Please describe the issue in as much detail as possible, including any errors and traces.If your issue is a camera issue, be sure to also post the image generated by running sudo howdy snapshot.
[x] I've searched for similar issues already, and my issue has not been reported yet.
Linux distribution (if applicable): Fedora 40 (modified silverblue, howdy is installed via this treefile
Howdy version (sudo howdy version):
sudo LANG=C howdy version
Howdy 3.0.0 BETA
Installed via Copr, I noticed with the issue with version tagged as git344eb34. But I can't tell if previous version have same problem.
Problem
When abort_if_ssh = true is set, howdy still gets activated in ssh session.
I understand this code is responsible for checking if the authenicate request is from ssh session by getting the SSH related environment variables. But this did not work on my machine. I am unfamiliar with PAM so I need help troubleshooting this.
Howdy config.inf
Click me
# Howdy config file
# Press CTRL + X to save in the nano editor
[core]
# Print that face detection is being attempted
detection_notice = true
# Print that face detection has timed out
timeout_notice = true
# Do not print anything when a face verification succeeds
no_confirmation = true
# When a user without a known face model tries to use this script, don't
# show an error but fail silently
suppress_unknown = false
# Disable Howdy in remote shells
abort_if_ssh = true
# Disable Howdy if lid is closed
abort_if_lid_closed = true
# Disable howdy in the PAM
# The howdy command will still function
disabled = false
# Use CNN instead of HOG
# CNN model is much more accurate than the HOG based model, but takes much more
# power to run, and is meant to be executed on a GPU to attain reasonable speed.
use_cnn = false
# Set a workaround to do face and password authentication at the same time
# off user will have to press enter themselves after a Howdy timeout
# input will send an enter keypress to stop the password prompt
# native will stop the prompt at PAM level (can lead to instability!)
workaround = native
[video]
