Howdy is a program that imitates Windows Hello on Linux. It uses a computer's IR sensors and camera to verify a user's face.
Install the AUR package.
Setup Howdy to start when needed
In order for Howdy to authenticate a user, a small change must be added to any PAM configuration file where Howdy might want to be used. The following line must be added to any configuration file:
auth sufficient pam_python.so /lib/security/howdy/pam.py
This example enables howdy authentication for
# PAM-1.0 auth sufficient pam_python.so /lib/security/howdy/pam.py auth include system-auth account include system-auth session include system-auth
#%PAM-1.0 auth sufficient pam_python.so /lib/security/howdy/pam.py auth include system-login account include system-login password include system-login session include system-login
However, for LightDM you should edit:
#%PAM-1.0 auth sufficient pam_python.so /lib/security/howdy/pam.py auth include system-login -auth optional pam_gnome_keyring.so account include system-login password include system-login session include system-login -session optional pam_gnome_keyring.so auto_start
An example with i3lock or betterlockscreen, change permissions for the howdy folder in /lib/security by running the command
chmod -R 755 /lib/security/howdy, and edit the i3lock file:
# # PAM configuration file for the i3lock-color screen locker. By default, it includes # the 'system-auth' configuration file (see /etc/pam.d/system-auth) for Arch and Gentoo # and 'login' for Debian. Note that vanilla i3lock upstream uses 'login' instead. # auth sufficient pam_python.so /lib/security/howdy/pam.py auth include system-auth # For Arch/Gentoo #auth include login # For Debian
howdy/pam.py as sufficient to any configuration file in
/etc/pam.d/ will only prompt for face authentication. This prevents the use of a password if you cannot
Ctrl+c face authentication (due to the lack of a shell). In order to use either a password or a face in a graphical interface, add the following line to the top of any files required:
auth sufficient pam_unix.so try_first_pass likeauth nullok auth sufficient pam_python.so /lib/security/howdy/pam.py ...
This will prompt for a password; pressing
Enter on a blank field will proceed to face authentication.
Add correct IR sensor
Determine the correct
/dev/videoX file connected to the IR sensor. This can be done through various programs such as , AUR or .
An example of doing this with a tool included in thepackage:
$ v4l2-ctl --list-devices Integrated_Webcam_HD: Integrate (usb-0000:00:14.0-11): /dev/video0 /dev/video1 EyeChip: Tobii Video (usb-0000:00:14.0-3.4.3): /dev/video4 /dev/video5 HD Webcam C525 (usb-0000:00:14.0-3.4.4): /dev/video2 /dev/video3
As seen in the example above, the command may show more than one webcam device, and for each device it may show multiple
/dev/videoX paths. Generally picking the first of the two paths will work fine.
If you have more than one webcam and/or IR sensor using a
/dev/videoX may be somewhat unstable overtime, as it may be prone to change paths if certain devices are unplugged and replugged back in. In this can consider using a more consistent path name supplied by Video 4 Linuxwikipedia:Video4Linux in the
$ ls -l /dev/v4l/by-id total 0 lrwxrwxrwx 1 root root 12 Dec 3 15:01 usb-046d_HD_Webcam_C525_BE4703F0-video-index0 -> ../../video2 lrwxrwxrwx 1 root root 12 Dec 3 15:01 usb-046d_HD_Webcam_C525_BE4703F0-video-index1 -> ../../video3 lrwxrwxrwx 1 root root 12 Dec 3 14:47 usb-CNFGH19N306021000582_Integrated_Webcam_HD-video-index0 -> ../../video0 lrwxrwxrwx 1 root root 12 Dec 3 14:47 usb-CNFGH19N306021000582_Integrated_Webcam_HD-video-index1 -> ../../video1 lrwxrwxrwx 1 root root 12 Dec 3 14:47 usb-Tobii_Technology_AB_EyeChip_IS404-100109244721-video-index0 -> ../../video4 lrwxrwxrwx 1 root root 12 Dec 3 14:47 usb-Tobii_Technology_AB_EyeChip_IS404-100109244721-video-index1 -> ../../video5
You can validate that these
v4l paths do not change by unplugging and replugging your devices and then re-listing the directory.
Once the correct filename is found, edit
/lib/security/howdy/config.ini using either your preferred editor or with
howdy config (run as the root user).
To customize which editor
howdy config uses, set the
# EDITOR=editor howdy config
Add face to Howdy
In order to add a face model to Howdy, run
sudo howdy add.
Secure the installation
Some versions of Howdy take webcam snapshots when authenticating a user, and save them in
/lib/security/howdy/snapshots. This can be considered a security hole, especially if previous instructions (about changing the permissions of
0755 recursively) are followed. An attacker who has access could trivially find a snapshot corresponding to a successful login of the target user, print it, and use the printed photo to impersonate the target user, who presumably has more rights. Well, the attacker could also use any other photo of the target user, but Howdy simplifies the process too much.
To avoid this attack and also surprises about the disk space, disable taking snapshots in
[snapshots] capture_failed = false capture_successful = false
IR emitter does not work
If the IR camera is on and the IR emitter does not work, one possible situation is that you chose the wrong file. For example,
/dev/video2 both work fine to recognize your face, but only
/dev/video2 will turn on the IR emitter. So make sure you have checked all
Otherwise you should follow the instructions from linux-enable-ir-emitter to enable the IR emitter.
Testing your IR camera
It can be useful to first make verify that your IR camera functions correctly. A set of 10 jpg photos can be taken to test your device using the
IR camera with the location of your IR camera):
gst-launch-1.0 v4l2src device=IR camera num-buffers=10 ! image/jpeg ! multifilesink location="frame-%02d.jpg"
Howdy does not seem to work
Verify that Howdy is properly working by running
howdy test as root. If that seems to work, check any PAM configuration files and verify they are working. Some programs, such as SDDM , do not work properly with PAM, which may result in unexpected results.
Errors recognizing an input device
Some IR sensors (for example of the Thinkpad T480) need to have the frame width and height defined in the configuration file:
frame_width = 400 frame_height = 400
The width and height of your sensor output:
v4l2-ctl --list-devices --all.
GStreamer warnings in shell
You might have howdy working but get warning like this in shell:
# howdy test
[ WARN:0] global /build/opencv/src/opencv-4.1.1/modules/videoio/src/cap_gstreamer.cpp (1756) handleMessage OpenCV | GStreamer warning: Embedded video playback halted; module source reported: Could not read from resource. [ WARN:0] global /build/opencv/src/opencv-4.1.1/modules/videoio/src/cap_gstreamer.cpp (886) open OpenCV | GStreamer warning: unable to start pipeline [ WARN:0] global /build/opencv/src/opencv-4.1.1/modules/videoio/src/cap_gstreamer.cpp (480) isPipelinePlaying OpenCV | GStreamer warning: GStreamer: pipeline have not been created ...
This is caused by upstream
LOG_LEVEL_WARNING = 3. The cv::utils::logging API in C++ can set log level higher in order to hide lower level warning, but this API is not exposed into python-cv2 yet.
A temporary solution for this is adding an environment variable
OPENCV_LOG_LEVEL=ERROR to your system per user or globally.
This issue was fixed in this commit.