pam_bsdbioapi – (BSD) PAM Module to BioAPI

The (BSD) BioAPI service module for PAM provides authentication management.

Apart from the PAM module itself the pam_bsdbioapi package consists of libbirdb and bbdm.


This is a library that provides module independat storage of BIR entries.
Long-term storage are left to libbirdb backend modules.
The following modules are available:

Filebacked database. One b-tree per BSP.
Entries are stored in a MySQL database either locally or remote
Plain text files. Backwards compatible with pam_bsdbioapi 1.0.
Use this only if you really need 1.0 compability.

See libbirdb(3) for more information.


bbdm (BioAPI BIR Database Management) is a account management utility which
works together with BioAPI and libbirdb.
It allows enrollment/verification/identification of BIR records.

See bbdm(1) for more information.


The PAM module itself.
Utilize libbirdb for access to BIR databases.

More information is avaiable from pam_bsdbioapi(8)

Obtaining pam_bsdbioapi

Stable release 1.5.1 (20080315)
Development version
SVN repository (web)
FreeBSD ports tree

Release history

1.5.1 – 20080315
Add -s option to pam module. Makes the login fall back directly without prompting for fingerprint for users that has not enrolled.

Minor compiler warning fixes and some spelling mistakes corrected.

1.5 – 20060223
Major update. Addition of libbirdb and bbdm.
The version number was bumped to 1.5 because of the major update.
Initial release.


  • Atleast FreeBSD 5.x
  • BioAPI, security/bioapi

Configuration and usage

libbirdb configuration

You will need to create a configuration file for libbirdb which lists
the backend modules you want and their arguments.
A sample file is provided and should be sufficient.

This is an example of /usr/local/etc/birdb.conf

# Filebacked database module, entries are stored in a per BSP b-tree.
# Takes one argument wich is the path where the databases are stored.
filedb = {
    path = "/usr/local/share/birdb/"
    arg = "/var/db/bioapi/bir"
# MySQL backend. Entries are stored in an mysql database.
# Arguments
#  host[:port] user[:password] [database:table]
# where the default database and table is bioapi:bir
# You must create the database structure first using the
# supplied SQL file.
#mysql {
#   path = "/usr/local/share/birdb/"
#   arg = "localhost"
#   arg = "bioapi:ipaoid"

# Store BIRs in plain text files.
# NOT RECOMMENDED, only avaiable for backward compability with
# previous versions of pam_bsdbioapi.
plain = {
    path = "/usr/local/share/birdb/"
    arg = "/var/db/bioapi/bir"

If you want to use the MySQL backend you must create the database and
table. A sample scripts for this purpose is available in

PAM configuration

This is an example configuration of /etc/pam.d/system which uses the “BioAPI v1.1 Dummy BSP” (UUID {ffffffff-ffff-ffff-ffff-ffffffffffff}) as biometric backend and “filedb” as the birdb backend

If the BioAPI authentication will fail it will fall back to the standard UNIX authenication module.

auth        sufficient {ffffffff-ffff-ffff-ffff-ffffffffffff} filedb
auth        required     no_warn try_first_pass nullok

If you want to force BioAPI authentication you can change “sufficient” to “required”.

If you want the ability to enroll new users and let the user create new records you will need to configure the “password” service aswell.
The BSP UUID and the birdb backend should match the login configuration.

password    required {ffffffff-ffff-ffff-ffff-ffffffffffff} filedb

BioAPI GUI callbacks

Some BSPs support BioAPI GUI message callback.
This allows a customizable output sent to PAM via pam_info and is very suitable for graphical login managers such as GDM to help them display the biometrical login progress

A message file can be specified with -m /path/to/file

auth    sufficient {ffffffff-ffff-ffff-ffff-ffffffffffff} filedb -m /usr/local/share/pam_bsdbioapi/mymsg.cmsg

See also

Comments are closed.