-
-
Notifications
You must be signed in to change notification settings - Fork 22
/
CHANGELOG
351 lines (304 loc) · 15.6 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
Project Fingerprint GUI
=======================
version 1.09 (2016-08-03):
Bugfixes:
- LED on UPEK devices are switched off when fingerprint scan was cancelled
(password invoked),
- Conflict (deadlock) while starting webmin fixed,
- Current version of ressource file "usb.ids" used,
version 1.08 (2016-06-15):
Bugfixes:
- Login doesnt work for Linux Mint 17.2 (Cinnamon and Mate),
- fingerprint-polkit-agent not starting in MATE desktop,
- Space bar not working after fingerprint login.
Improvements:
- Loading fingerprint data via pkexec is only used when not running with
root privilegs (speedup loading).
version 1.07 (2015-07-05):
Bugfixes:
- fixed: fingerprint export doesn't handle well spaces in custom filename,
- important security fix:
Directory "/var/lib/fingerprint-gui" and all its subdirectories are now owned
by root.root with mode 755. All files in these directories are also owned by
root.root with mode 600 now. The helper module "fingerprint-suid" was replaced
by a new module "fingerprint-rw" not set to suid root any more. This module is
executed via "pkexec" for reading and modifying fingerprint data. A new policy
file "cc.ullrich-online.fingerprint-gui.policy" is installed in
"/usr/share/polkit-1/actions/". This policy requires user authentication via
polkit when the users fingerprint data are modified. So an attacker with access
to a user's desktop while the user is away, can not register his fingerprint in
the name of this user any more.
- other changes: libpolkit-qt-1.0 is not supported any more.
version 1.06 (2014-09-24):
Workarounds:
- Fix for cinnamon-screensaver on Mint 16 and Mint 17 provided by Pavel Sochelnikov,
Bugfixes:
- fixed: Segfault after failed login on secure tty,
Improvements:
- fingerpint-helper is aware of multiple screen environments and is
always placed on the screen that contains the cursor,
- Added MATE to fingerprint-polkit-agent.desktop settings,
- New program icon provided by Anna Petrova,
- GUI improvements provided by Pavel Sochelnikov,
version 1.05 (2013-05-08):
Workarounds:
- loader for UPEK devices is aware of the vendorId/productId now:
productId < 0x2000 loads bsapi version 4.0
productId >= 0x2000 loads bsapi version 4.3
Bugfixes:
- fixed: Segfault when stopping libfprint device asynchronous
Improvements:
- new usb.ids file (Version: 2013.05.08)
- tested on Ubuntu 13.04
version 1.05 (pre3):
Workarounds:
- unity-greeter calls pam_sm_authenticate twice for login (Ubuntu 12.10)
and kills the first instance immediately. So we wait for one second
to be killed until we go ahead with authentication.
- missing environment variable DISPLAY in unity-greeter,
so fingerprint-helper is not shown (Ubuntu 12.10). DISPLAY is set
before fingerprint-helper is forked.
- unity-greeter releases the keyboard focus when fingerprint-helper
is started. So noone can invoke a password while fingerprint-helper
waits for finger-swipes. We search for unity-greeters window-id and
push the keyboard focus back to it.
Bugfixes:
- fixed: Deadlock when reading /etc/mtab on systems where /etc/mtab is a symlink
- fixed: Permission problem with uinput for sudo in secure tty
- fixed: Compiler errors since ubuntu 12.10
- fixed: Some wrong include directives for qt4 headers
Improvements:
- new usb.ids file (Version: 2013.01.16)
- tested on Ubuntu 13.04 Beta1
version 1.04 (2012-03-11):
CHANGES:
Bugfixes:
- fixed: When running PAM-service "sudo" in a GUI environment the
fingerprint-helper is started with privilegs of the calling
user now. This avoids Gtk error messages about running a
GUI process as suid root.
- fixed: After lightdm bug #862559 since its version 1.1.4 has been
fixed, pam_fingerprint-gui.so didn't start fingerprint-helper
gui any more due to a bug in the workaround needed for
lightdm versions below 1.1.4 (Ubuntu 11.10).
