Howdy

From LinuxReviews
Jump to navigationJump to search
Howdy
Howdy-logo.jpg
Howdy lets you login using your face. It secretly stores snapshot pictures of failed and successful facial logins
Howdy lets you login using your face.
It secretly stores snapshot pictures of failed and successful facial logins
Original author(s)boltgolt
Initial releaseFebruary 14, 2018; 2 years ago (2018-02-14)
Stable release
2.6.1 / September 3, 2020; 2 months ago (2020-09-03)
Repositorygithub.com /boltgolt/howdy
Written inPython using OpenCV
EngineOpenCV
Operating systemDebian/Ubuntu, Arch Linux, Fedora and openSUSE
System-lock-screen.png

Howdy is a free facial recognition package that makes GNU/Linux systems capable of "Windows Helo" style authentication by showing your face to a web camera. Howdy provides a PAM module for the Linux PAM authentication system. That allows it to be used with common login managers like SDDM for KDE Plasma and LightDM for Xfce and others. It can also be used for things like sudo and anything else using PAM authentication.

Howdy can not be used for anything that is not PAM aware. You can not use it to unlock your system on boot if you use full disk encryption and there is currently no way of using it with things like the KDE Kwallet password manager, the GNOME keyring, GnuPG or other things of that nature.

Howdy can be used with most login managers, screensavers / screen locking programs and everything else that uses the standard Linux PAM authentication mechanism.

Installation

Installing The Package

The project provides source and packages for Debian only.

Debian

Debian users can download a .deb file from the github releases page and install it with apt or gdebi.

Arch Linux

There is a somewhat maintained AUR package for howdy. The ArchWiki has a page with Arch-specific instructions.

Fedora

Howdy is not in the regular Fedora repositories. There are several Copr repositories with Howdy. You can enable one which works:

sudo dnf copr enable principis/howdy
sudo dnf install howdy

Fedora users will, additionally, have to create and install a SELinux module. See Howdy/SELinux.

Ubuntu

There is a PPA for Ubuntu available. You can enable it and install Howdy on Ubuntu with:

sudo add-apt-repository ppa:boltgolt/howdy
sudo apt update
sudo apt install howdy

Other distributions

See opensuse.org/SDB:Facial_authentication for OpenSUSE instructions.

System Configuration

Howdy-2.6.1-run-me-as-root.jpg
Howdo will insist that root runs sudo to.. run as.. root.

Howdy is configured using the file /lib/security/howdy/config.ini or /lib64/security/howdy/config.ini depending on what distribution you are using. It should really be configured by a file in /etc/security instead of a random file among the system libraries but that's not the case (this should tell you something).

You can make howdy open the correct file by running

sudo howdy config

and you will have to run sudo howdy config because it will tell you "Please run this command as root:" even if you are root. It's that stupid:

File: /usr/bin/howdy
if os.getenv("SUDO_USER") is None:
        print("Please run this command as root:\n")
        print("\tsudo howdy " + " ".join(sys.argv[1:]))

You will, at minimum, need to set device_path in the [video] section in that file to a valid web camera device. That would be /dev/video0 unless you have more than some cameras for some reason and you prefer a specific one.

File: /lib64/security/howdy/config.ini
[video]
device_path = /dev/video0

You should use a simple web camera viewer like guvcview to check if the device you set actually works. It defaults to using /dev/video0. You can start it with guvcview --device=VIDEO_DEVICE[1] to check if another device works.

Howdy is not very useful if it is not possible actually use it to login using your login manager. You will need to set Howdy up in the PAM files for your login manager and perhaps other PAM files too if you want to use it for things like sudo.

You will generally want to add

auth  sufficient  pam_python.so /lib/security/howdy/pam.py

or, if howdy installed in /lib64/security/howdy/

auth  sufficient  pam_python.so /lib64/security/howdy/pam.py

in the "right" spot. That's typically on a line following

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth	   required    pam_env.so

LightDM

Lightdm using howdy to identify face.jpg
The LightDM login manager using Howdy to identify who's in front of the computers webcam.

