Fingerprint Recognition with Linux & IBM's T42 156
Michael R. Crusoe writes "UPEK, provider of popular fingerprint sensors to IBM's T42 notebooks and others, has announced that they will be providing a BioAPI compliant library to perform biometric authentication under GNU/Linux. Will Linux be the first operating system to have integrated biometric user authentication 'out of the box'?"
Ahem, PAM (Score:5, Interesting)
They're talking about writing this whole framework for Linux called BioAPI, and then once that's done they're going to work on a BioAPI-to-PAM gateway, but that seems like way too much work.
Why can't an authentication module simply maintain its own database to register the biometric data associated with each user?
The way it is now, pam_unix.so does a one-way hash of the password you create and compares it with a one-way hash of whatever password you enter to log on, right? The password once stored is never stored in the clear.
I get the fact that you can't do that with biometric data because the data never is exactly the same, i.e., the one-way hash of the fingerprint you use to create the account won't be the same as the one-way hash created as you log on. And to do the comparison otherwise you'd need to load the data into memory, which is like loading a password, which is bad.
This is a really tricky problem.
I just don't see why we need a new framework. Seems to me, we need a new kind of hash function.
Why can't that go into pam_finger.so?
Re:Ahem, PAM (Score:2, Interesting)
That's stupid. There is nothing like "PAM killer" on the horizont in next 1-2 years! And there is no need for it - AFAIK PAM architecture is very clever and there are none "system design limitations" (but I'm NOT PAM expert - if I'm wrong, please correct me!)
Better portability to systems that don't use PAM. QNx, ReactOS, Windows, MacOS the world is a big place...
AFAIK MacOS is using PAM (or not?). And writing new API means that you've to transfer (and integrate it into existing) Windows/QNX... OS. The effort is much bigger then having "proprietary" library and just port it to Windows native login API/Linux PAM/...
More uses for the software. Maybe you can use this fingerprinter together with a Firefox plugin to slightly increse the security of your bank transactions?
WRONG! Just make FireFox PAM plugin and voila - you can use your "PIN pad" (if it has PAM plugin), fingerprint/face/voice/DNA/... recognition (just by having PAM plugin for this) out of box!
That wouldn't be a first (Score:3, Interesting)
Anyone on breaking the biometric authentication? (Score:3, Interesting)
So big brother will run on Linux... (Score:3, Interesting)
I am reminded that when I was reading Stallman's The Right To Read [gnu.org] (linked from the recent Slashdot story Old-Fashioned DRM Protects Harry Potter Book [slashdot.org]), I wondered why it didn't include biometrics. That would have prevented the happy ending.
Having biometrics on my computer with a free / open source OS wouldn't be scary like having biometrics on my computer with a closed OS and hardware DRM, of course.
For public / institutional networks though, I can't help but wonder where it's going. But on the plus side, at least if big brother runs on Linux I won't worry so much about script kiddies stealing my identity.
Password renewal (Score:3, Interesting)
Re:Ahem, PAM (Score:3, Interesting)
No, you just don't understand what is being discussed here.
That is not Kerberos Single Sign On. Read the man page for sshd_config, in particular the section on GSSAPI authentication.
Digital Persona Support (Score:2, Interesting)