Howdy

From ArchWiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Howdy is a program that imitates Windows Hello on Linux. It uses a computer's IR sensors and camera to verify a user's face.

Installation

Install the howdyAUR package.

Configuration

Setup Howdy to start when needed

In order for Howdy to authenticate a user, a small change must be added to any PAM configuration file where Howdy might want to be used. The following line must be added to any configuration file: 

auth sufficient pam_python.so /lib/security/howdy/pam.py

Examples

This example enables howdy authentication for sudo: 

/etc/pam.d/sudo
# PAM-1.0
auth    sufficient pam_python.so /lib/security/howdy/pam.py
auth    include    system-auth
account include    system-auth
session include    system-auth

Another example enabling howdy authentication for local graphical login, e.g. GDM or SDDM: 

/etc/pam.d/system-local-login
#%PAM-1.0

auth      sufficient   pam_python.so /lib/security/howdy/pam.py
auth      include      system-login
account   include      system-login
password  include      system-login
session   include      system-login

However, for LightDM you should edit: 

/etc/pam.d/lightdm
#%PAM-1.0
auth        sufficient  pam_python.so /lib/security/howdy/pam.py
auth        include     system-login
-auth       optional    pam_gnome_keyring.so
account     include     system-login
password    include     system-login
session     include     system-login
-session    optional    pam_gnome_keyring.so auto_start

An example with i3lock or betterlockscreen, change permissions for the howdy folder in /lib/security by running the command chmod -R 755 /lib/security/howdy, and edit the i3lock file: 

/etc/pam.d/i3lock
#
# PAM configuration file for the i3lock-color screen locker. By default, it includes
# the 'system-auth' configuration file (see /etc/pam.d/system-auth) for Arch and Gentoo
# and 'login' for Debian. Note that vanilla i3lock upstream uses 'login' instead.
#

auth sufficient pam_python.so /lib/security/howdy/pam.py
auth include system-auth # For Arch/Gentoo
#auth include login # For Debian

Adding howdy/pam.py as sufficient to any configuration file in /etc/pam.d/ will only prompt for face authentication. This prevents the use of a password if you cannot Ctrl+c face authentication (due to the lack of a shell). In order to use either a password or a face in a graphical interface, add the following line to the top of any files required: 

auth		sufficient  	pam_unix.so try_first_pass likeauth nullok
auth		sufficient  	pam_python.so /lib/security/howdy/pam.py
...

This will prompt for a password; pressing Enter on a blank field will proceed to face authentication.

Add correct IR sensor

Determine the correct /dev/videoX file connected to the IR sensor. This can be done through various programs such as cheese, fswebcamAUR or v4l-utils.

An example of doing this with a tool included in the v4l-utils package: 

$ v4l2-ctl --list-devices
Integrated_Webcam_HD: Integrate (usb-0000:00:14.0-11):
        /dev/video0
        /dev/video1

EyeChip: Tobii Video (usb-0000:00:14.0-3.4.3):
        /dev/video4
        /dev/video5

HD Webcam C525 (usb-0000:00:14.0-3.4.4):
        /dev/video2
        /dev/video3

As seen in the example above, the command may show more than one webcam device, and for each device it may show multiple /dev/videoX paths. Generally picking the first of the two paths will work fine.

If you have more than one webcam and/or IR sensor using a /dev/videoX may be somewhat unstable overtime, as it may be prone to change paths if certain devices are unplugged and replugged back in. In this can consider using a more consistent path name supplied by Video 4 Linuxwikipedia:Video4Linux in the /dev/v4l/by-id/ path. 

$ ls -l /dev/v4l/by-id
total 0
lrwxrwxrwx 1 root root 12 Dec  3 15:01 usb-046d_HD_Webcam_C525_BE4703F0-video-index0 -> ../../video2
lrwxrwxrwx 1 root root 12 Dec  3 15:01 usb-046d_HD_Webcam_C525_BE4703F0-video-index1 -> ../../video3
lrwxrwxrwx 1 root root 12 Dec  3 14:47 usb-CNFGH19N306021000582_Integrated_Webcam_HD-video-index0 -> ../../video0
lrwxrwxrwx 1 root root 12 Dec  3 14:47 usb-CNFGH19N306021000582_Integrated_Webcam_HD-video-index1 -> ../../video1
lrwxrwxrwx 1 root root 12 Dec  3 14:47 usb-Tobii_Technology_AB_EyeChip_IS404-100109244721-video-index0 -> ../../video4
lrwxrwxrwx 1 root root 12 Dec  3 14:47 usb-Tobii_Technology_AB_EyeChip_IS404-100109244721-video-index1 -> ../../video5

You can validate that these v4l paths do not change by unplugging and replugging your devices and then re-listing the directory.

