ACC SHELL
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 7. Using the Fingerprint Reader</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.auth.html" title="Part I. Authentication"><link rel="prev" href="cha.security.kerberos.html" title="Chapter 6. Network Authentication with Kerberos"><link rel="next" href="part.local_security.html" title="Part II. Local Security"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header" border="0" class="bctable"><tr><td width="80%"><div class="breadcrumbs"><p><a href="index.html"> Documentation</a><span class="breadcrumbs-sep"> > </span><a href="book.security.html">Security Guide</a><span class="breadcrumbs-sep"> > </span><a href="part.auth.html">Authentication</a><span class="breadcrumbs-sep"> > </span><strong><a accesskey="p" title="Chapter 6. Network Authentication with Kerberos" href="cha.security.kerberos.html"><span>◀</span></a> </strong></p></div></td></tr></table></div><div class="chapter" title="Chapter 7. Using the Fingerprint Reader"><div class="titlepage"><div><div><h2 class="title"><a name="cha.security.fp"></a>Chapter 7. Using the Fingerprint Reader<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.security.fp">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.security.fp.html#sec.security.fp.supported">7.1. Supported Applications and Actions</a></span></dt><dt><span class="sect1"><a href="cha.security.fp.html#sec.security.fp.yast">7.2. Managing Fingerprints with YaST</a></span></dt></dl></div><p>
If your system includes a fingerprint reader, you can use biometric
authentication in addition to standard authentication via login and
password. After registering their fingerprint, users can log in to the
system either by swiping a finger on the fingerprint reader or by typing
in a password. openSUSE® supports most available fingerprint
readers. For a list of supported devices, please refer to
<a class="ulink" href="http://reactivated.net/fprint/wiki/Supported_devices" target="_top">http://reactivated.net/fprint/wiki/Supported_devices</a>.
</p><p>
If the hardware check detects the fingerprint reader integrated with your
laptop (or connected to your system), the packages
<code class="systemitem">libfprint</code>,
<code class="systemitem">pam_fp</code>, and
<code class="systemitem">yast2-fingerprint-reader</code>
are automatically installed.
</p><p>
Currently, only one fingerprint per user can be registered. The user's
fingerprint data is stored to
<code class="filename">/home/<em class="replaceable"><code>login</code></em>/.fprint/</code>.
</p><div class="sect1" title="7.1. Supported Applications and Actions"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.fp.supported"></a>7.1. Supported Applications and Actions<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.fp.supported">¶</a></span></h2></div></div></div><p>
The PAM module <code class="literal">pam_fp</code> supports fingerprint
authentication for the following applications and actions (although you
may not be prompted to swipe your finger in all cases):
</p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
Logging in to GDM/KDM or a login shell
</p></li><li class="listitem" style="list-style-type: disc"><p>
Unlocking your screen on the GNOME/KDE desktop
</p></li><li class="listitem" style="list-style-type: disc"><p>
Starting YaST and the YaST modules
</p></li><li class="listitem" style="list-style-type: disc"><p>
Starting an application with <code class="systemitem">root</code> permission:
<span class="command"><strong>sudo</strong></span> or <span class="command"><strong>gnomesu</strong></span>
</p></li><li class="listitem" style="list-style-type: disc"><p>
Changing to a different user identity with <span class="command"><strong>su</strong></span> or
<span class="command"><strong>su <code class="option">-</code>
<em class="replaceable"><code>username</code></em></strong></span>
</p></li></ul></div><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Fingerprint Reader Devices and Encrypted Home Directories"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Fingerprint Reader Devices and Encrypted Home Directories</th></tr><tr><td colspan="2" align="left" valign="top"><p>
If you want to use a fingerprint reader device, you must not use
encrypted home directories (see Chapter <i>Managing Users with YaST</i> (↑Reference) for
more information). Otherwise logging in will fail, because decrypting
during login is not possible in combination with an active fingerprint
reader device.
