[fprint] fprintd database protection, enrolling fail, abort fprint scanning
jelten at in.tum.de
Wed Nov 16 23:09:16 PST 2011
I have a UPEK Eikon 2 (147e:2016) in my ThinkPad X220t.

I've been using fprint for 3 weeks now; I must say it is an excellent feature
to prevent others from seeing your password, especially in lectures where 8
people are sitting right around you.

Everywhere on the internet it is described to use the pam_fprint.so pam.d
module, but pam_fprint_enroll always fails with error -22 on the last
stage. This means 5 times everything works as it should, but suddenly
the LED on the scanner no longer activates, and the program exits with

So somewhere in the Gentoo wiki I found another pam.d module, pam_fprintd.so.
I inserted this in the sudo pam file, and everything worked just
perfectly. I enrolled my finger with fprintd-enroll; it created a
fingerprint for my user, but not the way it should. Later I noticed a
bunch of security issues.

I think it is possible to enroll a finger with no root privileges and
overwrite existing fingerprints for this user just by executing

This means everyone using the notebook can just overwrite the
fingerprint and have root access.

Where is the database file and why isn't it protected? Can it be
protected just with filesystem access limitations? Why isn't the current
fingerprint checked first, or why is there no password check?

Next thing is, when you ssh into your laptop with fprint
activated for sudo, it will require you to swipe your finger, although
your laptop might be somewhere around the globe. I don't think there's a
way to fix this, but you should be able to skip the scanning process and
continue entering a password.

I actually don't understand why it is not possible to cancel auth with
ctrl-c or whatever yet. When the system has a defined auth order in the
pam setting, you should be able to skip the fingerprinting, like it is
possible with a password.

-- Jonas
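Added example, not from the post or the fprint project: a small POSIX shell check for the sudo PAM stack behaviour Jonas describes, flagging pam_fprintd.so configured as a hard requirement (no fall-through to a password prompt) and confirming that a password module follows it. The PAM file contents used below are constructed, and the check does not follow include lines.

```shell
#!/bin/sh
# Audit one PAM service file (e.g. /etc/pam.d/sudo) for the pattern the
# post complains about: pam_fprintd.so as a mandatory step with no way to
# fall through to a password.  Returns 0 when the stack is acceptable,
# 1 when the fingerprint is mandatory or no password module follows it.
# Caveat: '@include' / 'include' lines are not followed, so on Debian-style
# layouts run it on the included common-auth file as well.
audit_pam_fprintd() {
    file="$1"
    # Keep only 'auth' lines; comment lines start with '#' so they drop out.
    auth_lines=$(awk '$1 == "auth"' "$file")
    # Control flag of the first pam_fprintd.so line (required, sufficient, ...).
    fprintd_ctrl=$(printf '%s\n' "$auth_lines" \
        | awk '/pam_fprintd\.so/ { print $2; exit }')
    if [ -z "$fprintd_ctrl" ]; then
        echo "$file: no pam_fprintd.so in the auth stack: ok"
        return 0
    fi
    case "$fprintd_ctrl" in
        required|requisite)
            echo "$file: pam_fprintd.so is '$fprintd_ctrl': fingerprint is mandatory, no password fallback"
            return 1 ;;
    esac
    # sufficient/optional/bracketed control: a password module must come later,
    # otherwise a failed or cancelled swipe leaves nothing to authenticate with.
    if printf '%s\n' "$auth_lines" | awk '
        /pam_fprintd\.so/ { seen = 1; next }
        seen && /pam_unix\.so|pam_sss\.so|pam_ldap\.so/ { found = 1 }
        END { exit !found }'; then
        echo "$file: pam_fprintd.so is '$fprintd_ctrl' with a password module after it: ok"
        return 0
    fi
    echo "$file: pam_fprintd.so is '$fprintd_ctrl' but no password module follows it"
    return 1
}

# Constructed sample stacks, written to a temp dir so the check runs offline.
demo_dir=$(mktemp -d)
printf 'auth required pam_fprintd.so\nauth required pam_unix.so\n' > "$demo_dir/sudo.mandatory"
printf '#%%PAM-1.0\nauth sufficient pam_fprintd.so\nauth required pam_unix.so nullok\n' > "$demo_dir/sudo.fallback"
printf 'auth sufficient pam_fprintd.so\n' > "$demo_dir/sudo.nopassword"
```

Run `audit_pam_fprintd /etc/pam.d/sudo` on a live system; the constructed files in `$demo_dir` show the mandatory, fallback and no-password cases.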