My laptop is an Acer Swift 3. It has a fingerprint sensor, but there’s no Linux driver for this one (last time I checked).
So since I like Windows Hello, I decided to set up face recognition. I’m running openSUSE Tumbleweed (up to date). I found out that the way to go about this was to use howdy.
But after (a very painful because of python dependencies issues) installing howdy and adding the 3 files mentioned here in the PAM section (btw I basically followed exactly the instructions from this page to setup my system), I found out that:
sudo howdy --user myusername add works (I can save a few faces)
sudo howdy test returns errors, as follows:
[ WARN:0@0.374] OpenCV | GStreamer warning: Embedded video playback halted; module source reported: Could not read from resource.
[ WARN:0@0.374] OpenCV | GStreamer warning: unable to start pipeline
[ WARN:0@0.374] OpenCV | GStreamer warning: GStreamer: pipeline have not been created
Opening a window with a test feed
Press ctrl+C in this terminal to quit
Click on the image to enable or disable slow mode
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.
Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, xcb.
(I did try reinstalling xcb but it didn’t help)
after editing howdy.conf so as to allow to run the command without sudo privileges, howdy test works, I can see my face being detected live on the screen.
as long as I complete the steps from the tutorial linked above, when I log out howdy doesn’t activate but more importantly I can’t log in anymore, passwords no longer work!!! And if I change TTY even usernames are not valid anymore (not even root!). So my only option was to rollback to a system snapshot generated before I edited PAM config.
About PAM config: I didn’t have the files sddmlogin and kde in my pam.d directories, so I created empty ones and wrote
I’m using KDE (Plasma I think). I’ll try installing those two packages! What about /etc/pam.d/login?
EDIT: “nothing to do”, they’re both installed all right. Yet /etc/pam.d/ does not contain neither login nor sddm, and /usr/etc/pam.d/ is simply empty (so no kde file).
You do not say which directories; are we supposed to guess what you did?
Assuming you are talking about /etc/pam.d - congratulations, you completely disabled any authentication except howdy.
Default PAM configuration for most components is shipped in /usr/lib/pam.d (which you are not supposed to edit). Most PAM services that deal with user authentication include common-auth PAM module. By default it is managed by pam-config tool which writes its result in /etc/pam.d as common-auth-pc and creates links /etc/pam.d/common-auth to it. So if you want to change configuration of any PAM service you should copy it from /usr/lib/pam.d to /etc/pam.d and modify there.
And when you describe what you did - step back, read what you wrote and ask yourself - would you understand what happened if you saw it for the first time? Always provide exact details, do not write “in well known place” or “in my directories” because others may have different idea what is “theirs” and what is “well known”.
Yes, sorry for the inprecision. For sddmand login I’m talking /etc/pam.d/ and for kde I’m talking /usr/etc/pam.d/.
Yes I figured out I did something of that order. I broke completly my Linux right now, but for later can you specify how to use the pam-config command? I didn’t understand the man page and explainations online.
So I guess I sould use that command to add my howdy config to common-auth? How would that look like exactly?
pam-config is used to manage known PAM modules and is called automatically when package with such supported module is installed/updated. It has hardcoded list of modules it supports, so unfortunately you cannot use it to manage unknown modules like howdy. If you want to add howdy to common-auth, you should remove the link, copy common-auth-pc as common-auth and edit. From now on any future changes in common-auth-pc will be invisible. All of this is described in even more details in comments in common-auth-pc (or for that matter any *-pc file in /etc/pam.d).
Sould I just append auth sufficient pam_python.so /usr/lib64/security/howdy/pam.py at the end? Or the beginning? And should I remove one of the old entries?
Logically you use face recognition to avoid entering password so you certainly do not want to have it after pam_unix. Because successful sufficient module execution will not process further modules, you probably do not want it to be the first. So I’d say - immediately before pam_unix.
It is entirely up to you. If you do not want to have password as fallback, you can of course remove pam_unix … but have not you already effectively tried it?
It sounds like it is graphical application which fails to access your $DISPLAY. So you need to make sure sudo preserves $DISPLAY environment variable and user root is allowed to access it. For the former look at /etc/sudoers and man sudoers, specifically env_keep. For the latter you can (for one off) just do xhost + or add pam_xauth to sudo PAM configuration or tell sudo to preserve $XAUTHORITY variable or do xhost +si:localuser:root and I am sure this list is not complete.
I assume your software has some logs and options to enable more verbose/debug logging. You probably have more luck asking on dedicated support channels for your software but if you post logs from it, someone may try to guess what happens.