- fixed: Segfault in DeviceHandler.cpp with newer glibc.
version 1.03 (2011-12-07):
CHANGES:
Bugfixes:
- fixed: fingerprint-polkit-agent doesn't start on Lubuntu 11.10;
- fixed: No fingerprint login on secure tty (Ubuntu 11.10);
- fixed: X-server doesn't restart on logout (Ubuntu 11.10);
- fixed: Error message doesn't show up, when user's homedir is
encrypted and fingerprint login was without password.
version 1.02 (2011-10-23):
CHANGES:
Minor bugfix: Segfault in fingerprint-polkit-agent fixed.
version 1.01 (2011-10-15):
CHANGES (needed for Ubuntu 11.10):
- workaround for bug #862559 (lightdm): Display ":0" hard coded for service
lightdm in pam_fingerprint-gui.so
Minor bugfixes:
- inserted missing "Unity" entry in /etc/xdg/autostart/fingerprint-polkit-agent.desktop
- fixed: disabled password dialog in polkit agent, when more than one administrator user
is available.
version 1.00 (2010-12-13):
CHANGES:
- fingerprint-polkit-agent builds by default on systems with libpolkit-qt-1-0.
For systems with libpolkit-qt-1-1 (Natty) qmake must be called with the extra
argument LIBPOLKIT_QT=LIBPOLKIT_QT_1_1.
- The default PREFIX for building and installing was changed from "/usr"
to "/usr/local".
- System is bundled with UPEK libbsapi "BSAPI_4.0.0218Lite_RC_for_Linux"
supporting a larger number of UPEK device.
Minor bugfixes:
- pam_fingerprint-gui.so fixed for systems without XAuth variable in GDM
environment (Gentoo);
version 1.00-rc3 (2010-11-19):
Additional library required: libpolkit-qt-1
CHANGES:
- Authenticating root in console, gnome-terminal and xterm for "su" works now
without gui widget;
- A new module "fingerprint-polkit-agent" has been added. It enables fingerprint
authentication for the PAM service "polkit-1". The agent needs to be started
at system startup. Therefore the file "fingerprint-polkit-agent.desktop" is
installed to /etc/xdg/autostart. This agent conflicts with files in
/etc/xdg/autostart that must be removed:
"polkit-gnome-authentication-agent-1.desktop" and
"polkit-kde-authentication-agent-1.desktop".
- New "help" menu in fingerprint-gui. "Help" opens a "Fingerprint GUI Manual" in
default browser. If available the manual is opened in the users local language
(See "Manual_??.html" files in /usr/share/doc/fingerprint-gui).
- "sudo make install-upek" installs a new libbsapi.so named
"BSAPI 4.0 for Linux Unqualified Preview". This lib can handle 147e:1000 devices
with NVM emulation now. It will be upgraded as soon a final version is available.
- Default settings for NVM emulation are installed in "/etc/upek.cfg" and a
directory "/var/upek_data" is created.
- Bugfix: Test button is disabled while a test is running; no segfault any more.
version 1.00-rc2 (2010-10-30):
CHANGES:
- IPC between pam_fingerprint-gui.so and fingerprint-helper has been changed
from using libfakekey/uinput to using a pipe (for sending random number,
password and username). This should make the system independent from keymaps.
Only <enter> is sent to the pam prompt by libfakekey or uinput now.
- new argument for pam_fingerprint-gui.so "try_first_identified"
This option avoids a finger-swipe to be requested twice if the PAM stack calls
pam_fingerprint-gui.so more then once. Example for gdm login with disabled
user browser:
File "/etc/pam.d/gdm":
...
auth optional pam_fingerprint-gui.so -d #required to get the username for nologin
auth requisite pam_nologin.so
...
@include common-auth
...
File "/etc/pam.d/common-auth":
...
auth [success=3 default=ignore] pam_fingerprint-gui.so try_first_identified -d
...
The second call to pam_fingerprint-gui.so returns PAM_SUCCESS if the user was
identified by fingerprint in the first call from file "/etc/pam.d/gdm".
version 1.00-rc1 (2010-10-16):
CHANGES: Some minor gui improvements like follows:
- In the "Finger" tab fingers with already existing bir data are marked
green.
