[Face recognition login] Trouble with howdy and PAM

My laptop is an Acer Swift 3. It has a fingerprint sensor, but there’s no Linux driver for this one (last time I checked).

So since I like Windows Hello, I decided to set up face recognition. I’m running openSUSE Tumbleweed (up to date). I found out that the way to go about this was to use howdy.

But after (a very painful because of python dependencies issues) installing howdy and adding the 3 files mentioned here in the PAM section (btw I basically followed exactly the instructions from this page to setup my system), I found out that:

  • sudo howdy --user myusername add works (I can save a few faces)

  • sudo howdy test returns errors, as follows:

[ WARN:0@0.374] OpenCV | GStreamer warning: Embedded video playback halted; module source reported: Could not read from resource.
[ WARN:0@0.374] OpenCV | GStreamer warning: unable to start pipeline
[ WARN:0@0.374] OpenCV | GStreamer warning: GStreamer: pipeline have not been created

Opening a window with a test feed

Press ctrl+C in this terminal to quit
Click on the image to enable or disable slow mode

qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, xcb.

(I did try reinstalling xcb but it didn’t help)

  • after editing howdy.conf so as to allow to run the command without sudo privileges, howdy test works, I can see my face being detected live on the screen.

  • as long as I complete the steps from the tutorial linked above, when I log out howdy doesn’t activate but more importantly I can’t log in anymore, passwords no longer work!!! And if I change TTY even usernames are not valid anymore (not even root!). So my only option was to rollback to a system snapshot generated before I edited PAM config.

About PAM config: I didn’t have the files sddm login and kde in my pam.d directories, so I created empty ones and wrote

auth     sufficient     pam_python.so /usr/lib64/security/howdy/pam.py

into them.
I guess that’s where the problem is, this in my opinion can’t be the right way to configure PAM.

So to sum up, two major problems: 1) how do I configure PAM to have howdy start and work at login? and 2) how can I make sudo howdy test work?

Any help will be greatly appreciated!

Those files exist here. You have not indicated what desktop you are using.

Checking here, it looks as if installing “sddm” should give you “/etc/pam.d/sddm” and installing “kscreenlocker” should give you “/etc/pam.d/kde”

1 Like

I’m using KDE (Plasma I think). I’ll try installing those two packages! What about /etc/pam.d/login?

EDIT: “nothing to do”, they’re both installed all right. Yet /etc/pam.d/ does not contain neither login nor sddm, and /usr/etc/pam.d/ is simply empty (so no kde file).

What do you think?

You do not say which directories; are we supposed to guess what you did?

Assuming you are talking about /etc/pam.d - congratulations, you completely disabled any authentication except howdy.

Default PAM configuration for most components is shipped in /usr/lib/pam.d (which you are not supposed to edit). Most PAM services that deal with user authentication include common-auth PAM module. By default it is managed by pam-config tool which writes its result in /etc/pam.d as common-auth-pc and creates links /etc/pam.d/common-auth to it. So if you want to change configuration of any PAM service you should copy it from /usr/lib/pam.d to /etc/pam.d and modify there.

And when you describe what you did - step back, read what you wrote and ask yourself - would you understand what happened if you saw it for the first time? Always provide exact details, do not write “in well known place” or “in my directories” because others may have different idea what is “theirs” and what is “well known”.

Yes, sorry for the inprecision. For sddmand login I’m talking /etc/pam.d/ and for kde I’m talking /usr/etc/pam.d/.

Yes I figured out I did something of that order. I broke completly my Linux right now, but for later can you specify how to use the pam-config command? I didn’t understand the man page and explainations online.

So I guess I sould use that command to add my howdy config to common-auth? How would that look like exactly?


pam-config is used to manage known PAM modules and is called automatically when package with such supported module is installed/updated. It has hardcoded list of modules it supports, so unfortunately you cannot use it to manage unknown modules like howdy. If you want to add howdy to common-auth, you should remove the link, copy common-auth-pc as common-auth and edit. From now on any future changes in common-auth-pc will be invisible. All of this is described in even more details in comments in common-auth-pc (or for that matter any *-pc file in /etc/pam.d).

I see, thanks. Any more advice? common-auth now contains:

auth    required        pam_env.so
auth    optional        pam_kwallet5.so
auth    required        pam_unix.so     try_first_pass

Sould I just append auth sufficient pam_python.so /usr/lib64/security/howdy/pam.py at the end? Or the beginning? And should I remove one of the old entries?


And to the others, any idea why howdy doesn’t activate? It should work out of the box…

Logically you use face recognition to avoid entering password so you certainly do not want to have it after pam_unix. Because successful sufficient module execution will not process further modules, you probably do not want it to be the first. So I’d say - immediately before pam_unix.

It is entirely up to you. If you do not want to have password as fallback, you can of course remove pam_unix … but have not you already effectively tried it?

It sounds like it is graphical application which fails to access your $DISPLAY. So you need to make sure sudo preserves $DISPLAY environment variable and user root is allowed to access it. For the former look at /etc/sudoers and man sudoers, specifically env_keep. For the latter you can (for one off) just do xhost + or add pam_xauth to sudo PAM configuration or tell sudo to preserve $XAUTHORITY variable or do xhost +si:localuser:root and I am sure this list is not complete.

Mmh, ok. Would you mind explaining what auth required pam_env.so does though? Since it’s going to be first again in that case.

Here’s what I got:

sudo xhost +si:localuser:root                
> xhost:  unable to open display ""

Looks familiar…

You’ve gone a little fast for me in your other instructions, could you be more explicit, show me what the commands would look like? Please :slightly_smiling_face:

Where did I say “sudo”?

Did you try

man pam_env

Ah, yes, it worked without sudo. However still no webcam turning on at login though.

It did something different. Never do things as root which should not be done as root.

In this case doing this “as root” most probably is harmless, but that will not always be the case when you are not careful.

I assume your software has some logs and options to enable more verbose/debug logging. You probably have more luck asking on dedicated support channels for your software but if you post logs from it, someone may try to guess what happens.

Unfortunately I found no logs anywhere on my system… But I will try to submit an issue on Github.