Another Problem With Fingerprints And Linux: SSH and sudo
A few days ago I’ve managed to stumble across another problem with using fingerprint authentication on my X61 Tablet. The screenshot below summarizes it the best.
If you run any command that asks you for your password over SSH, then it will ask you to swipe your finger. This is a problem because if you are SSH’ing into your computer, then it most likely means that you are not physically present and so you cannot swipe your finger. The good news is that you don’t have to swipe your finger to actually login via SSH, so this isn’t as big of a problem. Only if you plan to use the sudo or su commands.
So what is the solution? I don’t think there is a good one. I did come up with a proposal for one, but it is not perfect since it doesn’t even work yet with my driver of choice (fprint). The best solution would be for the fingerprint driver to guess if it is being called from a remote machine or local machine, and fail based on that. However that is not possible yet. What I would propose instead is to prompt a user for a fingerprint, allow him to cancel it via a keyboard and then prompt him for a password.
This might not seem like a very good solution, since maybe you want your computer to be very secure and always want a biological identification. Asking for a password then defeats the purpose. If this is what you want, then I suggest you watch this video. Fingerprints readers aren’t very secure and can be bypassed. I think the purpose of having a fingerprint reader is to provide a balance between security and practicality. Swiping a finger is much faster and easier than typing a long password. This is especially true when you are using a tablet and do not have access to a keyboard. And it is relatively secure, since an average person would not probably be able to bypass it. It does require a bit of work and equipment.
Before I begin, I will go over how the fingerprint drivers plug into the standard Linux authentication framework, PAM. This background information is not very throughout, since I have just learned it myself this morning. But it should give you enough knowledge to understand why this fingerprint problem is present and maybe to come up with alternate solutions. Please leave a comment if you do.
When a program wants to authenticate a user, it talks to PAM. PAM asks the program for a username and what service to authenticate for. The reason it asks for a service is that different services might have different rules for authentication. The rules for the service are stored in the file /etc/pam.d/service-name, where service-name is the name of the service. This file contains a list of rules, one rule per line. Comments start with the # symbol and are included. Each rule has the following syntax:
type control module
The type field is the type of the rule. There are different types. For example, the auth type is used to authenticate a user by prompting him for a password. The control field determines what action should be taken if the rule fails or succeeds. For example, a required control means that the rule must succeed for the user to be authenticated. On the other had, a suffiecient control means that if the rule succeed then the user is authenticated and if it fails, then the other rules will be tested. The module field is just a reference to which module will be used to test the rule. The pam.d manpage contains a list of possible values for the type and control fields.
PAM starts by evaluating the rules in order. If the first rule tells it that the user is authenticated, then it finishes. If the first rule tells it that the user is not authenticated, then it proceeds to the next rule (or finishes) based on the value stored in the control field. A quirk is that a required rule is not always tested. For example, if the first rule is sufficient, then the user is authenticated whether any consequent required rules would fail or succeed.
If you followed my tutorial (or one of the many countless tutorials on the web) to setup your finger print reader, then you added the following set of lines to the file /etc/pam.d/common-auth. This file is the set of rules that is included in almost every service defined in the same directory.
auth sufficient pam_fprint.so
auth required pam_unix.so nullok_secure
This means that PAM first asks for a fingerprint. If that fails (wrong finger, reader not present or hardware error…), then the first rule fails. Since the rule is only sufficient, then PAM proceeds to the next rule. The next rule is the rule for standard Unix password authentication. What I would like fprint to do is to fail (causing it to proceed to password prompt) if I hit a certain key. For example according to the ThinkWiki page, the properiaty bio_api driver already does this with the Ctrl+C key combination. This way I could choose whether to use a fingerprint or proceed with typing in a password.
Of course, some people you use the keyboard more than the fingerprint reader. In that case, you can replace those two lines with the following.
auth sufficient pam_unix.so nullok_secure
auth required pam_fprint.so
This means “try password first, then fingerprint”. You can always cause the password prompt to fail by hitting Ctrl+C.