Howdy

From ArchWiki

Howdy is a program that imitates Windows Hello on Linux. It uses a computer's IR sensors and camera to verify a user's face.

Installation

Install the howdyAUR package.

Configuration

Setup Howdy to start when needed

In order for Howdy to authenticate a user, a small change must be added to any PAM configuration file where Howdy might want to be used. The following line must be added to any configuration file:

auth sufficient pam_python.so /lib/security/howdy/pam.py

Adding howdy/pam.py as sufficient to any configuration file in /etc/pam.d/ will only prompt for face authentication. This prevents the use of a password if you cannot Ctrl+c face authentication (due to the lack of a shell). In order to use either a password or a face in a graphical interface, add the following line to the top of any files required:

auth sufficient pam_unix.so try_first_pass likeauth nullok

Add correct IR sensor

Determine the correct /dev/videoX file connected to the IR sensor. This can be done through various programs such as cheese, fswebcamAUR or v4l-utils.

An example of doing this with a tool included in the v4l-utils package:

$ v4l2-ctl --list-devices
Integrated_Webcam_HD: Integrate (usb-0000:00:14.0-11):
        /dev/video0
        /dev/video1

EyeChip: Tobii Video (usb-0000:00:14.0-3.4.3):
        /dev/video4
        /dev/video5

HD Webcam C525 (usb-0000:00:14.0-3.4.4):
        /dev/video2
        /dev/video3

As seen in the example above, the command may show more than one webcam device, and for each device it may show multiple /dev/videoX paths. Generally picking the first of the two paths will work fine.

If you have more than one webcam and/or IR sensor using a /dev/videoX may be somewhat unstable overtime, as it may be prone to change paths if certain devices are unplugged and replugged back in. In this can consider using a more consistent path name supplied by Video4Linux in the /dev/v4l/by-id/ path.

$ ls -l /dev/v4l/by-id
total 0
lrwxrwxrwx 1 root root 12 Dec  3 15:01 usb-046d_HD_Webcam_C525_BE4703F0-video-index0 -> ../../video2
lrwxrwxrwx 1 root root 12 Dec  3 15:01 usb-046d_HD_Webcam_C525_BE4703F0-video-index1 -> ../../video3
lrwxrwxrwx 1 root root 12 Dec  3 14:47 usb-CNFGH19N306021000582_Integrated_Webcam_HD-video-index0 -> ../../video0
lrwxrwxrwx 1 root root 12 Dec  3 14:47 usb-CNFGH19N306021000582_Integrated_Webcam_HD-video-index1 -> ../../video1
lrwxrwxrwx 1 root root 12 Dec  3 14:47 usb-Tobii_Technology_AB_EyeChip_IS404-100109244721-video-index0 -> ../../video4
lrwxrwxrwx 1 root root 12 Dec  3 14:47 usb-Tobii_Technology_AB_EyeChip_IS404-100109244721-video-index1 -> ../../video5

You can validate that these v4l paths do not change by unplugging and replugging your devices and then re-listing the directory.

Once the correct filename is found, edit /lib/security/howdy/config.ini using either your preferred editor or with howdy config (run as the root user). Change device_path = null to device_path = path_to_device:

/lib/security/howdy/config.ini
# The path of the device to capture frames from
# Should be set automatically by an installer if your distro has one
device_path = path_to_device

To customize which editor howdy config uses, set the EDITOR variable:

# EDITOR=editor howdy config

Add face to Howdy

In order to add a face model to Howdy, run howdy add as the root user.

Secure the installation

Some versions of Howdy take webcam snapshots when authenticating a user, and save them in /lib/security/howdy/snapshots. This can be considered a security hole, especially if previous instructions (about changing the permissions of /lib/security/howdy to 0755 recursively) are followed. An attacker who has access could trivially find a snapshot corresponding to a successful login of the target user, print it, and use the printed photo to impersonate the target user, who presumably has more rights. Well, the attacker could also use any other photo of the target user, but Howdy simplifies the process too much.

To avoid this attack and also surprises about the disk space, disable taking snapshots in /lib/security/howdy/config.ini:

[snapshots]
capture_failed = false
capture_successful = false

Troubleshooting

IR emitter does not work

If the IR camera is on and the IR emitter does not work, one possible situation is that you chose the wrong file. For example, /dev/video0 and /dev/video2 both work fine to recognize your face, but only /dev/video2 will turn on the IR emitter. So make sure you have checked all /dev/videoX.

Otherwise you should follow the instructions from linux-enable-ir-emitter to enable the IR emitter. Install the linux-enable-ir-emitterAUR package.

Note: Because of the upstream code, recent versions of the linux-enable-ir-emitterAUR package generates the systemd service file by running its own script after package is installed. This behaviour may not be what you want, because it modifies the filesystem root through a custom script. It is known that, up until version 3.2.0-2, the package comes with the systemd service, so you may want to pick the version that suits you.

Testing your IR camera

It can be useful to first make verify that your IR camera functions correctly. A set of 10 jpg photos can be taken to test your device using the gstreamer package with the following command:

gst-launch-1.0 v4l2src device=path_to_device num-buffers=10 ! image/jpeg ! multifilesink location="frame-%02d.jpg"

Howdy does not seem to work

Verify that Howdy is properly working by running howdy test as root. If that seems to work, check any PAM configuration files and verify they are working. Some programs, such as SDDM [1], do not work properly with PAM, which may result in unexpected results.

Errors recognizing an input device

Some IR sensors (for example of the Thinkpad T480) need to have the frame width and height defined in the configuration file:

frame_width = 400
frame_height = 400

The width and height of your sensor output: v4l2-ctl --list-devices --all.