Skip to content

Instantly share code, notes, and snippets.

@pastleo

pastleo/howdy-face-recognition-arch-kde.md

Last active April 12, 2024 06:34
Show Gist options
  • Star 29 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save pastleo/76597c6ae8f95bb02982fea6df3a3ade to your computer and use it in GitHub Desktop.
Save pastleo/76597c6ae8f95bb02982fea6df3a3ade to your computer and use it in GitHub Desktop.
Download ZIP
Setup face recognition authentication on ArchLinux and KDE Plasma using howdy
Raw
howdy-face-recognition-arch-kde.md

Setup face recognition authentication on ArchLinux and KDE Plasma using howdy

This is surprisingly easy...basically following Arch Wiki:

https://wiki.archlinux.org/index.php/Howdy

After some investigation, here is step by step and preferences

Install howdy

https://github.com/boltgolt/howdy

https://aur.archlinux.org/packages/howdy/

yay -S --editmenu howdy

yay is an AUR helper

on 2019/10/30, I need to edit PKGBUILD, removing --yes USE_AVX_INSTRUCTIONS to get it compiled

Setup howdy

Find out IR camera device

mpv /dev/video2
# see if this device is IR camera
# it might be /dev/video0, /dev/video1, /dev/video{N}...

mpv is a video playback application

config.ini

sudo vim /lib/security/howdy/config.ini
[core]
# Print that face detection is being attempted
detection_notice = true

# ...

[video]
# The certainty of the detected face belonging to the user of the account
# On a scale from 1 to 10, values above 5 are not recommended
certainty = 4.5

# ...

# The path of the device to capture frames from
# Should be set automatically by an installer if your distro has one
device_path = /dev/video2

# ...

# Because of flashing IR emitters, some frames can be completely unlit
# Skip the frame if the lowest 1/8 of the histogram is above this percentage
# of the total
# The lower this setting is, the more dark frames are ignored
dark_threshold = 100

where device_path = /dev/video{N} is the IR camera device we found using mpv above

Register faces

sudo howdy add # follow its instructions

explore by sudo howdy --help, you will learn to list, remove faces

Set using howdy to authenticate

sudo vim /etc/pam.d/kde # for KDE lock screen
sudo vim /etc/pam.d/sudo # for sudo, obviously

add this line to kde and sudo files before system-auth line:

auth sufficient pam_python.so /lib/security/howdy/pam.py

# original system-auth setting
auth include system-auth

Get KDE lock screen using howdy to unlock

boltgolt/howdy#219

  • detection_notice = true above will make lock screen showing Attempting face detection
  • dismiss_lockscreen = above will prevent IR camera from keeping scanning after unlock (kind of loop?)

And run this to allow using howdy:

sudo chmod -R 755 /lib/security/howdy

Reboot to ensure PAM setting is taking place

Prevent GStreamer warnings in shell

https://wiki.archlinux.org/index.php/Howdy#GStreamer_warnings_in_shell

vim ~/.xprofile

add this line:

export OPENCV_LOG_LEVEL=ERROR

Then reboot or re-login

Using howdy to authenticate

When sudo

Just sudo ..., howdy will start

To unlock KDE lock screen

Leave password empty and press enter, howdy should start

Using howdy on SDDM is not recommended

SDDM is display manager that authenticates only when laptop just boots up and login, while lock screen asks for authentication much more often

add auth sufficient pam_python.so /lib/security/howdy/pam.py to /etc/pam.d/sddm will make it to authenticate using howdy, leave password empty and press enter

But this will result some drawbacks:

  • when failed, SDDM's password input box seems to be freezed..
  • will be unable to unlock KDE Wallet automatically on login and ask password to unlock KDE Wallet for Wifi credentials...Arch Wiki Link
@bogdan-getstream
Copy link

bogdan-getstream commented Jun 2, 2020
edited

Using howdy with password first auth (ArchLinux)
For security reasons it's better to first ask password (especially with sudo).