- In the "Password" tab the path to the external media for saving the
encrypted password is predefined in the "Save to Directory" field when
a password was saved there before and this media is connected.
BUGFIXES:
- Gnome-screensaver hangs while unlocking -- fixed
- Logout hangs after fingerprint login -- fixed
- Applications using polkit-1 can not be unlocked -- fixed (but fingerprints
are ignored; a password is required)
- Usernames with more than 8 characters don't work -- fixed
- "su" doesn't work in gnome-terminal -- _not_ fixed (as a workaround
"sudo su" can be used)
version 0.15 (2010-08-20):
CHANGES: Some minor bugfixes like follows:
- Environment variables like username or hostname are requested by a
posix compliant system call now;
- The uinput driver module is loaded on-the-fly when needed.
- libbsapi is now installed to /usr/lib (on 32bit systems)
or /usr/lib64 (on 64bit systems);
- The file locations are changed to fit the Filesystem Hierarchy Standard:
Helper programs that should not be called by the user are located in
"/usr/local/lib/fingerprint-gui/" now.
!!!PLEASE UNINSTALL A PREVIOUS VERSION BEFORE INSTALLING THIS ONE!!!
version 0.14 (2010-05-14):
CHANGES: Some minor bugfixes for running on Fedora 12 like follows:
- libbsapi is now installed to /usr/lib
- A bug in selecting the current fingerprint device (with more than one devices
available on the system) was fixed.
- A minor bug in FingerprintPAM (login with given PAM_RHOST) has been fixed.
- A script to disable the user list in gdm was added.
- The install script installs required rules files to /etc/udev/rules.d/ now
when libbsapi.so is installed.
- The install script creates a /etc/upek.cfg file and a /var/upek_data directory
when libbsapi.so is installed.
- The Install-step-by-step.pdf manual has been adapted to Fedora12, Kubuntu 10.04
and Lubuntu 10.04.
- The whole system requires "libfprint-0.1.0" and "libusb-1.0.0" now. Please
upgrade your libfprint (see Ubuntu-upgrade-libfprint.sh)!!
version 0.13 (2010-04-21):
IMPORTANT: Fingerprint data (bir) and configuration files (config.xml) located
in "~/.fingerprints/...", that are created by a previous version, can _not_ be
used any more! All user-specific data and configuration has to be newly setup!
The entry "/usr/local/bin/fingerprintPlugin -d" made with gconf-editor for
the gnome-screensaver, that was created for a previous version, has to be changed
to "/usr/local/bin/fingerprint-plugin -d".
All entries for fingerprint in PAM configuration files (/etc/pam.d/...) have to
be renamed from "libpam_fingerprint.so" to "pam_fingerprint-gui.so".
For more information about upgrading please read IMPORTANT-UPGRADE-INFORMATION.txt.
CHANGES: Lots of code cleanup and CONFIGURATION CHANGES:
- Executables have been renamed to "fingerprint-gui", "fingerprint-helper",
"fingerprint-identifier", "fingerprint-plugin" and "pam_fingerprint-gui.so".
- A new executable "fingerprint-suid" has been added. It is called from
fingerprint-gui and creates subdirectories for user's bir-data with proper
directory- and file mode.
- Fingerprints and user configurations are NOT stored to the user's home directory
any more! They are stored to a new directory /var/lib/fingerprint-gui/<user>/ now.
(This makes it possible to login for users with an encrypted home directory,
when an external media with stored encrypted password is available).
- Subdirectories for fingerprint data of different drivers are now named after
the driver name.
- A wrapper for proprietary device drivers is now used for those devices.
- Proprietary driver libraries are now dynamically loaded at runtime. Different
executables (linked to proprietary drivers) are not needed any more.
- A preliminary mechanism is used for identifying an unmounted encrypted homedir
of the identified user:
- if the homedir is empty, it is assumed to be encrypted and unmounted;
- if it is not empty _and_ a file "README.TXT" exists _and_ this file is a
symlink _and_ this symlink points to a path that contains a string
"ecryptfs-utils" in pathname, the homedir is assumed to be encrypted and
unmounted.
