Howdy (Simplified Chinese)

From ArchWiki
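Translation status: This article is a translation of Howdy. Last translated: 2021-08-07. If the English version has changed, you can help synchronize the translation.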

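Howdy is a program for Linux that, like Windows Hello, recognizes your face through the computer's sensors to unlock the computer.

Installation

Install the howdy AUR package.

Note: While in use, this package downloads files from GitHub's raw server. Connections to that server are unreliable for users in mainland China, so make sure your network can reach it.

Configuration

Configuring Howdy

To recognize the user, a small change has to be made to the PAM configuration files that Howdy needs to use. Add the following line to any one of them: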

auth sufficient pam_python.so /lib/security/howdy/pam.py

Examples

Enable Howdy authentication for sudo:

/etc/pam.d/sudo
#%PAM-1.0
auth    sufficient pam_python.so /lib/security/howdy/pam.py
auth    include    system-auth
account include    system-auth
session include    system-auth

Enable Howdy authentication for local graphical logins such as GDM and SDDM:

/etc/pam.d/system-local-login
#%PAM-1.0

auth      sufficient   pam_python.so /lib/security/howdy/pam.py
auth      include      system-login
account   include      system-login
password  include      system-login
session   include      system-login

However, if you use LightDM, edit:

/etc/pam.d/lightdm
#%PAM-1.0
auth        sufficient  pam_python.so /lib/security/howdy/pam.py
auth        include     system-login
-auth       optional    pam_gnome_keyring.so
account     include     system-login
password    include     system-login
session     include     system-login
-session    optional    pam_gnome_keyring.so auto_start

If you use i3lock or betterlockscreen, run chmod -R 755 /lib/security/howdy to change the permissions of the Howdy folder in /lib/security, then edit the i3lock file:

/etc/pam.d/i3lock
#
# PAM configuration file for the i3lock-color screen locker. By default, it includes
# the 'system-auth' configuration file (see /etc/pam.d/system-auth) for Arch and Gentoo
# and 'login' for Debian. Note that vanilla i3lock upstream uses 'login' instead.
#

auth sufficient pam_python.so /lib/security/howdy/pam.py
auth include system-auth # For Arch/Gentoo
#auth include login # For Debian

Adding howdy/pam.py as sufficient to any configuration file in /etc/pam.d/ will only prompt for face authentication. This prevents the use of a password if you cannot Ctrl+c face authentication (due to the lack of a shell). In order to use either a password or a face in a graphical interface, add the following lines to the top of any files required:

auth		sufficient  	pam_unix.so try_first_pass likeauth nullok
auth		sufficient  	pam_python.so /lib/security/howdy/pam.py
...

This will prompt for a password; pressing Enter on a blank field will proceed to face authentication.
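
To see which services accept a face alone and which ask for a password first, the following added example (not part of the original page; the function name howdy_pam_inventory is hypothetical) lists every file in a PAM directory that loads howdy/pam.py, with its control flag and whether a pam_unix.so auth line precedes it:

```shell
#!/bin/sh
# Added example: inventory the PAM services that load Howdy.
# Usage: howdy_pam_inventory [PAM_DIR]   (default: /etc/pam.d)
# Output, one line per service: "<service> <control> <face-first|password-first>"
howdy_pam_inventory() (   # subshell body keeps the variables local
    for f in "${1:-/etc/pam.d}"/*; do
        [ -f "$f" ] || continue
        awk -v svc="${f##*/}" '
            {
                sub(/#.*/, "")                    # drop comments, including #%PAM-1.0
                sub(/^[ \t]*-?/, "")              # drop indentation and the optional "-" prefix
                gsub(/\[[^]]*\]/, "[complex]")    # keep bracketed controls as one field
            }
            $1 != "auth" { next }
            # A pam_unix.so auth line before Howdy means the password prompt comes first.
            $3 == "pam_unix.so" && !seen_face { pw_first = 1 }
            $3 == "pam_python.so" && $4 ~ /howdy\/pam\.py$/ && !seen_face {
                seen_face = 1
                print svc, $2, (pw_first ? "password-first" : "face-first")
            }
        ' "$f"
    done
)
```

Only lines written directly in each file are inspected; pam_unix.so reached through an include line after the Howdy entry does not count as password-first.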

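Adding the correct IR sensor

Programs such as cheese, fswebcam (AUR) or v4l-utils can be used to find and determine the correct /dev/videoX file connected to the IR sensor.

Taking the tool included in the v4l-utils package as an example: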

$ v4l2-ctl --list-devices
Integrated_Webcam_HD: Integrate (usb-0000:00:14.0-11):
        /dev/video0
        /dev/video1

EyeChip: Tobii Video (usb-0000:00:14.0-3.4.3):
        /dev/video4
        /dev/video5

HD Webcam C525 (usb-0000:00:14.0-3.4.4):
        /dev/video2
        /dev/video3

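In the example above there is more than one webcam, and each camera has several different /dev/videoX paths. Generally, picking the first or second path works best.

If there is more than one camera or IR sensor, using /dev/videoX may become unreliable over time, because the paths can change as devices are removed and plugged in. In that case, use the more stable /dev/v4l/by-id/ paths provided by Video 4 Linux.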

$ ls -l /dev/v4l/by-id
total 0
lrwxrwxrwx 1 root root 12 Dec  3 15:01 usb-046d_HD_Webcam_C525_BE4703F0-video-index0 -> ../../video2
lrwxrwxrwx 1 root root 12 Dec  3 15:01 usb-046d_HD_Webcam_C525_BE4703F0-video-index1 -> ../../video3
lrwxrwxrwx 1 root root 12 Dec  3 14:47 usb-CNFGH19N306021000582_Integrated_Webcam_HD-video-index0 -> ../../video0
lrwxrwxrwx 1 root root 12 Dec  3 14:47 usb-CNFGH19N306021000582_Integrated_Webcam_HD-video-index1 -> ../../video1
lrwxrwxrwx 1 root root 12 Dec  3 14:47 usb-Tobii_Technology_AB_EyeChip_IS404-100109244721-video-index0 -> ../../video4
lrwxrwxrwx 1 root root 12 Dec  3 14:47 usb-Tobii_Technology_AB_EyeChip_IS404-100109244721-video-index1 -> ../../video5

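Verify that these v4l paths do not change when devices are unplugged and plugged back in, re-listing the directory afterwards.

Once you have found the correct file name, edit /lib/security/howdy/config.ini with your preferred editor. You can also edit it by running howdy config as root.

Set the EDITOR variable to customize the editor used by howdy config: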

# EDITOR=editor howdy config

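Addendum: modifying the contents of config.ini

The English original does not make clear where the change has to be made, so the translator adds a note here. After opening the config file with either of the commands above, scroll down to find: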

/lib/security/howdy/config.ini
# The path of the device to capture frames from
# Should be set automatically by an installer if your distro has one
device_path = null

Change the value after device_path = to the file path you found. For example, mine is /dev/video0, so the line becomes device_path = /dev/video0. When you are done, save and exit with Ctrl + X.
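
The device lookup and config edit above can be checked together. This added example (not part of the original page; the function names v4l_stable_path and howdy_device_check are hypothetical) reads device_path from a config.ini and, when it is a bare /dev/videoX node, prints the /dev/v4l/by-id link that resolves to the same device:

```shell
#!/bin/sh
# Added example: map a /dev/videoN node to its stable /dev/v4l/by-id link.
# Usage: v4l_stable_path DEVICE [BYID_DIR]   (default: /dev/v4l/by-id)
v4l_stable_path() (   # subshell body keeps the variables local
    want=$(readlink -f "$1") || exit 2
    for link in "${2:-/dev/v4l/by-id}"/*; do
        [ -L "$link" ] || continue
        if [ "$(readlink -f "$link")" = "$want" ]; then
            echo "$link"
            exit 0
        fi
    done
    exit 1
)

# Check the device_path set in a Howdy config.ini.
# Usage: howdy_device_check CONFIG_INI [BYID_DIR]
howdy_device_check() (
    cur=$(sed -n 's/^[[:space:]]*device_path[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    case "$cur" in
        ''|null)       echo "UNSET: device_path has no device"; exit 1 ;;
        */v4l/by-id/*) echo "OK: $cur"; exit 0 ;;
    esac
    # A bare /dev/videoN can move when cameras are unplugged; suggest the link.
    if stable=$(v4l_stable_path "$cur" "$2"); then
        echo "SUGGEST: device_path = $stable"
    else
        echo "NOLINK: no by-id link resolves to $cur"
    fi
    exit 1
)
```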

Adding face data to Howdy

To add a face model, run sudo howdy add

Secure the installation

Some versions of Howdy take a photo when recognizing the user and save it to /lib/security/howdy/snapshots. This can be considered a security hole, especially if the previous instructions (about changing the permissions of /lib/security/howdy to 0755 recursively) were followed. An attacker who has access could trivially find a snapshot corresponding to a successful login of the target user, print it, and use the printed photo to impersonate the target user, who presumably has more rights. Well, the attacker could also use any other photo of the target user, but Howdy simplifies the process too much.

To avoid such an attack, and to avoid suddenly finding your disk space sharply reduced, snapshots can be disabled in /lib/security/howdy/config.ini:

[snapshots]
capture_failed = false
capture_successful = false
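
Turning capture off does not remove photos already saved or change the directory mode. This added example (not part of the original page; the function name howdy_snapshot_audit is hypothetical) checks the two [snapshots] keys, counts stored snapshots and flags a snapshots directory that other users can read:

```shell
#!/bin/sh
# Added example: audit a Howdy directory for the snapshot exposure described above.
# Usage: howdy_snapshot_audit [HOWDY_DIR]   (default: /lib/security/howdy)
# Prints one finding per line; exit status 0 = clean, 1 = findings.
howdy_snapshot_audit() (   # subshell body keeps the variables local
    dir="${1:-/lib/security/howdy}"
    cfg="$dir/config.ini"; snaps="$dir/snapshots"; findings=0

    # Both capture_* keys in the [snapshots] section must be "false".
    for key in capture_failed capture_successful; do
        val=$(awk -v k="$key" '
            /^[ \t]*\[/ { in_s = ($0 ~ /^[ \t]*\[snapshots\]/); next }
            in_s { split($0, kv, "=")
                   gsub(/[ \t]/, "", kv[1]); gsub(/[ \t\r]/, "", kv[2])
                   if (kv[1] == k) { print tolower(kv[2]); exit } }
        ' "$cfg" 2>/dev/null) || val=""
        if [ "$val" != "false" ]; then
            echo "CONFIG: $key is '${val:-unset}' in $cfg, expected false"
            findings=1
        fi
    done

    if [ -d "$snaps" ]; then
        # Photos already on disk stay usable after capture is turned off.
        count=$(find "$snaps" -type f | wc -l | tr -d ' ')
        if [ "$count" -gt 0 ]; then
            echo "FILES: $count stored snapshot(s) in $snaps"
            findings=1
        fi
        # 'chmod -R 755' leaves the directory listable and readable by everyone.
        if [ -n "$(find "$snaps" -prune -perm -005)" ]; then
            echo "PERMS: $snaps is readable by other users"
            findings=1
        fi
    fi
    exit "$findings"
)
```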

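More configuration

Use howdy -h to see more commands.

Troubleshooting

IR emitter does not work

If the IR camera is enabled but the IR emitter does not work, you may have picked the wrong file. For example, both /dev/video0 and /dev/video2 may be able to recognize your face, but only /dev/video2 turns on the IR emitter, so try all /dev/videoX paths to see whether one of them works.

If it still does not work, try following the instructions of linux-enable-ir-emitter to enable the IR emitter.

Testing the IR camera

It is a good idea to confirm beforehand that the IR camera works properly. Test the device by capturing ten frames with the following command from the gstreamer package (do not forget to replace IR camera below with the location of your IR camera):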

gst-launch-1.0 v4l2src device=IR camera num-buffers=10 ! image/jpeg ! multifilesink location="frame-%02d.jpg"

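Howdy does not work properly

Run howdy test as root to make sure Howdy works properly. If everything looks fine, check the PAM configuration and confirm that it is working. Some programs, for example SDDM [1], do not work properly with PAM and can produce unexpected results.

Input device detected incorrectly

Some IR sensors, for example on the Thinkpad T480, require the frame height and width to be defined in the configuration file: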

frame_width = 400
frame_height = 400

To get the height and width of the sensor output: v4l2-ctl --list-devices --all

GStreamer warnings in the terminal

Howdy already works, but you get warnings in the terminal:

# howdy test
[ WARN:0] global /build/opencv/src/opencv-4.1.1/modules/videoio/src/cap_gstreamer.cpp (1756) handleMessage OpenCV | GStreamer warning: Embedded video playback halted; module source reported: Could not read from resource.
[ WARN:0] global /build/opencv/src/opencv-4.1.1/modules/videoio/src/cap_gstreamer.cpp (886) open OpenCV | GStreamer warning: unable to start pipeline
[ WARN:0] global /build/opencv/src/opencv-4.1.1/modules/videoio/src/cap_gstreamer.cpp (480) isPipelinePlaying OpenCV | GStreamer warning: GStreamer: pipeline have not been created
...

This is caused by the upstream opencv package being built with the default warning level LOG_LEVEL_WARNING = 3. The cv::utils::logging API in C++ can raise the log level to hide lower-level warnings, but this API is not yet exposed in python-cv2.

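A temporary workaround is to add the environment variable OPENCV_LOG_LEVEL=ERROR globally or per user.

Note: Making the warnings disappear may also hide other problems.

This issue is fixed in this commit.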