# The certainty of the detected face belonging to the user of the account
# On a scale from 1 to 10, values above 5 are not recommended
# The lower, the more accurate
certainty = 3.5
# The number of seconds to search before timing out
timeout = 10
# The path of the device to capture frames from
# Video devices are usually found in /dev/v4l/by-path/
device_path = /dev/v4l/by-path/pci-0000:00:14.0-usb-0:6:1.2-video-index0
# Print a warning if the the video device is not found
warn_no_device = true
# Scale down the video feed to this maximum height
# Speeds up face recognition but can make it less precise
max_height = 320
# Set the camera input profile to this width and height
# The largest profile will be used if set to -1
# Automatically ignored if not a valid profile
frame_width = -1
frame_height = -1
# Because of flashing IR emitters, some frames can be completely unlit
# Skip the frame if the lowest 1/8 of the histogram is above this percentage
# of the total
# The lower this setting is, the more dark frames are ignored
dark_threshold = 60
# The recorder to use. Can be either opencv (default), ffmpeg or pyv4l2.
# Switching from the default opencv to ffmpeg can help with grayscale issues.
recording_plugin = opencv
# Video format used by ffmpeg. Options include vfwcap or v4l2.
# FFMPEG only.
device_format = v4l2
# Force the use of Motion JPEG when decoding frames, fixes issues with YUYV
# raw frame decoding.
# OPENCV only.
force_mjpeg = false
# Specify exposure value explicitly. This disables autoexposure.
# Use qv4l2 to determine an appropriate value.
# OPENCV only.
exposure = -1
# Specify frame rate of the capture device.
# Some IR emitters will not function properly at the default framerate.
# Use qv4l2 to determine an appropriate value.
# OPENCV only.
device_fps = -1
# Rotate captured frames so faces are upright.
# 0 Check landscape orientation only
# 1 Check both landscape and portrait orientation
# 2 Check portrait orientation only
rotate = 0
[snapshots]
# Capture snapshots of failed login attempts and save them to disk with metadata
# Snapshots are saved to /var/log/howdy/snapshots
save_failed = false
# Do the same as the option above but for successful attempts
save_successful = false
[rubberstamps]
# Enable specific extra checks after the user has been recognised
enabled = false
# What type of stamps to run and with what options. The type, timeout and
# failure mode are required. One line per stamp. Rule syntax:
# stamptype timeout (failsafe | faildeadly) [extra_argument=value]
stamp_rules =
nod 10s faildeadly min_directions=4
[debug]
# Show a short but detailed diagnostic report in console
# Enabling this can cause some UI apps to fail, only enable it to debug
end_report = false
# More verbose logging from the rubberstamps system
verbose_stamps = false
# Pass output of the GTK auth window to the terminal
gtk_stdout = false
pam.d/sudo
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth
auth sufficient pam_howdy.so
# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so
password sufficient pam_unix.so yescrypt shadow nullok use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
tokox
commented
5 months ago
Please describe the issue in as much detail as possible, including any errors and traces. If your issue is a camera issue, be sure to also post the image generated by running
sudo howdy snapshot.Linux distribution (if applicable): Fedora 40 (modified silverblue, howdy is installed via this treefile
Howdy version (
sudo howdy version):Installed via Copr, I noticed with the issue with version tagged as
git344eb34. But I can't tell if previous version have same problem.Problem
When
abort_if_ssh = trueis set, howdy still gets activated in ssh session.I understand this code is responsible for checking if the authenicate request is from ssh session by getting the SSH related environment variables. But this did not work on my machine. I am unfamiliar with PAM so I need help troubleshooting this.
Howdy
config.infClick me
# Howdy config file # Press CTRL + X to save in the nano editor [core] # Print that face detection is being attempted detection_notice = true # Print that face detection has timed out timeout_notice = true # Do not print anything when a face verification succeeds no_confirmation = true # When a user without a known face model tries to use this script, don't # show an error but fail silently suppress_unknown = false # Disable Howdy in remote shells abort_if_ssh = true # Disable Howdy if lid is closed abort_if_lid_closed = true # Disable howdy in the PAM # The howdy command will still function disabled = false # Use CNN instead of HOG # CNN model is much more accurate than the HOG based model, but takes much more # power to run, and is meant to be executed on a GPU to attain reasonable speed. use_cnn = false # Set a workaround to do face and password authentication at the same time # off user will have to press enter themselves after a Howdy timeout # input will send an enter keypress to stop the password prompt # native will stop the prompt at PAM level (can lead to instability!) workaround = native [video] # The certainty of the detected face belonging to the user of the account # On a scale from 1 to 10, values above 5 are not recommended # The lower, the more accurate certainty = 3.5 # The number of seconds to search before timing out timeout = 10 # The path of the device to capture frames from # Video devices are usually found in /dev/v4l/by-path/ device_path = /dev/v4l/by-path/pci-0000:00:14.0-usb-0:6:1.2-video-index0 # Print a warning if the the video device is not found warn_no_device = true # Scale down the video feed to this maximum height # Speeds up face recognition but can make it less precise max_height = 320 # Set the camera input profile to this width and height # The largest profile will be used if set to -1 # Automatically ignored if not a valid profile frame_width = -1 frame_height = -1 # Because of flashing IR emitters, some frames can be completely unlit # Skip the frame if the lowest 1/8 of the histogram is above this percentage # of the total # The lower this setting is, the more dark frames are ignored dark_threshold = 60 # The recorder to use. Can be either opencv (default), ffmpeg or pyv4l2. # Switching from the default opencv to ffmpeg can help with grayscale issues. recording_plugin = opencv # Video format used by ffmpeg. Options include vfwcap or v4l2. # FFMPEG only. device_format = v4l2 # Force the use of Motion JPEG when decoding frames, fixes issues with YUYV # raw frame decoding. # OPENCV only. force_mjpeg = false # Specify exposure value explicitly. This disables autoexposure. # Use qv4l2 to determine an appropriate value. # OPENCV only. exposure = -1 # Specify frame rate of the capture device. # Some IR emitters will not function properly at the default framerate. # Use qv4l2 to determine an appropriate value. # OPENCV only. device_fps = -1 # Rotate captured frames so faces are upright. # 0 Check landscape orientation only # 1 Check both landscape and portrait orientation # 2 Check portrait orientation only rotate = 0 [snapshots] # Capture snapshots of failed login attempts and save them to disk with metadata # Snapshots are saved to /var/log/howdy/snapshots save_failed = false # Do the same as the option above but for successful attempts save_successful = false [rubberstamps] # Enable specific extra checks after the user has been recognised enabled = false # What type of stamps to run and with what options. The type, timeout and # failure mode are required. One line per stamp. Rule syntax: # stamptype timeout (failsafe | faildeadly) [extra_argument=value] stamp_rules = nod 10s faildeadly min_directions=4 [debug] # Show a short but detailed diagnostic report in console # Enabling this can cause some UI apps to fail, only enable it to debug end_report = false # More verbose logging from the rubberstamps system verbose_stamps = false # Pass output of the GTK auth window to the terminal gtk_stdout = falsepam.d/sudo