Once the correct filename is found, edit /lib/security/howdy/config.ini using either your preferred editor or with howdy config (run as the root user).

To customize which editor howdy config uses, set the EDITOR variable: 

# EDITOR=editor howdy config

Add face to Howdy

In order to add a face model to Howdy, run sudo howdy add.

Secure the installation

Some versions of Howdy take webcam snapshots when authenticating a user, and save them in /lib/security/howdy/snapshots. This can be considered a security hole, especially if previous instructions (about changing the permissions of /lib/security/howdy to 0755 recursively) are followed. An attacker who has access could trivially find a snapshot corresponding to a successful login of the target user, print it, and use the printed photo to impersonate the target user, who presumably has more rights. Well, the attacker could also use any other photo of the target user, but Howdy simplifies the process too much.

To avoid this attack and also surprises about the disk space, disable taking snapshots in /lib/security/howdy/config.ini: 

[snapshots]
capture_failed = false
capture_successful = false

Troubleshooting

IR emitter does not work

If the IR camera is on and the IR emitter does not work, one possible situation is that you chose the wrong file. For example, /dev/video0 and /dev/video2 both work fine to recognize your face, but only /dev/video2 will turn on the IR emitter. So make sure you have checked all /dev/videoX.

Otherwise you should follow the instructions from linux-enable-ir-emitter to enable the IR emitter.

Note that because of the upstream code, recent versions of the linux-enable-ir-emitter package generates the systemd service file by running its own script after package is installed. This behaviour may not be what you want, because it modifies the filesystem root through a custom script. It is known that, up until version 3.2.0-2, the package comes with the systemd service, so you may want to pick the version that suits you.

Testing your IR camera

It can be useful to first make verify that your IR camera functions correctly. A set of 10 jpg photos can be taken to test your device using the gstreamer package with the following command (replacing IR camera with the location of your IR camera): 

gst-launch-1.0 v4l2src device=IR camera num-buffers=10 ! image/jpeg ! multifilesink location="frame-%02d.jpg"

Howdy does not seem to work

Verify that Howdy is properly working by running howdy test as root. If that seems to work, check any PAM configuration files and verify they are working. Some programs, such as SDDM [1], do not work properly with PAM, which may result in unexpected results.

Errors recognizing an input device

Some IR sensors (for example of the Thinkpad T480) need to have the frame width and height defined in the configuration file: 

frame_width = 400
frame_height = 400

The width and height of your sensor output: v4l2-ctl --list-devices --all.

GStreamer warnings in shell

You might have howdy working but get warning like this in shell: 

# howdy test
[ WARN:0] global /build/opencv/src/opencv-4.1.1/modules/videoio/src/cap_gstreamer.cpp (1756) handleMessage OpenCV | GStreamer warning: Embedded video playback halted; module source reported: Could not read from resource.
[ WARN:0] global /build/opencv/src/opencv-4.1.1/modules/videoio/src/cap_gstreamer.cpp (886) open OpenCV | GStreamer warning: unable to start pipeline
[ WARN:0] global /build/opencv/src/opencv-4.1.1/modules/videoio/src/cap_gstreamer.cpp (480) isPipelinePlaying OpenCV | GStreamer warning: GStreamer: pipeline have not been created
...

This is caused by upstream opencv package built with default warning level LOG_LEVEL_WARNING = 3. The cv::utils::logging API in C++ can set log level higher in order to hide lower level warning, but this API is not exposed into python-cv2 yet.

A temporary solution for this is adding an environment variable OPENCV_LOG_LEVEL=ERROR to your system per user or globally.

Note: This will make the warning disappear but might hide other potential problems.

This issue was fixed in this commit.