google / xsecurelock

X11 screen lock utility with security in mind
Apache License 2.0

Not working nicely with Howdy through PAM #98

Open molguin92 opened 4 years ago

molguin92 commented 4 years ago

I have Howdy set up for facial recognition-based auth through PAM, which works flawlessly in my system for stuff such as sudo. However, I have yet to figure out a way of making XSecureLock play nicely with this.

I have set up PAM to use Howdy as explained by the authors by adding the relevant lines to PAM Service config files in /etc/pam.d/. For example, /etc/pam.d/xscreensaver:

#%PAM-1.0

# Fedora Core 5:
auth    sufficient  pam_python.so   /lib/security/howdy/pam.py
auth    include     system-auth

Then, I set up the XSECURELOCK_PAM_SERVICE in my ~/.profile to point to said PAM Service file:

# XSecureLock settings
export XSECURELOCK_FONT="Fura Code Nerd Font 10"
export XSECURELOCK_PAM_SERVICE="xscreensaver"
export XSECURELOCK_PASSWORD_PROMPT="time_hex"
export XSECURELOCK_SAVER="saver_xscreensaver"

However, after logging out and back in (and even rebooting), nothing changes in XSecureLock - trying to unlock the computer simply brings up the password prompt and the facial recognition is not triggered. Given that so far I've gotten Howdy to work for every other authentication step in the system (even for TTY login), it makes me suspect something wrong in XSecureLock.

Maybe it is not executing the specified PAM Service for some reason?

Additional information about my system:

OS: Arch Linux
Kernel Version: 5.5.4-arch1-1
XSecureLock Version: 1.7.0, installed through the official community repo of the Arch Linux project.

alexacallmebaka commented 3 years ago

+1 For this. Exact same issue, same OS.

divVerent commented 3 years ago

Sorry, I have never tried this combination. Howdy should be writing something into some log to explain why it refuses operation.

Note that there are quite a few PAM modules that cannot be used with xsecurelock - namely any that use out of band methods (e.g. the terminal) to communicate with the user, as opposed to PAM's own conversation functions. Howdy may be among those. If you're lucky, you just don't see any prompts shown this way but the module works anyway, and will eventually time out or recognize your face. If you're unlucky, the module may notice right away that there is no terminal and give up. Not sure what Howdy does there.

cubetastic33 commented 3 years ago

I'm able to get howdy working with xsecurelock.

From this arch wiki page:

An example with i3lock or betterlockscreen, change permissions for the howdy folder in /lib/security by running the command chmod -R 755 /lib/security/howdy, and edit the i3lock file:

Running the chmod command should get howdy working with xsecurelock (provided you've set up the PAM service like you described).

But that will only allow you to login with howdy, and you won't be able to enter a password. If you want to do that, it's explained in the same wiki page:

... sufficient to any configuration file in /etc/pam.d/ will only prompt for face authentication. This prevents the use of a password if you cannot Ctrl+c face authentication (due to the lack of a shell). In order to use either a password or a face in a graphical interface, add the following line to the top of any files required:

auth      sufficient      pam_unix.so try_first_pass likeauth nullok
auth      sufficient      pam_python.so /lib/security/howdy/pam.py

This will prompt for a password; pressing Enter on a blank field will proceed to face authentication.

So you need to add that line above the howdy line in the PAM service file.
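
The two checks this thread converges on, written out as an added example (not code from xsecurelock, Howdy, or any commenter): where the Howdy line sits in the service file's auth stack relative to pam_unix.so, and which paths under the Howdy directory lack the "other" permission bits that `chmod -R 755` sets. The function names and finding labels are hypothetical, and the sample service files are constructed from the lines quoted above.

```python
import os
import re
import stat

# Constructed samples built from the two stacks quoted in this thread.
FACE_FIRST = """#%PAM-1.0
auth    sufficient  pam_python.so   /lib/security/howdy/pam.py
auth    include     system-auth
"""
PASSWORD_FIRST = """#%PAM-1.0
auth      sufficient      pam_unix.so try_first_pass likeauth nullok
auth      sufficient      pam_python.so /lib/security/howdy/pam.py
"""
# Fields: type, control (plain word or [bracketed]), module, args.
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_stack(text):
    """Return [(control, module, args)] for the auth lines, in evaluation order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and the #%PAM-1.0 header
        m = LINE.match(line)
        if m and m.group(1) == "auth":
            stack.append((m.group(2), m.group(3), m.group(4).split()))
    return stack

def diagnose(text):
    """Report how the Howdy line is placed in the auth stack."""
    stack = auth_stack(text)
    howdy = [i for i, (_, mod, args) in enumerate(stack)
             if mod == "pam_python.so" and any("howdy" in a for a in args)]
    if not howdy:
        return ["no-howdy-line"]
    first = howdy[0]
    findings = [] if stack[first][0] == "sufficient" else ["howdy-not-sufficient"]
    unix_before = any(mod == "pam_unix.so" for _, mod, _ in stack[:first])
    findings.append("password-then-face" if unix_before else "face-before-password")
    return findings

def not_world_accessible(root):
    """Paths under root missing o+r (o+rx for directories), i.e. what chmod -R 755 changes."""
    bad = []
    for d, _dirs, files in os.walk(root):
        for p in [d] + [os.path.join(d, f) for f in files]:
            mode = os.stat(p).st_mode
            need = 0o005 if stat.S_ISDIR(mode) else 0o004
            if mode & need != need:
                bad.append(p)
    return sorted(bad)
```

Run `diagnose()` on the contents of the file named by XSECURELOCK_PAM_SERVICE and `not_world_accessible("/lib/security/howdy")` before and after the chmod to see what actually changed.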