can see the use of a getpwnam call but suggest further mapping of user 
> accounts to enrolled fingerprint users).

The getpw/getpwnam functions just read the password file. So we get to 
see the user's encrypted password. How does that assist in 
fingerprint-based authentication?

Or are you saying we should store the user's fingerprint in the password 
file?

> Second I have spoken with you before in regards to adding support for 
> OpenLDAP/Active Directory (RFC2307) as well as MySQL support for 
> centralized authentication. I believe I am now ready to begin adding 
> this support into the existing pam_fprint module, and need to know how 
> updated the API documentation is.

pam_fprint has no API or any documentation.
libfprint API documentation should be fairly complete for everything 
except the asynchronous interface.

This functionality should go in fprintd, not pam_fprint. Then pam_fprint 
needs rewriting to use fprintd.

fprintd already has an abstraction layer for different storage backends, 
but it might need adaptation to better suit your needs.

> Third, after doing some investigation of Active Directory it is possible 
> to implement a photo binary schema attribute for all users following the 
> guide http://msdn.microsoft.com/en-us/library/ms953636.aspx shown here.
> For OpenLDAP I have found the following: 
> http://www.openldap.org/doc/admin24/schema.html (Section 12.2.4.2 
> x-my-Photo)
> 
> And an RFC regarding this schema attribute: 
> http://www.rfc-editor.org/rfc/rfc2798.txt
> 
> MySQL has the blob field type to handle binary data such as photos. One 
> thing I would like to do with this is to ensure we have 'all' account 
> data available so local accounts on a Unix/Linux system are not needed. 
> Much like a roaming profile, an example of a MySQL database table to 
> manage this would be something like:

Now you've lost me even more :)
Photos? How does that relate to fingerprint based authentication?

Daniel
