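Howdy (Simplified Chinese)
Howdy is a program for Linux that, similar to Windows Hello, uses the computer's sensors to recognize your face and unlock the computer.
Installation
Configuration
Set up some configuration for Howdy
So that Howdy can identify users, the PAM configuration files it is to be used with need a small change. Add the following line to whichever of them you choose: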
auth sufficient pam_python.so /lib/security/howdy/pam.py
Examples
Enable Howdy authentication for sudo:
/etc/pam.d/sudo
#%PAM-1.0
auth      sufficient  pam_python.so /lib/security/howdy/pam.py
auth      include     system-auth
account   include     system-auth
session   include     system-auth
Enable Howdy authentication for local graphical logins such as GDM and SDDM:
/etc/pam.d/system-local-login
#%PAM-1.0
auth      sufficient  pam_python.so /lib/security/howdy/pam.py
auth      include     system-login
account   include     system-login
password  include     system-login
session   include     system-login
However, if you use LightDM, edit this file instead:
/etc/pam.d/lightdm
#%PAM-1.0
auth      sufficient  pam_python.so /lib/security/howdy/pam.py
auth      include     system-login
-auth     optional    pam_gnome_keyring.so
account   include     system-login
password  include     system-login
session   include     system-login
-session  optional    pam_gnome_keyring.so auto_start
If you use i3lock or betterlockscreen, run chmod -R 755 /lib/security/howdy to change the permissions of the Howdy folder in /lib/security, then edit the i3lock file:
/etc/pam.d/i3lock
#
# PAM configuration file for the i3lock-color screen locker. By default, it includes
# the 'system-auth' configuration file (see /etc/pam.d/system-auth) for Arch and Gentoo
# and 'login' for Debian. Note that vanilla i3lock upstream uses 'login' instead.
#
auth sufficient pam_python.so /lib/security/howdy/pam.py
auth include system-auth # For Arch/Gentoo
#auth include login # For Debian
Adding howdy/pam.py as sufficient to any configuration file in /etc/pam.d/ will only prompt for face authentication. This prevents the use of a password if you cannot Ctrl+c face authentication (due to the lack of a shell). In order to use either a password or a face in a graphical interface, add the following lines to the top of any files required:
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_python.so /lib/security/howdy/pam.py
...
This will prompt for a password; pressing Enter on a blank field will proceed to face authentication.
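The two orderings described above can be told apart mechanically. The following added example (not part of the original page or of Howdy; the function names howdy_auth_order and inventory are hypothetical) reports, for each service file, whether the Howdy line is reached before or after a sufficient pam_unix.so line. It reads only the file itself and does not follow include lines.

```python
import re
from pathlib import Path

# Matches the module and script path used throughout this page.
HOWDY = re.compile(r"pam_python\.so\s+\S*howdy/pam\.py")
# type, control (plain word or [bracketed list]), module and arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(.*)$")


def howdy_auth_order(pam_text):
    """Return 'absent', 'face-first' or 'password-first' for one service file."""
    auth = []
    for raw in pam_text.splitlines():
        # Everything after '#' is a comment, including the #%PAM-1.0 header.
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "auth":
            auth.append((m.group(2), m.group(3)))
    face = [i for i, (_, rest) in enumerate(auth) if HOWDY.search(rest)]
    if not face:
        return "absent"
    unix = [i for i, (ctl, rest) in enumerate(auth)
            if ctl == "sufficient" and rest.startswith("pam_unix.so")]
    # A sufficient pam_unix.so line ahead of Howdy means the password
    # prompt comes first and the face check is the fallback.
    return "password-first" if unix and unix[0] < face[0] else "face-first"


def inventory(pam_dir="/etc/pam.d"):
    """Map every service file that references Howdy to its auth order."""
    found = {}
    for f in sorted(Path(pam_dir).iterdir()):
        if f.is_file():
            order = howdy_auth_order(f.read_text(errors="replace"))
            if order != "absent":
                found[f.name] = order
    return found


if __name__ == "__main__":
    for name, order in inventory().items():
        print(f"{name}: {order}")
```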
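Setting the correct IR sensor
The correct /dev/videoX file for the IR sensor can be found and confirmed with programs such as cheese, fswebcam (AUR) or v4l-utils.
Taking the tool included in the v4l-utils package as an example: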
$ v4l2-ctl --list-devices
Integrated_Webcam_HD: Integrate (usb-0000:00:14.0-11):
    /dev/video0
    /dev/video1

EyeChip: Tobii Video (usb-0000:00:14.0-3.4.3):
    /dev/video4
    /dev/video5

HD Webcam C525 (usb-0000:00:14.0-3.4.4):
    /dev/video2
    /dev/video3
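In the example above there is more than one webcam, and each webcam has several different /dev/videoX paths. Generally, choosing the first or second path works better.
If there is more than one camera or IR sensor, using /dev/videoX may become unstable over time, because the paths can change as devices are removed and attached. In that case, use the more stable /dev/v4l/by-id/ paths provided by Video4Linux.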
$ ls -l /dev/v4l/by-id
total 0
lrwxrwxrwx 1 root root 12 Dec 3 15:01 usb-046d_HD_Webcam_C525_BE4703F0-video-index0 -> ../../video2
lrwxrwxrwx 1 root root 12 Dec 3 15:01 usb-046d_HD_Webcam_C525_BE4703F0-video-index1 -> ../../video3
lrwxrwxrwx 1 root root 12 Dec 3 14:47 usb-CNFGH19N306021000582_Integrated_Webcam_HD-video-index0 -> ../../video0
lrwxrwxrwx 1 root root 12 Dec 3 14:47 usb-CNFGH19N306021000582_Integrated_Webcam_HD-video-index1 -> ../../video1
lrwxrwxrwx 1 root root 12 Dec 3 14:47 usb-Tobii_Technology_AB_EyeChip_IS404-100109244721-video-index0 -> ../../video4
lrwxrwxrwx 1 root root 12 Dec 3 14:47 usb-Tobii_Technology_AB_EyeChip_IS404-100109244721-video-index1 -> ../../video5
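First verify that these v4l paths do not change when devices are removed and attached, then re-list the directory.
Once you have found the correct file name, edit /lib/security/howdy/config.ini with your preferred editor. You can also edit it by running the howdy config command as root.
Set the EDITOR variable to choose the editor used by howdy config: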
# EDITOR=editor howdy config
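Addendum: editing the contents of config.ini
The English original does not make clear where the change needs to be made, so the translator adds a note here. After opening the config file with either of the commands above, scroll down to find: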
/lib/security/howdy/config.ini
# The path of the device to capture frames from
# Should be set automatically by an installer if your distro has one
device_path = null
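Change what follows device_path = to the file path you found. For example, mine is /dev/video0, so the line becomes device_path = /dev/video0. When finished, use Ctrl + X to save and exit.
Adding face data to Howdy
To add a face model, run sudo howdy add.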
Secure the installation
Some versions of Howdy take a photo when identifying the user and save it to /lib/security/howdy/snapshots. This can be considered a security hole, especially if previous instructions (about changing the permissions of /lib/security/howdy to 0755 recursively) are followed. An attacker who has access could trivially find a snapshot corresponding to a successful login of the target user, print it, and use the printed photo to impersonate the target user, who presumably has more rights. Well, the attacker could also use any other photo of the target user, but Howdy simplifies the process too much.
To avoid such attacks, and to avoid suddenly finding that disk space has dropped sharply, snapshot capture can be turned off in /lib/security/howdy/config.ini:
[snapshots]
capture_failed = false
capture_successful = false
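A check for the exposure described above, as an added example that is not part of the original page or of Howdy: it reads the [snapshots] flags from config.ini and inspects the snapshots directory. The function name audit_howdy is hypothetical, and reporting an absent key as a finding is an assumption.

```python
import configparser
import stat
import sys
from pathlib import Path


def audit_howdy(howdy_dir="/lib/security/howdy"):
    """Return a list of snapshot-exposure findings for a Howdy directory."""
    root = Path(howdy_dir)
    findings = []

    # config.ini is INI syntax; interpolation is disabled so a literal
    # '%' in any value cannot raise while parsing.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(root / "config.ini")
    for key in ("capture_failed", "capture_successful"):
        # Assumption: an absent key is reported too, because capture
        # has not been switched off explicitly.
        if cfg.getboolean("snapshots", key, fallback=True):
            findings.append(f"{key} is not set to false")

    snap = root / "snapshots"
    if snap.is_dir():
        mode = stat.S_IMODE(snap.stat().st_mode)
        # r or x for "other" lets any local user list or open snapshots,
        # which is what a recursive chmod 755 produces.
        if mode & (stat.S_IROTH | stat.S_IXOTH):
            findings.append(f"snapshots directory is mode {mode:04o}")
        # Disabling capture does not remove photos already saved.
        stored = [p for p in snap.iterdir() if p.is_file()]
        if stored:
            findings.append(f"{len(stored)} stored snapshot(s) on disk")
    return findings


if __name__ == "__main__":
    results = audit_howdy(*sys.argv[1:2])
    for line in results:
        print("FINDING:", line)
    sys.exit(1 if results else 0)
```

Run it as root against the installed directory; an exit status of 0 means no findings.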
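Further configuration
Run howdy -h to see more commands.
Troubleshooting
IR emitter does not work
If the IR camera is enabled but the IR emitter does not work, you may have selected the wrong file. For example, both /dev/video0 and /dev/video2 may recognize your face, but only /dev/video2 turns on the IR emitter, so try every /dev/videoX path to see whether one of them works.
If that still does not help, try enabling the IR emitter by following the instructions of linux-enable-ir-emitter.
Testing the IR camera
It is a good idea to confirm beforehand that the IR camera works. Use the following command from the gstreamer package to capture ten frames from the device (don't forget to replace IR camera below with the location of your IR camera):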
gst-launch-1.0 v4l2src device=IR camera num-buffers=10 ! image/jpeg ! multifilesink location="frame-%02d.jpg"
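Howdy does not work properly
Run howdy test as root to make sure Howdy is working. If everything looks fine, check the PAM configuration and confirm that it is working. Some programs, for example SDDM [1], do not work properly with PAM and cause unexpected results.
Input device recognized incorrectly
Some IR sensors, for example those of the Thinkpad T480, need the frame height and width defined in the configuration file: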
frame_width = 400
frame_height = 400
To get the height and width of the sensor output: v4l2-ctl --list-devices --all
GStreamer warnings in the terminal
Howdy is working, but warnings are shown in the terminal:
# howdy test
[ WARN:0] global /build/opencv/src/opencv-4.1.1/modules/videoio/src/cap_gstreamer.cpp (1756) handleMessage OpenCV | GStreamer warning: Embedded video playback halted; module source reported: Could not read from resource.
[ WARN:0] global /build/opencv/src/opencv-4.1.1/modules/videoio/src/cap_gstreamer.cpp (886) open OpenCV | GStreamer warning: unable to start pipeline
[ WARN:0] global /build/opencv/src/opencv-4.1.1/modules/videoio/src/cap_gstreamer.cpp (480) isPipelinePlaying OpenCV | GStreamer warning: GStreamer: pipeline have not been created
...
This is caused by the upstream opencv package being built with the default warning level LOG_LEVEL_WARNING = 3. The cv::utils::logging API in C++ can set a higher log level in order to hide lower-level warnings, but this API is not exposed in python-cv2 yet.
A temporary workaround is to add the environment variable OPENCV_LOG_LEVEL=ERROR globally or per user.
This issue is resolved in this commit.