Yesterday I committed to cvs new version of pam_bioapi source code which add possibility have birshadow.db only accessible by root. It is still only partial support since only verify support this (right now I’m working on enroll to support this too, but I think manipulation with fingerprint isn’t so often and if you would like this more secure version you can few days since I implement also enroll for this making as root).
After that I implement also support for payload. Since UPEK still don’t release new version of their BSP with correct support for payloads I’m planing to make possible for users say by some parameter if they want to store it directly in database or in bir (which don’t work with UPEKs BSP). But even if bir store will be accessible only for root – if you planning use payload for storing passwords or ssh private keys you’ll have to be still very careful since payload will not be encrypted (I don’t know how to do that without any private key). It means that if you in following versions store your password in bir database and if someone gain root access to your system he get access to your pain text passwords! Maybe selinux or any alternative can do something with it, but selinux is too complicated to make it working on desktop computer.
Also I have noticed today that gnome-screensaver with new cvs version of pam_bioapi don’t work correctly. Interesting is that in debug messages from gnome-screensaver there are correctly loged pam_conv() messages from pam_bioapi, but at screen they’re not shown.
And also I want to ask you ma dear readers to let me know if you find some grammatical mistake or misspelled word. I know my English is far to be perfect, so may be I can learn something.