[Fingerforce-devel] [Thinkfinger-devel] ThinkFinger, Quo Vadis?

Thu Nov 15 14:29:52 UTC 2007

Hi Luca!

On Thu, 2007-11-15 at 14:12 +0100, Luca Capello wrote:

> nice to see you back on this project :-)

Well, nice to see your constant fidelity in the project :)

> Cc:ing the FingerForce-devel mailing list because this post is
> interesting for Debian as well.

I guess it's a good choice to keep the cross postings up until we have
figured out how to proceed properly.  That will ensure we'll make the
fingerprint experience on Linux a success. 

> FWIW, I use ThinkFinger since the beginning and the latest version with
> Christian's and ssh patches is working fine on X60 with Debian sid.

Can you elaborate a little on "working fine".  Are you saying that
everything (login, displaymanager, screensaver, authentication helpers
[ such as gksudo, kdesu ]) are working fine?

> FYI, the Debian Popularity Contest Statistics reports about 80
> installation of the ThinkFinger packages I maintain [1] and since their
> inclusion in Debian I haven't received any unknown bug.

Great!

> While I announced to upload ThinkFinger into unstable (and then testing,
> so the next Debian release) [2][3], I haven't prepared it yet because of
> the ssh issue Stephen reported on Ubuntu [4].  Have you planned to
> include a fix also for this remaining issue?

Thanks for reminding me.

I've committed the following.

Index: pam/pam_thinkfinger.c
===================================================================

--- pam/pam_thinkfinger.c       (revision 116)
+++ pam/pam_thinkfinger.c       (working copy)
@@ -238,6 +238,7 @@
 {
        int ret;
        int retval = PAM_AUTH_ERR;
+       const char *rhost = NULL;
        pam_thinkfinger_s pam_thinkfinger;
        struct termios term_attr;
        libthinkfinger_init_status init_status;
@@ -252,6 +253,12 @@
        if (pam_thinkfinger.isatty == 1)
                tcgetattr (STDIN_FILENO, &term_attr);
 
+       pam_get_item (pamh, PAM_RHOST, (const void **)( const void*) &rhost);
+       if (rhost != NULL && strlen (rhost) > 0) {
+               pam_thinkfinger_log (&pam_thinkfinger, LOG_ERR, "Error: Remote login from host \"%s\" detected.", rhost);
+               goto out;
+       }
+
        if ((retval = pam_get_user(pamh, &pam_thinkfinger.user, NULL)) != PAM_SUCCESS)
                goto out;
        if (pam_thinkfinger_user_sanity_check (&pam_thinkfinger) || pam_thinkfinger_user_bir_check (&pam_thinkfinger) < 0) {


Thanks,

   Timo


