Howdy - Face authentication for Linux
A few days ago I've added a little bit of OpenCV-based Artificial Intelligence to my Linux laptop.
I've been wondering about the password prompt and ever and ever typing in this password after resume from sleep. But auto-login without password doesn't seem to be a good idea for a laptop.
So there is this small web cam above the display and I've found the Howdy-project which provides a plugin for the PAM-framework of Linux. At the moment there is only a Python version, but it is quite performant and works.
Howdy detects users' faces in front of their computer with the help of a webcam and log them in without password.
Well, on OpenSUSE not just out of the box.
There is a link to OpenSUSE wiki which points to this OBS RPM repository.
But these packages doesn't work at the moment of writing this in my environment. The python-dlib version is outdated and there are some other bugs in packaging.
So I've fixed this in my repository branch.
My branch would be merged to dmafanasyev with requests 903870 and 903869.
Because you could also install python-dlib with pip3 the python3-dlib RPM is only a recommendation. But the RPM is comfortable.
Now you can install the 2 fixed RPMs with your package manager.
It will provide the howdy command line tool and the PAM plugin.
The users in need for video/face auth have to be allowed to access the webcam device. This should be done with adding them to the Unix group video (if not already done).
sudo config (default variant)
Also by default howdy needs
sudo permission to run it as root by the user.
This could be done with the line
%wheel ALL=(root) NOPASSWD: /usr/bin/howdy *
With this example the user needs to be also in the wheel group.
pkexec script (alternative variant)
#!/bin/sh export PATH="/usr/bin:/bin" pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY howdy "$@" exit $?
Configuration of howdy
The config is in
The following settings I've changed from the default values:
# Print that face detection is being attempted detection_notice = false # Do not print anything when a face verification succeeds no_confirmation = true
These two settings make problems with the xfce4-screensaver locking if you use it with defaults.
And of course set the
# The path of the device to capture frames from # Should be set automatically by an installer if your distro has one device_path = /dev/video0
for your device.
Test your setup
howdy test or your pkexec script.
A small window should pop up and your webcam should be activated and its view should be shown in the window. A red circle is going around detected faces.
Detect your own user face
Enter the command
howdy add and follow the description on screen to add some recording data of your face to a local database
I've also created a symbolic link
root.dat -> $USER.dat on my laptop.
Some traps of face recognition
It is good practice to repeat the
howdy add at least 5-10 times for each situation.
In situations I understand...
- With/without glasses
- Different spatial environments
- Different day time/light situations
- Different makeup, stylings
If the beard is shaved you'll need your password and
howdy add your new look. ;-)
I've now around 25 face models added for my user. The list can be shown with
howdy list. (Help with
It is recognizing my face about 90% at the first try, and for sure I'll need to add some more records to be always faster then with my password.
You are not yet finished with your setup...
You should prefer to add this face recognition authentication to a bunch of auth variants where it makes mostly sense.
I've choosen (which depends a little bit on your graphical environment)...
/etc/pam.d/gnomesu-pam /etc/pam.d/polkit-1 /etc/pam.d/sudo /etc/pam.d/sudo-i /etc/pam.d/xdm /etc/pam.d/xfce4-screensaver
Just add the line
auth sufficient pam_python.so /usr/lib64/security/howdy/pam.py
as first entry to your PAM config files.
Disable passwordless sudo afterwards
As now we have setup a fast option to authenticate your sudo commands with your face, you can disable the often used passwordless sudo config.
So remove the
NOPASSWD from your line in
%wheel ALL=(ALL) NOPASSWD ALL
%wheel ALL=(ALL) ALL
The fallback option is happening out of the box.
If your face is not recognized as a valid user, your login is enabled to enter a password or for your other configured PAM methods.
Howdy provides a nice modernisation for your Linux desktop.
If you are in need of top safe, hack proof box you should go the way with hardware cryptographic tokens or stay at least with secure passwords.
For the normal day to day Linux user it is a more than welcome diversion.