On Windows 10 laptops, you might know Windows Hello, which allows you to login using Face Identification.
There is an equivalent software for Linux, called Howdy.
But it's not that secure, so i want to combine it with something else, like a fingerprint reader, but without entering a password.
Here's what I want
- Face ID AND Touch ID
- Password as a fallback
The reverse (password then other login methods) is very simple, but i don't want to enter an empty password just to use the fancy tech :)
The hard part is to refuse Fingerprint login if Howdy failed to recognize your face.
Be sure to open a root terminal just in case, and always test all authentification scenarios before logging out
Here's what I came up with:
auth [success=ok default=1] pam_python.so /lib/security/howdy/pam.py
auth [success=3 default=ignore] pam_fprintd.so max_tries=1 timeout=10 # debug
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
So, if Howdy fails, PAM will skip (
default=1) the next module (fingerprint)