</p></td></tr></table></div></div><div class="sect1" title="7.2. Managing Fingerprints with YaST"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.fp.yast"></a>7.2. Managing Fingerprints with YaST<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.fp.yast">¶</a></span></h2></div></div></div><div class="procedure" title="Procedure 7.1. Enabling Fingerprint Authentication"><a name="id581054"></a><p class="title"><b>Procedure 7.1. Enabling Fingerprint Authentication</b></p><p>
You can only use biometric authentication if PAM is configured
accordingly. Usually, this is done automatically during installation of
the packages when the hardware check detects a supported fingerprint
reader. If not, manually enable the fingerprint support in YaST as
follows:
</p><ol class="procedure" type="1"><li><p>
Start YaST and select <span class="guimenu">Hardware</span>+<span class="guimenu">Fingerprint Reader</span>.
</p></li><li><p>
In the configuration dialog, activate <span class="guimenu">Use Fingerprint
Reader</span> and click <span class="guimenu">Finish</span> to save the
changes and close the dialog.
</p></li></ol></div><p>
Now you can register a fingerprint for various users.
</p><div class="procedure" title="Procedure 7.2. Registering a Fingerprint"><a name="id581114"></a><p class="title"><b>Procedure 7.2. Registering a Fingerprint</b></p><ol class="procedure" type="1"><li><p>
In YaST, click <span class="guimenu">Security and Users</span>+<span class="guimenu">User Management</span> to open the
<span class="guimenu">User and Group Administration</span> dialog. A list of
users or groups in the system is displayed.
</p></li><li><p>
Select the user for whom you want to register a fingerprint and click
<span class="guimenu">Edit</span>.
</p></li><li><p>
On the <span class="guimenu">Plug-Ins</span> tab, select the fingerprint entry
and click <span class="guimenu">Launch</span> to open the <span class="guimenu">Fingerprint
Configuration</span> dialog.
</p></li><li><p>
YaST prompts the user to swipe his finger until three readable
fingerprints have been gathered.
</p><div class="informalfigure"><div class="mediaobject"><table border="0" summary="manufactured viewport for HTML img" cellspacing="0" cellpadding="0" width="70%"><tr><td><img src="images/yast2-fingerprint-register.png" width="100%"></td></tr></table></div></div></li><li><p>
After the fingerprint has been acquired successfully, click
<span class="guimenu">Accept</span> to close the <span class="guimenu">Fingerprint
Configuration</span> dialog and the dialog for the user.
</p></li><li><p>
If you also want to use fingerprint authentication for starting YaST
or the YaST modules, you need to register a fingerprint for
<code class="systemitem">root</code>, too.
</p><p>
To do so, set the filter in the <span class="guimenu">User and Group
Administration</span> dialog to <span class="guimenu">System Users</span>,
select the <code class="systemitem">root</code> entry and register a fingerprint for <code class="systemitem">root</code>
as described above.
</p></li><li><p>
After you have registered fingerprints for the desired users, click
<span class="guimenu">Finish</span> to close the administration dialog and to
save the changes.
</p></li></ol></div><p>
As soon as the user's fingerprint has been successfully registered, the
user can choose to authenticate with either fingerprint or password for
the actions and applications listed in
<a class="xref" href="cha.security.fp.html#sec.security.fp.supported" title="7.1. Supported Applications and Actions">Section 7.1, “Supported Applications and Actions”</a>.
</p><p>
Currently, YaST does not offer verification or removal of fingerprints,
but you remove fingerprints by deleting the directory
<code class="filename">/home/<em class="replaceable"><code>login</code></em>/.fprint</code>.
</p><p>
For more technical details, refer to
<a class="ulink" href="http://reactivated.net/fprint/" target="_top">http://reactivated.net/fprint/</a>.
</p></div></div><div class="navfooter"><table width="100%" summary="Navigation footer" border="0" class="bctable"><tr><td width="80%"><div class="breadcrumbs"><p><a href="index.html"> Documentation</a><span class="breadcrumbs-sep"> > </span><a href="book.security.html">Security Guide</a><span class="breadcrumbs-sep"> > </span><a href="part.auth.html">Authentication</a><span class="breadcrumbs-sep"> > </span><strong><a accesskey="p" title="Chapter 6. Network Authentication with Kerberos" href="cha.security.kerberos.html"><span>◀</span></a> </strong></p></div></td></tr></table></div></body></html>
ACC SHELL 2018