To do that apply following changes to /etc/pam.d/system-auth (make sure howdy is not used in any other files)

auth      sufficient    pam_unix.so     try_first_pass nullok
auth      optional      pam_permit.so
auth      required      pam_env.so
auth      required      pam_python.so /lib/security/howdy/pam.py use_first_pass

@pastleo
Copy link
Author

pastleo commented Jun 19, 2020

for sudo, it is truly better to use password first, after some try and error, my /etc/pam.d/sudo ended up like this:

auth      sufficient    pam_unix.so   try_first_pass nullok
auth      optional      pam_permit.so
auth      required      pam_env.so
auth      sufficient    pam_python.so /lib/security/howdy/pam.py
auth      required      pam_unix.so
account   include       system-auth
session   include       system-auth
  • the first pam_unix.so makes it ask for password first
  • then use howdy if password is not correct
  • finally use pam_unix.so as required if howdy failed

for /etc/pam.d/system-auth, I left it unchanged it because I don't want to use howdy for other situations, (sddm, for example)

@nirit100
Copy link

for sudo, it is truly better to use password first, after some try and error, my /etc/pam.d/sudo ended up like this:

auth      sufficient    pam_unix.so   try_first_pass nullok
auth      optional      pam_permit.so
auth      required      pam_env.so
auth      sufficient    pam_python.so /lib/security/howdy/pam.py
auth      required      pam_unix.so
account   include       system-auth
session   include       system-auth

* the first `pam_unix.so` makes it ask for password first

* then use `howdy` if password is not correct

* finally use `pam_unix.so` as required if `howdy` failed

for /etc/pam.d/system-auth, I left it unchanged it because I don't want to use howdy for other situations, (sddm, for example)

Is there a way of achieving this exact behavior, except having howdy run only when entering an empty password into sudo?

@pastleo
Copy link
Author

pastleo commented Apr 22, 2022

actually, i dont know 😅 i want this behavior as well

@rasulali
Copy link

rasulali commented Oct 2, 2022

How can I make kde lock screen to go straight to the desktop without hitting enter key. Upon successful face recognition it shows unlock button at middle so you need to hit enter key or the button to go to desktop. If there is a way to make it seamless that would be perfect because I only use it for screen unlocking. Not sudo or display manager

@SpektacleFR
Copy link

what about using it with GDM?

@pastleo
Copy link
Author

pastleo commented Oct 16, 2022

sorry guys I have switched to another laptop that has a fingerprint reader and it works with Linux perfectly, therefore I am not using howdy anymore, not even sure about current kde lock screen behavior with howdy 😅

for GDM, I think it is /etc/pam.d/gdm-password, but you may need to try yourself, and seems like it is for both logins and unlocks, cannot use different pam settings

@jaxvanyang
Copy link

sorry guys I have switched to another laptop that has a fingerprint reader and it works with Linux perfectly, therefore I am not using howdy anymore, not even sure about current kde lock screen behavior with howdy sweat_smile

for GDM, I think it is /etc/pam.d/gdm-password, but you may need to try yourself, and seems like it is for both logins and unlocks, cannot use different pam settings

Yes, it's /etc/pam.d/gdm-password. Here is my configuration:

#%PAM-1.0

# manually added for Howdy
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_python.so /lib/security/howdy/pam.py

auth       include                     system-local-login
auth       optional                    pam_gnome_keyring.so

account    include                     system-local-login

password   include                     system-local-login
password   optional                    pam_gnome_keyring.so use_authtok

session    include                     system-local-login
session    optional                    pam_gnome_keyring.so auto_start

@Than0s-op
Copy link

Thank you bro

@Cloud0310
Copy link

Now, the default version of python on Arch Linux has already been upgraded to python3, which is causing the previous auth lib (pam_python.so) not found, as well as the 2.6.1 version of howdy code don't function well.
(# pam-python is running python 2, so we use the old module here)

Here's how to solve this issue:

  1. Change the lib path
auth sufficient pam_python.so /lib/security/howdy/pam.py

to

auth sufficient pam_python3.so /lib/security/howdy/pam.py

which solves the issue with not founding pam_python.so problem
2. Change the pam.py file in /lib/security/howdy/pam.py line 10 and 13

# pam-python is running python 2, so we use the old module here
import ConfigParser

# Read config from disk
config = ConfigParser.ConfigParser()
config.read(os.path.dirname(os.path.abspath(__file__)) + "/config.ini")

to

# pam-python is running python 2, so we use the old module here
import configparser

# Read config from disk
config = configparser.ConfigParser()
config.read(os.path.dirname(os.path.abspath(__file__)) + "/config.ini")

Then it would work as predicted.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment