On Windows 10 laptops, you might know Windows Hello, which allows you to log in using Face Identification. There is an equivalent for Linux, called Howdy.
GitHub - boltgolt/howdy: 🛡️ Windows Hello™ style facial authentication for Linux
But it’s not that secure, so I want to combine it with something else, like a fingerprint reader, but without entering a password.
Here’s what I want:
- Face ID AND Touch ID
- Password as a fallback
The reverse (password then other login methods) is very simple, but I don’t want to enter an empty password just to use the fancy tech :) The hard part is to refuse fingerprint login if Howdy failed to recognize your face.
⚠️ A misconfiguration in PAM can lock you out of your computer! Be sure to open a root terminal just in case, and always test all authentication scenarios before logging out.
Here’s what I came up with:
```
# face first: on success carry on, on any other result skip the next module
auth [success=ok default=1] pam_python.so /lib/security/howdy/pam.py
# fingerprint: on success jump over pam_unix, pam_sss and pam_deny to pam_permit
auth [success=3 default=ignore] pam_fprintd.so max_tries=1 timeout=10 # debug
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
```
So, if Howdy fails, PAM will skip (default=1) the next module (fingerprint) and fall through to the password modules.
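
The control flow of this stack, as an added example that is not part of the original post: a simplified Python model of how libpam treats the `ok`, `done`, `bad`, `die`, `ignore` and jump actions, run over every face / fingerprint / password combination. Assumptions: each module simply succeeds or fails, `pam_sss` always fails (no SSSD account), `pam_cap` succeeds, and module names are shortened.

```python
from itertools import product
# Keyword controls as (action on success, action on any other result).
KEYWORDS = {"required": ("ok", "bad"), "requisite": ("ok", "die"),
            "sufficient": ("done", "ignore"), "optional": ("ok", "ignore")}

# The auth stack from the post; an integer action means "skip N modules".
STACK = [
    ("howdy",   ("ok", 1)),        # [success=ok default=1]
    ("fprintd", (3, "ignore")),    # [success=3 default=ignore]
    ("unix",    "sufficient"),
    ("sss",     (1, "ignore")),    # [success=1 default=ignore]
    ("deny",    "requisite"),
    ("permit",  "required"),
    ("cap",     "optional"),
]

def authenticate(stack, results):
    """Model of the dispatch loop; returns (granted, modules that were called)."""
    impression, called, i = None, [], 0   # None = undecided so far
    while i < len(stack):
        name, control = stack[i]
        on_success, on_failure = KEYWORDS.get(control, control)
        action = on_success if results[name] else on_failure
        called.append(name)
        i += 1
        if isinstance(action, int):
            i += action                   # jump; the impression is unchanged
        elif action in ("ok", "done"):
            if impression is not False:
                impression = True
            if action == "done" and impression:
                break                     # sufficient: stop here with success
        elif action in ("bad", "die"):
            impression = False
            if action == "die":
                break                     # requisite: stop here with failure
    return impression is True, called     # "ignore" never changes anything

def scenarios(stack=STACK):
    """Outcome for every (face, fingerprint, password) combination."""
    table = {}
    for face, finger, password in product((True, False), repeat=3):
        results = {"howdy": face, "fprintd": finger, "unix": password,
                   "sss": False, "deny": False, "permit": True, "cap": True}
        table[(face, finger, password)] = authenticate(stack, results)
    return table

if __name__ == "__main__":
    for combo, (granted, called) in scenarios().items():
        print(combo, "GRANTED" if granted else "denied ", " -> ".join(called))
```

The table shows that the fingerprint module is only called after a face match, and that neither biometric alone grants access without the password.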