Edit /etc/pam.d/lightdm to add a line with

auth       sufficient  pam_python.so /lib64/security/howdy/pam.py

or

auth       sufficient  pam_python.so /lib/security/howdy/pam.py

depending on where your package installed Howdy. That line should be added after

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth	   required    pam_env.so

The first few lines of /etc/pam.d/lightdm with Howdy added on Fedora looks like:

File: /etc/pam.d/lightdm
#%PAM-1.0
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth	   required    pam_env.so
auth       sufficient  pam_python.so /lib64/security/howdy/pam.py
auth       substack    system-auth

LightDM will activate Howdy and try to identify you the moment you select a user-name. You can make it check the camera again by smashing the Login button without entering a password.

ssdm (The KDE login manager)

Edit /etc/pam.d/sddm and add:

auth  sufficient  pam_python.so /lib64/security/howdy/pam.py

to the first line in that file after #%PAM-1.0:

so the first few lines look something like:

File: /etc/pam.d/lightdm
#%PAM-1.0
#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       sufficient      pam_python.so /lib64/security/howdy/pam.py
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so

Note that ssdm will not not activate the web camera and try to identify the user in front of it before a user account is selected and the > button to login is pressed.

sudo

Sudo with howdy identified face.jpg
sudo access authenticated using a laptops built-in web camera.

Add

auth  sufficient  pam_python.so /lib64/security/howdy/pam.py

To the line immediately below #%PAM-1.0 in /etc/pam.d/sudo so the first lines look like:

File: /etc/pam.d/lightdm
#%PAM-1.0
auth  sufficient  pam_python.so /lib64/security/howdy/pam.py
auth       include      system-auth
account    include      system-auth

xscreenaver

Using Howdy with the xscreensaver screen locker is possible but it requires opening a gaping security hole.

Howdy will try to authenticate with this line at the beginning of /etc/pam.d/xscreensaver:

auth     sufficient  pam_python.so /lib64/security/howdy/pam.py

That alone will fail. Running xscreensaver & and xscreensaver-command -prefs in a terminal shows why:

Traceback (most recent call last):
  File "/lib64/security/howdy/compare.py", line 95, in <module>
    models = json.load(open(PATH + "/models/" + user + ".dat"))
PermissionError: [Errno 13] Permission denied: '/lib64/security/howdy/models/chaekyung.dat'

It is possible to by-pass/"fix" this permission problem with:

chmod o+rx /lib64/security/howdy/models

You may or may not want to do that to make facial authentication with xscreensaver work. /models is where all the facial recognition data is stored. Giving any and all users read access to that folder may be fine and it may be something you see as a security risk.

Adding And Managing Faces

Howdy lacks any kind of user-friendly way to add or mange facial images. The correct not very user-friendly procedure for adding a facial image for a given user-account is to login to that user-account and run howdo add with sudo to give it root permissions. You must use sudo.

There is a -U option you can use to specify -U username but you can't just run howdy -U someusername as either a regular user or root. That would clearly be too simple so it is now allowed. You must login to a regular user account and run:

sudo howdy add

or, if you want to add a face for some other persons user-account:

sudo howdy -U yourex add

You of course add face login images to anyone's account as long as you sudo and use -U because preventing that would be basic security.

You may want to run a simple webcam program like guvcview too see what your camera sees before you run this command. It may abort and say "Multiple faces detected, aborting" if there is noise like a painting in the background.

Howdy will ask you "Enter a label for this new model". That means it wants you to give the picture some description like "longbeard" or "shaved".

There is no way simple way to the howdy python script to test it the picture you set is recognized or not because that would be very useful before you start trying to make it work with login-managers and screensavers and things like that.

You can of course test it by starting or returning to the login manager you use and see if it turns the camera on and tries to identify your face. You can also test if by running sudo if you set Howdy up to allow sudo authentication.