In case the homedir of the identified user is encrypted and unmounted _and_
an external media containing the users password can not be found, the login
with fingerprint is stopped and an error message
"!!!ERROR: FOUND ENCRYPTED HOMEDIR BUT NO PASSWORD!!!"
is given via PAM conversation. This protects the user from being logged-in
into a session with unmounted homedir.
Maybe I find a more elegant procedure for detecting an encrypted and unmounted
homedir in a later version. Suggestions welcome!
version 0.12 (2009-10-23):
- "with-upek" binaries are linked against UPEKs libbsapi version 3.6 now.
- libbsapi is now availbale as 32bit and 64bit version (install.sh).
- changed displaying behaviour of fingerprint icons while acquire to support
more than 5 required swipes.
version 0.11 (2009-07-15):
- new feature "Save encrypted password to removable media".
version 0.10 (2009-05-13):
- fixed: GDM login on Ubuntu 9.04 didn't work.
version 0.9 (2009-02-23):
- fixed: Identifying didn't work with some libfprint drivers on 64bit systems.
- new: "configure.sh" script that creates makefiles for 32bit and 64bit.
- new: Precompiled 64bit and 32bit binaries for all modules.
- new: Installation script "install.sh" can now install on 32bit and 64bit
systems with "--fprin-only" and "--with-upek" arguments. It makes use of
"getlibs" to overcome the limitation that results from "libbsapi" being 32bit
only for UPEK devices.
version 0.8 (2009-02-05):
- fixed: Ignoring users with empty "gecos" field in /etc/passwd
version 0.7 (2009-01-29):
- fixed: "Abnormal Program Termination" when called from KDM;
- new "Troubleshooting" section in tutorial.
version 0.6 (2009-01-24):
- fixed: Segfault in GUI when pam_unix2.so was called from "Test" button;
- complete new designed libpam_fingerprint.so (see Hacking.pdf);
- new module "fingerprintPlugin" to beused with gnome-screensaver;
- "Install-step-by-step" tutorial enhanced for Fedora 10;
- new "Hacking" tutorial.
version 0.5 (2008-10-27):
- fixed: Segfault in Identifier and PAM when no fingerprint devices are available;
- fixed: Segfault in GUI when more than one fingerprint device is connected;
- removed: Blacklist for services in fingerprintPAM.cpp.
- added: Error messages to stderr when no devices or fingerprints are available
for fingerprintIdentifier;
- added: Error message in Identifier when fingerprint device could not opened.
- added: "Test" button for important PAM services in fingerprintGUI.
- added: "Ubuntu Step by Step" configuration tutorial.
- tested with standalone device HP Compaq SK-3350 (AuthenTec AES2501A).
version 0.4 (2008-10-09):
- fingerprintIdentifier returns login name of the identified user now,
(to be used in scripts or other programs);
- fingerprintPAM can identify users while login before promting for username,
(the former planned fingerprintLogin module is no longer needed);
- target of fingerprintPAM library was renamed to "libpam_fingerprint.so";
- changed layouts and window decorations;
- login tested on Ubuntu 8.04 and SuSE 11.0 (with gdm);
- directory structure and makefiles are changed to build "with-upek" and
"fprint-only" versions of all targets now.
version 0.3 (2008-09-20):
- lots of code cleanup,
- many bugs fixed (compiles and runs now with undefined "HAS_LIBBSAPI"),
- tested on SuSE 11.0 with KDE 3.5.
version 0.2 (2008-08-29):
- added module fingerprintPAM (libfingerprintPAM.so) for using with PAM authentication.
Known issues:
- doesn't show the gui when called from "gksu" or "gnome-screensaver",
ATTENTION: TEST CAREFULLY! Configure pam to use it with
"gnome-screensaver" only if you know what you are doing. It can make your
system unaccessible!
- doesn't authenticate "seahorse" with login (I don't know why yet);
- ONLY TESTED ON Ubuntu 8.04 with UPEK built-in TouchStrip on an IBM R52
version 0.1 (2008-08-22):
Initial version for testing and proof of concept only, containing
fingerprintGUI and fingerprintIdentifier