
# PAM authentication with Howdy, fingerprint and password


On Windows 10 laptops, you might know Windows Hello, which allows you to log in using face identification.
There is equivalent software for Linux, called Howdy¹.

GitHub - boltgolt/howdy: 🛡️ Windows Hello™ style facial authentication for Linux²

But it's not that secure, so I want to combine it with something else, like a fingerprint reader, but without entering a password.

Here's what I want:

* Face ID AND Touch ID
* Password as a fallback

The reverse (password then other login methods) is very simple, but I don't want to enter an empty password just to use the fancy tech :)
The hard part is to refuse fingerprint login if Howdy failed to recognize your face.

⚠️ A misconfiguration in PAM can lock you out of your computer!
Be sure to open a root terminal just in case, and always test all authentication scenarios before logging out.

Here's what I came up with:

```shell
auth    [success=ok default=1]        pam_python.so /lib/security/howdy/pam.py
auth    [success=3 default=ignore]    pam_fprintd.so max_tries=1 timeout=10 # debug
auth    sufficient                    pam_unix.so try_first_pass likeauth nullok
auth    [success=1 default=ignore]    pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                     pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                      pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                      pam_cap.so
# end of pam-auth-update config
```

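So, if Howdy fails, PAM skips the next module (`default=1`), which is the fingerprint check, and goes straight to the password modules. If Howdy succeeds and the fingerprint also matches, `success=3` jumps over `pam_unix.so`, `pam_sss.so` and `pam_deny.so` and lands on `pam_permit.so`. If Howdy succeeds but the fingerprint fails, the result is ignored and the password is asked as a fallback.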
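
The jump counts are easy to get wrong by one, so it helps to walk every combination before editing the real file. The following Python sketch is an added example, not part of the original post or of Howdy: it models Linux-PAM's control actions (`ok`, `done`, `bad`, `die`, `ignore`, jump N) for the seven `auth` lines above and lists which modules get called for each face/fingerprint/password outcome. It assumes `pam_sss.so` has no entry for the user and `pam_cap.so` returns success.

```python
from itertools import product

# The auth stack from the post as (module, action on success, action on failure).
# sufficient / requisite / required / optional are written as their bracket forms.
STACK = [
    ("howdy",       "ok",   1),         # [success=ok default=1]
    ("pam_fprintd", 3,      "ignore"),  # [success=3 default=ignore]
    ("pam_unix",    "done", "ignore"),  # sufficient
    ("pam_sss",     1,      "ignore"),  # [success=1 default=ignore]
    ("pam_deny",    "ok",   "die"),     # requisite
    ("pam_permit",  "ok",   "bad"),     # required
    ("pam_cap",     "ok",   "ignore"),  # optional
]

def run_stack(results, stack=STACK):
    """Return (granted, modules_called) for a dict of module name -> success."""
    impression, called, i = None, [], 0    # impression: None, True or False
    while i < len(stack):
        name, on_ok, on_fail = stack[i]
        called.append(name)
        action = on_ok if results[name] else on_fail
        i += 1
        if isinstance(action, int):        # jump: skip the next N modules
            i += action
        elif action in ("ok", "done"):
            if impression is None:         # a positive result never overrides a failure
                impression = True
            if action == "done" and impression:
                break
        elif action in ("bad", "die"):
            impression = False
            if action == "die":
                break
        # "ignore" leaves the running result untouched
    return impression is True, called

def scenario(face, finger, password):
    # Assumptions: pam_sss knows no such user, pam_cap returns success.
    return run_stack({"howdy": face, "pam_fprintd": finger, "pam_unix": password,
                      "pam_sss": False, "pam_deny": False,
                      "pam_permit": True, "pam_cap": True})

if __name__ == "__main__":
    for face, finger, pw in product([True, False], repeat=3):
        granted, called = scenario(face, finger, pw)
        print(f"face={face!s:5} finger={finger!s:5} password={pw!s:5} "
              f"-> {'GRANT' if granted else 'DENY '} via {called}")
```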



=> https://github.com/boltgolt/howdy 🔗 [1]: Howdy
=> https://github.com/boltgolt/howdy 🔗 [2]: GitHub - boltgolt/howdy: 🛡️ Windows Hello™ style facial authentication for Linux