Adding a lot of different pictures with your head tilted slightly makes it recognize you more easily than if you just add a single picture.

You can list all the faces you have stored with

sudo howdy list

(again, running with sudo is a requirement).

The list will show an ID number for each picture it has taken. A specific face model/image can be removed with

sudo remove #

where # is a ID number. You can also eradicate all the pictures it has stored with:

sudo howdy clear

Do note that it really will eradicate all the facial recognition data, not just your own, when you ask it to clear.

Security

The following does not work:

  1. Take a picture with a laptops web camera
  2. Copy that picture to a desktop computer
  3. Display the picture on the desktop computers screen
  4. Place the laptop in front of the desktop computers screen
  5. Verify with guvcview on the laptop's camera is pointing at the display
  6. Logout and try to authenticate using the picture on the monitor

This doesn't mean it's such secure. It just means that you can't just show a picture of someone on the computer screen and use that to fake facial recognition.

Other Useful Features

You can temporarily turn facial recognition authentication off if/when you leave home with:

sudo howdy disable 1

and re-enable it when you are in a safe location with:

sudo howdy disable 0

How much benefit there is to occasionally temporarily disabling face authentication is a bit questionable. You can't really rely on always running sudo howdy disable 1 when some stranger rings your door-bell.

Facial Log

Howdy webcam snapshot images.jpg
Howdy stores snapshots of all failed and successful logins using Howdy.

Looking at the various files and folders Howdy interacts with after playing around with it lead to one somewhat surprising discovery:

Howdy stores a picture in /usr/lib64/security/howdy/snapshots/ every time you use it!

More disturbing, that folder has permissions set to 755 (drwxr-xr-x.) and the images stored in that folder have the permission 644 (-rw-r--r--.).

What this means is that anyone with a user account on a system using Howdy can browse a growing collection of pictures taken every single time someone used Howdy to authenticate!

Verdict And Conclusion

Howdy works and it can be a nice addition to a laptop if you are a wizard capable of installing it and setting it up correctly and you spend some doing so. It does work with the SDDM KDE login manager, LightDM and sudo and it will likely work with other login managers and screensavers.

Facial authentication works fine most of the time. It's not perfect. It will not recognize you if there is too little light in the room or if the angle is bad or if you're wearing a hat - unless you trained it with a few pictures of you in a hat.

There are a few problems with it that one may want to consider beyond the pure facial recognition functionality.

Howdy takes snapshots and stores them both when someone fails to authenticate and when someone successfully authenticates. That is a security concern and a potential problem. That is specially true since all users have read access to those pictures by default. That these images are stored in a folder in /usr/lib64/ or /usr/lib/ raises another big red flag: Why on earth is this program storing any user data in /usr/lib when $HOME/.config, $HOME/.local and /var exist? The right thing to do would be to store the per-user facial recognition data in the home folder of the user that data belongs to. Storing it in /var would be the second choice. Storing user-data in /usr/lib is very poor taste and, quite frankly, border-line disgusting.

There are some general serious security problems with using your face as a login password. Someone could tie you to a chair and hold the laptop up in front of you and use your face to login without your permission. You may or may not have bigger problems to worry about if you find yourself in that situation. It may also be possible to fool Howdy into thinking something else is you. Just showing a picture of yourself on a computer screen and pointing the camera at that isn't enough, though. We just had to test that one and it doesn't work.

Using facial recognition should, in general, at best be seen as something closer to no password than a good password in terms of security. It may be convenient but it is not the best you can do in terms of security. That being said, if face recognition similar to "Windows Hello" is what you when then Howdy is likely for you. It works fine once you have installed and configured it and it will recognize you most of the time as long as there is enough light in the room and your face is actually with the frame web camera captures.

Footnotes

  1. man.linuxreviews.org: guvcview.1

Links

The Howdy GitHub repository / homepage is at github.com/boltgolt/howdy.

Add your comment
LinuxReviews welcomes all comments. If you do not want to be anonymous, register or log in. It is free.