-
-
Save robertoschwald/d34f78fe1cb66032695ebd747bd189a1 to your computer and use it in GitHub Desktop.
Config Howdy-Beta for Fedora 39 using GNOME
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -e | |
| # Configure Fedora PAM to use Howdy for facial recognition | |
| # Configured sudo and GDM login. | |
| # SELinux is also configured to allow Howdy to access necessary resources. | |
| # Notes: | |
| # - This script is tested on Fedora 39. | |
| # - This script is for howdy-beta version, which provides pam_howdy.so | |
| # Reference: https://copr.fedorainfracloud.org/coprs/principis/howdy-beta/ | |
| # Based on https://gist.github.com/m1nicrusher/35e79b20553c8863e0c642f8d801da7f | |
| # sudo required | |
| if ! [ "$(id -u)" = 0 ]; then | |
| echo "Root privilege is needed. Please rerun the script as root." >&2 | |
| exit 1 | |
| fi | |
| SUDO_CFG="/etc/pam.d/sudo" | |
| GDM_CFG="/etc/pam.d/gdm-password" | |
| SUDO_PATTERN='1i\' # Append to the first line | |
| GDM_PATTERN='/auth.*substack.*password-auth/i\' # Append before password-auth line | |
| HOWDY_PAM="auth sufficient pam_howdy.so" | |
| if ! grep -q "$HOWDY_PAM" "$SUDO_CFG"; then | |
| echo "Configuring sudo PAM" | |
| sed -i "$SUDO_PATTERN$HOWDY_PAM" $SUDO_CFG | |
| else | |
| echo "sudo PAM already configured" | |
| fi | |
| # Configure GDM | |
| if ! grep -q "$HOWDY_PAM" $GDM_CFG; then | |
| echo "Configuring GDM PAM" | |
| sed -i "$GDM_PATTERN$HOWDY_PAM" $GDM_CFG | |
| else | |
| echo "GDM PAM already configured" | |
| fi | |
| echo "Configuring SELinux (this takes a moment)" | |
| MODULE=$(cat << EOF | |
| module howdy 1.0; | |
| require { | |
| type lib_t; | |
| type xdm_t; | |
| type v4l_device_t; | |
| type sysctl_vm_t; | |
| class chr_file map; | |
| class dir { create add_name }; | |
| class file { create getattr open read write }; | |
| } | |
| #============= xdm_t ============== | |
| allow xdm_t lib_t:dir create; | |
| allow xdm_t lib_t:dir add_name; | |
| allow xdm_t lib_t:file { create write }; | |
| allow xdm_t sysctl_vm_t:file { getattr open read }; | |
| allow xdm_t v4l_device_t:chr_file map; | |
| EOF | |
| ) | |
| echo "$MODULE" > howdy.te | |
| checkmodule -M -m -o howdy.mod howdy.te | |
| semodule_package -o howdy.pp -m howdy.mod | |
| semodule -i howdy.pp | |
| rm howdy.te howdy.mod howdy.pp | |
| # Done! | |
| echo "Done. Please restart terminal to check sudo result." |
Here its working after Fedora 40 update as well. Same config
I don't know what's wrong with my setup but by running howdy test no error is coming but not working with sudo or gdm. So there is definitely something wrong with pam.d in my case.
What pam file should I edit to enable this for e.g. 1Password app unlock? It already supports unlocking with my Fedora user password.
Look in /etc/pam.d if there is a module file for 1pw
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is not working in the latest Fedora 40.