How to use your Windows Hello IR Camera as PAM auth in Linux and KDE/Gnome with Howdy
I recently acquired a new HP Elitebook 835 G8, and it came with one of those Windows Hello infrared projector + sensors in the screen bezel that map your face as a login method. They’re quite nifty little things that appear to work somewhat like the Xbox Kinect used to work, so maybe some day we’ll figure out to use it as 3D scanner or something. But for now, lets at least get it to work as authentication device under Linux.
Note that Howdy uses general face detection algorithms, some webcams also work, although the IR webcam yields much faster and more stable results.
Howdy, partner
The central component in making this work this way is Howdy, which is a Python application that works more or less how Windows Hello works, and provides a module to use with PAM.
You can find more information about this project here: https://github.com/boltgolt/howdy
The Github readme itself explains a good part of the installation and set up, although it depends a little on the distro you have whether everything will work out of the box or require a bit more tweaking. I run Fedora myself, so I’ll write down a few notes regarding that below, as nothing will be done for you beyond the installation of the package files, and you have to set up the config manually.
Manual config of Howdy
If perchance not everything works out of the box, the Github page provides a good Common Issues page that explains how to fix a good deal of problems.
They also provide a bash script to automatically configure a good deal of the application if you’re on Fedora, but for me not everything was in place after that, PAM didn’t work with KDE for example (explained in next section) but you also still have to set the device manually;
run sudo howdy config to open the config in the default editor, and search for ‘device’. device_path should be set to something like /dev/video2, but it may differ per laptop. Note that /dev/video0 is probably your main webcam, which will also work, but not well, and can be spoofed much more easily. If you don’t see any video devices you may be missing some drivers, which is unfortunately out of scope for this blog.
Setting up PAM correctly
To actually make use of Howdy when authenticating, you must alter the PAM (Pluggable Authentication Modules) configuration to check with Howdy and either deem it sufficient to automatically log you in (see security note at the bottom), or use it in addition to your password or fingerprint reader.
PAM stores its configs in /etc/pam.d/. The file you have to edit depends on what you want to do;
If you want to:
- unlock your KDE Plasma screen locker, you need to edit
/etc/pam.d/kdeand/etc/pam.d/sddm - unlock your Gnome screen locker, you need to edit
/etc/pam.d/gdm-password - use it to authenticate your sudo attempts, you need to edit
/etc/pam.d/sudo
If your DM or auth-requiring application isn’t mentioned, try look in the directory, the naming should be fairly logical, and the idea is the same for all window managers I know of. Also note the last two won’t be needed if you ran the above bash script they provided.
You need to add the following line:
auth sufficient pam_python.so /lib64/security/howdy/pam.py
BEFORE the other auth lines. They are evaluated in order, and override each other as such.
Also note that if you want to use it in addition to your password you need to replace sufficient with [success=ok default=bad] (this took me some time to figure out, PAM is complex holy sh*t)
.. though I’m not sure if I recommend that until you got Howdy to run 100% smoothly and never not detect you. You can also only alter certain PAM files to do this, such as the screen locker, as you can circumvent that with a different terminal such as ctrl+alt+f3 and fix your config. Be careful with sudo though, obviously.
Notes on security
Howdy simply uses facial recognition algorithms to recognize your face, by default it uses HOG for this, if you configure it to use CNN it’s slightly more accurate but it requires GPU acceleration to run smoothly (it worked in 2-3 seconds on my elitebook so I’ll keep using it, though HOG is < 1 second).
If you have an infrared camera, you definitely yield harder to fake unique pictures, but at the end of the day an attacker who’s crafty enough may still be able to get it done. Beware of this.
The Github page for Howdy says explicitly not to use it as single authentication method, although depending on your environment and personal security needs it may be secure enough to unlock your screen, although stuff like sudo may be more sensitive to abuse.
It can also definitely provide some extra security by using it as a second factor in your authentication chain, combined with e.g a password, fingerprint reader, smartcard, external U2F dongle, etc (PAM is quite flexible)