26

I recently bought a Lenovo Thinkpad Edge E420s, which comes with a fingerprint reader. I have installed the fingerprint-gui and libbsapi to get it fully working (make: UPEK).

Is there a way to unlock the keyring on login using the fingerprint reader?

Apparently you can get it working by setting a blank password when using Thinkfinger, but that's not an option for me.

Running lsusb in the terminal returns Bus 001 Device 003: ID 147e:1002 Upek

JLinden
  • 1,050

6 Answers

15

The whole purpose of the keyring is to store your passwords and data on your storage device. To do that securely, they must be encrypted with something you know (your password). To unlock the keyring, you must provide the password so that gnome-keyring can decrypt the stored passwords.

Your fingerprint cannot be used as a password because it is not always the same. Fingerprint readers apply some fuzzy logic to tell if the stored fingerprint matches the read fingerprint and tell yes or no. That's why it can be used for authentication, but not for decryption of stored passwords (unless you have a blank password or would accept storing your master password unencrypted).

The only way it could work is if the fingerprint device could store your master password on a chip in plaintext that could only be read if the fingerprint matches. And that's assuming that reading the internal memory/registers of a chip is much, much harder than reading your local storage. I really don't know how it is done under Windows, and I hope it is not security through obscurity. But if they're not using hardware to do this, they're simply using some obscure (but insecure) method to store your passwords.

I. Martin
  • 159
  • 1
  • 4
  • 2
    Can't anything be connected to the pam.d pipe to unlock keyrings on login? – cprn Mar 13 '14 at 15:57
  • 5
    Pingback: This issue is still unresolved in Ubuntu 20.04 LTS – Piotr Czekalski Apr 28 '20 at 13:13
  • 17
    The whole purpose of the fingerprint login is not to type in a password on login. If I have to type the password just after the login to unlock the keyring, this defeats the whole purpose of that fingerprint reader. – Elin Y. Apr 29 '21 at 20:37
  • Is there a way to store the password and unlock the keyring that way? While insecure, it will at least enable some setup to work around it; it could be stored on a USB stick and used with pamusb, for example. – Fuseteam Sep 13 '21 at 13:33
  • Pingback: This issue is still unresolved in 22.04 LTS. Note that I understand that it may be insecure, but if you use drive encryption, then it would make sense. – Piotr Czekalski Oct 11 '24 at 20:24
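The distinction the answer above draws between a yes/no fuzzy match and an exact decryption key can be seen in a short added example (not code from the answer or from gnome-keyring). The "templates" are constructed byte strings, the 8-bit matching threshold is an assumption, and the SHAKE/HMAC sealing is a toy stand-in for the keyring's real cipher.

```python
import hashlib
import hmac

def derive_key(secret: bytes, salt: bytes) -> bytes:
    # Exact-input KDF: a one-bit change in `secret` gives an unrelated key.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC (SHAKE-256 keystream + HMAC), illustration only.
    stream = hashlib.shake_256(key).digest(len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return hmac.new(key, ct, "sha256").digest() + ct

def unseal(key: bytes, blob: bytes):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None  # wrong key: nothing can be decrypted
    stream = hashlib.shake_256(key).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def fuzzy_match(enrolled: bytes, reading: bytes, max_bits: int = 8) -> bool:
    # What a matcher does: count differing bits and answer yes or no.
    diff = sum(bin(a ^ b).count("1") for a, b in zip(enrolled, reading))
    return diff <= max_bits

def demo():
    salt = b"constructed-salt"  # fixed so the demo is repeatable
    secret = b"wifi-psk=hunter2"  # constructed keyring content
    by_password = seal(derive_key(b"correct horse", salt), secret)
    # Constructed templates: the rescan differs from enrolment by 3 bits.
    enrolled = bytes(range(32))
    scan = bytearray(enrolled)
    scan[0] ^= 1
    scan[9] ^= 4
    scan[20] ^= 16
    rescan = bytes(scan)
    by_finger = seal(derive_key(enrolled, salt), secret)
    return {
        "password_unlocks": unseal(derive_key(b"correct horse", salt), by_password),
        "matcher_accepts_rescan": fuzzy_match(enrolled, rescan),
        "rescan_unlocks": unseal(derive_key(rescan, salt), by_finger),
    }

if __name__ == "__main__":
    print(demo())
```

The matcher accepts the rescan, yet a key derived from that same rescan fails the integrity check, so the sealed data stays locked.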
3

I managed to create a simple script to unlock the keyring. I'm no security expert and this is by no means a recommended way to do it, but as I always say, convenience is inversely proportional to security. Besides, for fingerprint login, your fingerprints are probably all over the device you're protecting anyway...

Anyway, without further ado, this is one way to do it:

  • create a simple text file somewhere; for this example I will create it at /etc/gnome/pwd.txt. this file will contain your keyring password and nothing else
  • run chmod 600 /etc/gnome/pwd.txt so that only the file owner can read it
  • now you need to run chown $USER:$USER /etc/gnome/pwd.txt to ensure that only your user can read this file
  • create a script called, say, fbi with these contents:
#!/bin/bash
# Pipe the stored keyring password (no trailing newline) into the daemon to unlock the login keyring.
/bin/echo -n "$(/bin/cat /etc/gnome/pwd.txt)" | /usr/bin/gnome-keyring-daemon --daemonize --login
  • then also set the permissions right with chmod 700 /absolute/path/to/fbi and chown $USER:$USER /absolute/path/to/fbi
  • now make a user service by creating a file called, say, /etc/systemd/user/cia.service with the following contents:
[Unit]
Description=Super Top Secret Service

[Service]
ExecStart=/absolute/path/to/fbi

[Install]
WantedBy=graphical-session.target

  • run systemctl --user enable cia and voila, now you automagically unlock your keyring on login

Is it secure? No, it is not. If someone got a hold of your hard drive, sure, they can't read the keyring, but they can find the file that contains the password. This has no real benefit, as far as I can tell, over simply setting a blank password. Is it convenient? Sure is. And hey, you can also not save your password file on the machine you're trying to protect :^3 still not secure tho if that file gets into the wrong hands

Fuseteam
  • 443
2

This is currently a bug with GNOME-Keyring. It was listed as invalid during the previous year, but they recently opened it back up for 11.04 and are working on it as of May 7th 2011. Hope this helps.

https://bugs.launchpad.net/gnome-keyring/+bug/276384

Frosty
  • 86
1

I had the same issue on my T14 Gen2i and solved it this way: open these files: /etc/pam.d/fingerprint-auth and /etc/pam.d/gdm-password

Add auth optional pam_gnome_keyring.so to the top of both files and session optional pam_gnome_keyring.so auto_start to the end of both files. Check they are not repeated in other lines. If so, remove those old lines. Restart the gdm service and now it's working.
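A way to check the placement this answer describes before restarting gdm, as an added example that is not part of the original answer: it parses the text of one PAM service file and reports duplicate, misplaced or incomplete pam_gnome_keyring.so lines. The sample file contents are constructed, and files pulled in through include lines are not followed, so those need the same check.

```python
import re

MODULE = "pam_gnome_keyring.so"
# type, control (plain word or [bracketed list]), module, optional arguments
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Return [type, control, module, args] for every active rule line."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())  # drop comments
        if m:  # blank lines and @include directives do not match
            rules.append([m[1], m[2], m[3], m[4].split()])
    return rules

def audit(text):
    """List deviations from the placement the answer describes."""
    rules = parse_pam(text)
    findings = []
    expected = (("auth", 0, "first"), ("session", len(rules) - 1, "last"))
    for kind, want_pos, where in expected:
        hits = [i for i, r in enumerate(rules) if r[0] == kind and r[2] == MODULE]
        if len(hits) != 1:
            findings.append(f"{kind}: expected 1 {MODULE} line, found {len(hits)}")
            continue
        rule = rules[hits[0]]
        if hits[0] != want_pos:
            findings.append(f"{kind}: line is not the {where} rule")
        if rule[1] != "optional":
            findings.append(f"{kind}: control is {rule[1]}, not optional")
        if kind == "session" and "auto_start" not in rule[3]:
            findings.append("session: auto_start argument missing")
    return findings

# Constructed file contents for the demo, not copied from any distribution.
GOOD = """\
auth     optional    pam_gnome_keyring.so
auth     sufficient  pam_fprintd.so
account  required    pam_unix.so
session  required    pam_unix.so
session  optional    pam_gnome_keyring.so auto_start
"""
# Same file with a leftover duplicate auth line and auto_start dropped.
BAD = GOOD.replace(
    "account", "auth     optional    pam_gnome_keyring.so\naccount"
).replace(" auto_start", "")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(text) or "ok")
```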

0

According to this post from Ubuntu Forums, there is no way to do this.

Eliah Kagan
  • 119,820
dsaint
  • 774
-1

You might wanna try to get fprint working, though I'm not sure it will work because it's not on the list of supported devices; however, it is not on the list of unsupported devices either.

There are packages for upek in general included, so it might just work.

Here are some instructions on how to set it up: http://ubuntuforums.org/showthread.php?t=760018

LayerCake
  • 1,046