@robertoschwald
Forked from m1nicrusher/ConfigHowdy.sh
Last active May 20, 2024 16:15
Config Howdy-Beta for Fedora 39 using GNOME
#!/usr/bin/env bash
set -e
# Configure Fedora PAM to use Howdy for facial recognition
# Configures sudo and GDM login.
# SELinux is also configured to allow Howdy to access necessary resources.
# Notes:
# - This script is tested on Fedora 39.
# - This script is for howdy-beta version, which provides pam_howdy.so
# Reference: https://copr.fedorainfracloud.org/coprs/principis/howdy-beta/
# Based on https://gist.github.com/m1nicrusher/35e79b20553c8863e0c642f8d801da7f
# Root is required
if ! [ "$(id -u)" = 0 ]; then
    echo "Root privilege is needed. Please rerun the script as root." >&2
    exit 1
fi
SUDO_CFG="/etc/pam.d/sudo"
GDM_CFG="/etc/pam.d/gdm-password"
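SUDO_PATTERN='1i\' # sed: insert before the first line
GDM_PATTERN='/auth.*substack.*password-auth/i\' # sed: insert before the password-auth line
# "sufficient": a successful Howdy match satisfies auth without asking for the password
HOWDY_PAM="auth sufficient pam_howdy.so"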
# Configure sudo
if ! grep -q "$HOWDY_PAM" "$SUDO_CFG"; then
    echo "Configuring sudo PAM"
    sed -i "$SUDO_PATTERN$HOWDY_PAM" "$SUDO_CFG"
else
    echo "sudo PAM already configured"
fi
# Configure GDM
if ! grep -q "$HOWDY_PAM" "$GDM_CFG"; then
    echo "Configuring GDM PAM"
    sed -i "$GDM_PATTERN$HOWDY_PAM" "$GDM_CFG"
else
    echo "GDM PAM already configured"
fi
echo "Configuring SELinux (this takes a moment)"
MODULE=$(cat << EOF
module howdy 1.0;

require {
    type lib_t;
    type xdm_t;
    type v4l_device_t;
    type sysctl_vm_t;
    class chr_file map;
    class dir { create add_name };
    class file { create getattr open read write };
}

#============= xdm_t ==============
allow xdm_t lib_t:dir create;
allow xdm_t lib_t:dir add_name;
allow xdm_t lib_t:file { create write };
allow xdm_t sysctl_vm_t:file { getattr open read };
allow xdm_t v4l_device_t:chr_file map;
EOF
)
echo "$MODULE" > howdy.te
checkmodule -M -m -o howdy.mod howdy.te
semodule_package -o howdy.pp -m howdy.mod
semodule -i howdy.pp
rm howdy.te howdy.mod howdy.pp
# Done!
echo "Done. Please restart terminal to check sudo result."
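
A read-only check for the two PAM edits the script makes, added here as an example and not part of the gist: it reports whether the `pam_howdy.so` line is present and sits before the auth line it has to precede, and flags the case where the GDM anchor line is absent, so the `sed` insert matched nothing even though the script printed "Configuring GDM PAM". The function and variable names and the sample PAM files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the gist: report where the Howdy line sits
# relative to the auth line it has to precede.
HOWDY_RE='^auth[[:space:]]+sufficient[[:space:]]+pam_howdy[.]so'
AUTH_RE='^-?auth[[:space:]]'    # default anchor: first other auth line (sudo case)
# Same line the gist's GDM_PATTERN looks for
GDM_ANCHOR_RE='^auth[[:space:]]+substack[[:space:]]+password-auth'

# howdy_line_status FILE [ANCHOR_RE]
# Prints: ok | missing | misplaced | no-anchor | unreadable
howdy_line_status() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    _h=$(grep -nE "$HOWDY_RE" "$1" | head -n 1 | cut -d: -f1)
    _a=$(grep -nE "${2:-$AUTH_RE}" "$1" | grep -v 'pam_howdy[.]so' \
        | head -n 1 | cut -d: -f1)
    if   [ -z "$_a" ]; then echo no-anchor   # sed '/anchor/i' had nothing to match
    elif [ -z "$_h" ]; then echo missing
    elif [ "$_h" -lt "$_a" ]; then echo ok
    else echo misplaced                      # anchor line is evaluated before Howdy
    fi
}

# Constructed sample files (not copied from a real system).
make_samples() {
    SAMPLES=$(mktemp -d)
    printf '%s\n' 'auth sufficient pam_howdy.so' '#%PAM-1.0' \
        'auth       include      system-auth' > "$SAMPLES/sudo-ok"
    printf '%s\n' '#%PAM-1.0' \
        'auth       include      system-auth' > "$SAMPLES/sudo-missing"
    printf '%s\n' \
        'auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so' \
        'auth        substack      password-auth' \
        'auth sufficient pam_howdy.so' > "$SAMPLES/gdm-misplaced"
    printf '%s\n' 'auth        include       password-auth' > "$SAMPLES/gdm-no-anchor"
}

make_samples
for f in sudo-ok sudo-missing; do
    printf '%-15s %s\n' "$f" "$(howdy_line_status "$SAMPLES/$f")"
done
for f in gdm-misplaced gdm-no-anchor; do
    printf '%-15s %s\n' "$f" "$(howdy_line_status "$SAMPLES/$f" "$GDM_ANCHOR_RE")"
done
rm -rf "$SAMPLES"
```

On a real system the same function can be pointed at `/etc/pam.d/sudo` and, with `"$GDM_ANCHOR_RE"` as the second argument, at `/etc/pam.d/gdm-password`.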
@harshil1973

This is not working in the latest Fedora 40.

@robertoschwald
Author

robertoschwald commented Apr 27, 2024

Here it's working after the Fedora 40 update as well. Same config.

@harshil1973

I don't know what's wrong with my setup, but running howdy test gives no error, yet it is not working with sudo or gdm. So there is definitely something wrong with pam.d in my case.

@forabi

forabi commented May 2, 2024

What pam file should I edit to enable this for e.g. 1Password app unlock? It already supports unlocking with my Fedora user password.

@robertoschwald
Author

Look in /etc/pam.d to see if there is a module file for 1pw.
