Howdy
Howdy lets you login using your face. It secretly stores snapshot pictures of failed and successful facial logins.
Original author(s) | boltgolt |
---|---|
Initial release | February 14, 2018 |
Stable release | 2.6.1 / September 3, 2020 |
Repository | github.com/boltgolt/howdy |
Written in | Python using OpenCV |
Engine | OpenCV |
Operating system | Debian/Ubuntu, Arch Linux, Fedora and openSUSE |
Howdy is a free facial recognition package that makes GNU/Linux systems capable of "Windows Hello" style authentication by showing your face to a web camera. Howdy provides a PAM module for the Linux PAM authentication system. That allows it to be used with common login managers like SDDM for KDE Plasma and LightDM for Xfce and others. It can also be used for things like sudo and anything else using PAM authentication.
Howdy can not be used for anything that is not PAM aware. You can not use it to unlock your system on boot if you use full disk encryption and there is currently no way of using it with things like the KDE Kwallet password manager, the GNOME keyring, GnuPG or other things of that nature.
Howdy can be used with most login managers, screensavers / screen locking programs and everything else that uses the standard Linux PAM authentication mechanism.
Installation
Installing The Package
The project provides source and packages for Debian only.
Debian
Debian users can download a .deb file from the GitHub releases page and install it with apt or gdebi.
Arch Linux
There is a somewhat maintained AUR package for howdy. The ArchWiki has a page with Arch-specific instructions.
Fedora
Howdy is not in the regular Fedora repositories. There are several Copr repositories with Howdy. You can enable one which works:
sudo dnf copr enable principis/howdy
sudo dnf install howdy
Fedora users will, additionally, have to create and install a SELinux module. See Howdy/SELinux.
Ubuntu
There is a PPA for Ubuntu available. You can enable it and install Howdy on Ubuntu with:
sudo add-apt-repository ppa:boltgolt/howdy
sudo apt update
sudo apt install howdy
Other distributions
See opensuse.org/SDB:Facial_authentication for openSUSE instructions.
System Configuration
Howdy will insist that root runs sudo to.. run as.. root.
Howdy is configured using the file /lib/security/howdy/config.ini or /lib64/security/howdy/config.ini depending on what distribution you are using. It should really be configured by a file in /etc/security instead of a random file among the system libraries but that's not the case (this should tell you something).
You can make howdy open the correct file by running
sudo howdy config
and you will have to run sudo howdy config because it will tell you "Please run this command as root:" even if you are root. It's that stupid; the check below looks for the SUDO_USER environment variable rather than at which user is running it:
import os
import sys
# Passes only when SUDO_USER is set in the environment, which sudo does
if os.getenv("SUDO_USER") is None:
    print("Please run this command as root:\n")
    print("\tsudo howdy " + " ".join(sys.argv[1:]))
You will, at minimum, need to set device_path in the [video] section in that file to a valid web camera device. That would be /dev/video0 unless you have more than one camera for some reason and you prefer a specific one.
[video]
device_path = /dev/video0
You should use a simple web camera viewer like guvcview to check if the device you set actually works. It defaults to using /dev/video0. You can start it with guvcview --device=VIDEO_DEVICE [1] to check if another device works.
Howdy is not very useful if it is not possible to actually use it to login using your login manager. You will need to set Howdy up in the PAM files for your login manager and perhaps other PAM files too if you want to use it for things like sudo.
You will generally want to add
auth sufficient pam_python.so /lib/security/howdy/pam.py
or, if howdy is installed in /lib64/security/howdy/
auth sufficient pam_python.so /lib64/security/howdy/pam.py
in the "right" spot. That's typically on a line following
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
LightDM
The LightDM login manager using Howdy to identify who's in front of the computer's webcam.
Edit /etc/pam.d/lightdm to add a line with
auth sufficient pam_python.so /lib64/security/howdy/pam.py
or
auth sufficient pam_python.so /lib/security/howdy/pam.py
depending on where your package installed Howdy. That line should be added after
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
The first few lines of /etc/pam.d/lightdm with Howdy added on Fedora look like:
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
auth sufficient pam_python.so /lib64/security/howdy/pam.py
auth substack system-auth
LightDM will activate Howdy and try to identify you the moment you select a user-name. You can make it check the camera again by smashing the button without entering a password.
SDDM (The KDE login manager)
Edit /etc/pam.d/sddm and add:
auth sufficient pam_python.so /lib64/security/howdy/pam.py
to the first line in that file after #%PAM-1.0 so the first few lines look something like:
#%PAM-1.0
#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth sufficient pam_python.so /lib64/security/howdy/pam.py
auth substack system-auth
auth include postlogin
account required pam_nologin.so
Note that sddm will not activate the web camera and try to identify the user in front of it before a user account is selected and the button to login is pressed.
sudo
sudo access authenticated using a laptop's built-in web camera.
Add
auth sufficient pam_python.so /lib64/security/howdy/pam.py
to the line immediately below #%PAM-1.0 in /etc/pam.d/sudo so the first lines look like:
#%PAM-1.0
auth sufficient pam_python.so /lib64/security/howdy/pam.py
auth include system-auth
account include system-auth
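Each of the PAM edits above (LightDM, sddm, sudo) puts Howdy in the auth stack as sufficient, so it is worth knowing which services accept a face match and what they skip when it succeeds. The following audit script is an added example, not part of Howdy or of the original page; the function names and the result keys are made up for illustration, and the sample is the Fedora lightdm excerpt shown earlier.

```python
import re
from pathlib import Path

# Module path as written on this page (/lib or /lib64 .../howdy/pam.py).
HOWDY_RE = re.compile(r"pam_python\.so\s+\S*/howdy/pam\.py")
AUTH_RE = re.compile(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(.+)")

def auth_entries(text):
    """Return (control, module-and-args) for each active auth line."""
    entries = []
    for raw in text.splitlines():
        m = AUTH_RE.match(raw.strip())  # lines starting with '#' never match
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def audit_service(text):
    """Summarise how one PAM service file uses Howdy; None if it does not."""
    entries = auth_entries(text)
    for pos, (control, rest) in enumerate(entries):
        if HOWDY_RE.search(rest):
            return {
                "control": control,
                "position": pos,
                # 'sufficient': a face match ends the auth stack with success
                "face_match_is_enough": control == "sufficient",
                "skipped_on_match": [r.split()[0] for _, r in entries[pos + 1:]],
            }
    return None

def audit_pam_dir(pam_dir="/etc/pam.d"):
    """Map service name -> audit result for every service that uses Howdy."""
    found = {}
    for path in sorted(Path(pam_dir).iterdir()):
        if path.is_file():
            result = audit_service(path.read_text(errors="replace"))
            if result:
                found[path.name] = result
    return found

# Constructed sample: the Fedora /etc/pam.d/lightdm excerpt from this page.
SAMPLE_LIGHTDM = """#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_env.so
auth sufficient pam_python.so /lib64/security/howdy/pam.py
auth substack system-auth
"""
if __name__ == "__main__":
    print(audit_service(SAMPLE_LIGHTDM))
```

Running audit_pam_dir() on a real system lists every service where a face match alone is accepted, which is the inventory to review before deciding where Howdy belongs.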
xscreensaver
Using Howdy with the xscreensaver screen locker is possible but it requires opening a gaping security hole.
Howdy will try to authenticate with this line at the beginning of /etc/pam.d/xscreensaver:
auth sufficient pam_python.so /lib64/security/howdy/pam.py
That alone will fail. Running xscreensaver & and xscreensaver-command -prefs in a terminal shows why:
Traceback (most recent call last):
  File "/lib64/security/howdy/compare.py", line 95, in <module>
    models = json.load(open(PATH + "/models/" + user + ".dat"))
PermissionError: [Errno 13] Permission denied: '/lib64/security/howdy/models/chaekyung.dat'
It is possible to bypass/"fix" this permission problem with:
chmod o+rx /lib64/security/howdy/models
You may or may not want to do that to make facial authentication with xscreensaver work. /models is where all the facial recognition data is stored. Giving any and all users read access to that folder may be fine and it may be something you see as a security risk.
Adding And Managing Faces
Howdy lacks any kind of user-friendly way to add or manage facial images. The correct, not very user-friendly, procedure for adding a facial image for a given user-account is to login to that user-account and run howdy add with sudo to give it root permissions. You must use sudo.
There is a -U option you can use to specify -U username but you can't just run howdy -U someusername as either a regular user or root. That would clearly be too simple so it is not allowed. You must login to a regular user account and run:
sudo howdy add
or, if you want to add a face for some other person's user-account:
sudo howdy -U yourex add
You can of course add face login images to anyone's account as long as you use sudo and -U because preventing that would be basic security.
You may want to run a simple webcam program like guvcview to see what your camera sees before you run this command. It may abort and say "Multiple faces detected, aborting" if there is noise like a painting in the background.
Howdy will ask you "Enter a label for this new model". That means it wants you to give the picture some description like "longbeard" or "shaved".
There is no simple way to use the howdy Python script to test if the picture you set is recognized or not because that would be very useful before you start trying to make it work with login-managers and screensavers and things like that.
You can of course test it by starting or returning to the login manager you use and see if it turns the camera on and tries to identify your face. You can also test it by running sudo if you set Howdy up to allow sudo authentication.
Adding a lot of different pictures with your head tilted slightly makes it recognize you more easily than if you just add a single picture.
You can list all the faces you have stored with
sudo howdy list
(again, running with sudo is a requirement).
The list will show an ID number for each picture it has taken. A specific face model/image can be removed with
sudo howdy remove #
where # is an ID number. You can also eradicate all the pictures it has stored with:
sudo howdy clear
Do note that it really will eradicate all the facial recognition data, not just your own, when you ask it to clear.
Security
The following does not work:
- Take a picture with a laptop's web camera
- Copy that picture to a desktop computer
- Display the picture on the desktop computer's screen
- Place the laptop in front of the desktop computer's screen
- Verify with guvcview that the laptop's camera is pointing at the display
- Logout and try to authenticate using the picture on the monitor
This doesn't mean it's secure as such. It just means that you can't just show a picture of someone on the computer screen and use that to fake facial recognition.
Other Useful Features
You can temporarily turn facial recognition authentication off if/when you leave home with:
sudo howdy disable 1
and re-enable it when you are in a safe location with:
sudo howdy disable 0
How much benefit there is to occasionally temporarily disabling face authentication is a bit questionable. You can't really rely on always running sudo howdy disable 1 when some stranger rings your door-bell.
Facial Log
Howdy stores snapshots of all failed and successful logins using Howdy.
Looking at the various files and folders Howdy interacts with after playing around with it led to one somewhat surprising discovery:
Howdy stores a picture in /usr/lib64/security/howdy/snapshots/ every time you use it!
More disturbing, that folder has permissions set to 755 (drwxr-xr-x.) and the images stored in that folder have the permission 644 (-rw-r--r--.).
What this means is that anyone with a user account on a system using Howdy can browse a growing collection of pictures taken every single time someone used Howdy to authenticate!
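A way to check a system for the 755/644 exposure described above, and for the models folder opened up in the xscreensaver section. This is an added example, not Howdy's code or the original page's; the function names are illustrative, and the /lib and /usr/lib variants of the install root are assumptions for distributions that place Howdy there.

```python
import os
import stat
from pathlib import Path

# Install roots and sub-directories named on this page; which root exists
# depends on the distribution, so every combination is checked (assumption).
ROOTS = ["/lib/security/howdy", "/lib64/security/howdy",
         "/usr/lib/security/howdy", "/usr/lib64/security/howdy"]
SUBDIRS = ["snapshots", "models"]

def exposed_entries(directory):
    """Return [(path, octal mode)] that users outside owner/group can reach."""
    directory = Path(os.path.realpath(directory))  # /lib is often a symlink
    try:
        top = directory.lstat().st_mode
    except FileNotFoundError:
        return []
    hits = []
    if top & stat.S_IRWXO:
        hits.append((str(directory), oct(stat.S_IMODE(top))))
    if not stat.S_ISDIR(top) or not top & stat.S_IXOTH:
        return hits  # others cannot enter, so files inside are out of reach
    for entry in sorted(directory.iterdir()):
        mode = entry.lstat().st_mode
        if stat.S_ISREG(mode) and mode & stat.S_IROTH:
            hits.append((str(entry), oct(stat.S_IMODE(mode))))
    return hits

def strip_other_access(path):
    """Equivalent of chmod o-rwx on a single path."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IRWXO)

def audit_howdy_data():
    """Check every candidate Howdy data directory; run as root to read them."""
    report = {}
    for root in ROOTS:
        for sub in SUBDIRS:
            real = os.path.realpath(os.path.join(root, sub))
            hits = exposed_entries(real)
            if hits:
                report[real] = hits
    return report

if __name__ == "__main__":
    for directory, hits in audit_howdy_data().items():
        print(f"{directory}: {len(hits)} world-accessible entries")
        for path, mode in hits:
            print(f"  {mode}  {path}")
```

strip_other_access() on the snapshots folder removes the access for other users; whether Howdy keeps working afterwards for PAM clients that do not run as root, as in the xscreensaver case, has to be tested on the system in question.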
Verdict And Conclusion
Howdy works and it can be a nice addition to a laptop if you are a wizard capable of installing it and setting it up correctly and you spend some time doing so. It does work with the SDDM KDE login manager, LightDM and sudo and it will likely work with other login managers and screensavers.
Facial authentication works fine most of the time. It's not perfect. It will not recognize you if there is too little light in the room or if the angle is bad or if you're wearing a hat - unless you trained it with a few pictures of you in a hat.
There are a few problems with it that one may want to consider beyond the pure facial recognition functionality.
Howdy takes snapshots and stores them both when someone fails to authenticate and when someone successfully authenticates. That is a security concern and a potential problem. That is especially true since all users have read access to those pictures by default. That these images are stored in a folder in /usr/lib64/ or /usr/lib/ raises another big red flag: Why on earth is this program storing any user data in /usr/lib when $HOME/.config, $HOME/.local and /var exist? The right thing to do would be to store the per-user facial recognition data in the home folder of the user that data belongs to. Storing it in /var would be the second choice. Storing user-data in /usr/lib is very poor taste and, quite frankly, border-line disgusting.
There are some general serious security problems with using your face as a login password. Someone could tie you to a chair and hold the laptop up in front of you and use your face to login without your permission. You may or may not have bigger problems to worry about if you find yourself in that situation. It may also be possible to fool Howdy into thinking something else is you. Just showing a picture of yourself on a computer screen and pointing the camera at that isn't enough, though. We just had to test that one and it doesn't work.
Using facial recognition should, in general, at best be seen as something closer to no password than a good password in terms of security. It may be convenient but it is not the best you can do in terms of security. That being said, if face recognition similar to "Windows Hello" is what you want then Howdy is likely for you. It works fine once you have installed and configured it and it will recognize you most of the time as long as there is enough light in the room and your face is actually within the frame the web camera captures.
Footnotes
- [1] man.linuxreviews.org: guvcview.1
Links
The Howdy GitHub repository / homepage is at github.com/boltgolt/howdy.