PAM Fingerprint

Available translations: de

PAM Fingerprint is a Linux Pluggable Authentication Module (PAM) for password-less fingerprint authentication. It uses the ZhianTec ZFM-20 fingerprint sensor (a.k.a. "Arduino fingerprint sensor")

Fingerprint sensor

in conjunction with the PyFingerprint library. With a little manual skill, the sensor can be build in a small universal housing:

PAM Fingerprint

Per default the password authentication is set as fallback in case no fingerprint sensor is connected. Two-factor authentication is also possible. The module has to be configured by the pamfingerprint-conf program.

Hardware

PAM Fingerprint requires some hardware:

  • Zhaintec ZFM-20 (a.k.a. "Arduino fingerprint sensor")
  • USB-TTL converter
  • (optional) universal housing (75x55x25)

Connection of the sensor

The sensor and the USB-TTL converter are connected like in the following image:

Connection of the sensor

Installation

After adding the PM Code Works APT repository to the system package sources, the package can be installed using following command:

~# apt-get install libpam-fingerprint

Install missing dependencies:

~# apt-get install -f

Setup

Since PAM Fingerprint communicates via USB and only root is allowed to do this, every user that wants to use PAM Fingerprint must be granted access for using USB:

~# usermod -a -G dialout username

A reboot is now required. After that users can be added to PAM Fingerprint.

~# reboot

PAM Fingerprint consists of the Linux PAM module itself and a console-based configuration utility to add users. To enable fingerprint authentication for a user use e.g. the following command:

~# pamfingerprint-conf --add-user username

Remind to replace username by a real user. Using this command a finger is enrolled twice. To test if added user can login with the finger use e.g. the following command:

~$ pamfingerprint-check --check-user username

The sensor LED should light up and the enrolled finger should be used. During the test some information are printed on the console. If output in last line is "successful" everything works as it should and user is able to use fingerprint authentication in the future.

Credendentials of PAM Fingerprint are stored in the file /etc/pamfingerprint.conf inside the section [users]. The structure of an entry is:

username = Template-ID, SHA256(Fingerprint)

The other section [PyFingerprint] contains settings of the fingerprint sensor.

Since PAM Fingerprint is purely written in Python it can also be run on ARM-HF based Raspberry Pi.

How to write your own PAM module

How PAM works and how PAM modules are written and added to Linux see Linux PAM.