search

hyprwm / hyprlock

Hyprland's GPU-accelerated screen locking utility
BSD 3-Clause "New" or "Revised" License
821 stars 59 forks source link

hyprlock PAM failed for howdy #497

Closed littleblack111 closed 4 days ago

littleblack111 commented 1 month ago

Regression?

Yes, No

Hyprlock Info and Version

Hyprlock version 0.4.1

Hyprlock config ```sh general { immediate_render = true hide_cursor = true } background { monitor = path = ~/.cache/bg.png # only png supported for now color = rgba(25, 20, 20, 1.0) # all these options are taken from hyprland, see https://wiki.hyprland.org/Configuring/Variables/#blur for explanations blur_passes = 0 # 0 disables blurring blur_size = 2 noise = 0 contrast = 0 brightness = 0 vibrancy = 0 vibrancy_darkness = 0.0 # update: 1800000: true } input-field { monitor = size = 300, 30 outline_thickness = 0 dots_size = 0.25 # Scale of input-field height, 0.2 - 0.8 dots_spacing = 0.55 # Scale of dots' absolute size, 0.0 - 1.0 dots_center = true dots_rounding = -1 outer_color = rgba(242, 243, 244, 0) inner_color = rgba(242, 243, 244, 0) font_color = rgba(242, 243, 244, 0.75) fade_on_empty = false placeholder_text = # Text rendered in the input box when it's empty. hide_input = false check_color = rgba(204, 136, 34, 0) fail_color = rgba(204, 34, 34, 0) # if authentication failed, changes outer_color and fail message color fail_text = $FAIL ($ATTEMPTS) # can be set to empty fail_transition = 300 # transition time in ms between normal outer_color and fail_color capslock_color = -1 numlock_color = -1 bothlock_color = -1 # when both locks are active. -1 means don't change outer color (same for above) invert_numlock = true # change color if numlock is off swap_font_color = false # see below position = 0, -468 halign = center valign = center } label { monitor = text = cmd[update:1000] echo "$(~/scripts/song-status)" color = rgba(242, 243, 244, 0.75) font_size = 14 font_family = SF Pro Text position = 20, 1024 halign = left valign = center } label { monitor = text = cmd[update:1000] echo "$(~/scripts/network-status)" color = rgba(242, 243, 244, 0.75) font_size = 16 font_family = SF Pro Text position = -35, 1024 halign = right valign = center } label { monitor = text = cmd[update:1000] echo "$(~/scripts/layout-status)" color = rgba(242, 243, 244, 0.75) font_size = 15 font_family = SF Pro Text position = -150, 1024 halign = right valign = center } label { monitor = text = cmd[update:1000] echo "$(date +"%A, %B %d")" color = rgba(242, 243, 244, 0.75) font_size = 20 font_family = SF Pro Display Bold position = 0, 405 halign = center valign = center } label { monitor = # text = cmd[update:1000] echo "$(date +"%I:%M")" text = cmd[update:1000] enable strftime; strftime '%I:%M' $EPOCHSECONDS # text = $TIME color = rgba(242, 243, 244, 0.75) font_size = 93 font_family = SF Pro Display Bold position = 0, 310 halign = center valign = center } label { monitor = text = Password: color = rgba(242, 243, 244, 0.75) font_size = 10 font_family = SF Pro Display position = 0, -438 halign = center valign = center } ```

Compositor Info and Version

System/Version info ```sh Hyprland, built from branch main at commit 8b86ee8bf08eaf8b57d0a7f12af876216323cc3d (github: encourage usage of --systeminfo if Hyprland won't launch). Date: Wed Sep 25 11:39:33 2024 Tag: v0.43.0-61-g8b86ee8b, commits: 5257 built against aquamarine 0.4.1 flags: (if any) System Information: System name: Linux Node name: ArchLinux Release: 6.10.10-zen1-1-zen Version: #1 ZEN SMP PREEMPT_DYNAMIC Thu, 12 Sep 2024 17:17:51 +0000 GPU information: 00:02.0 VGA compatible controller [0300]: Intel Corporation Raptor Lake-S GT1 [UHD Graphics 770] [8086:a780] (rev 04) (prog-if 00 [VGA controller]) 01:00.0 VGA compatible controller [0300]: NVIDIA Corporation AD103 [GeForce RTX 4080 SUPER] [10de:2702] (rev a1) (prog-if 00 [VGA controller]) NVRM version: NVIDIA UNIX Open Kernel Module for x86_64 560.35.03 Release Build (archlinux-builder@ArchLinux) os-release: NAME="Arch Linux" PRETTY_NAME="Arch Linux" ID=arch BUILD_ID=rolling ANSI_COLOR="38;2;23;147;209" HOME_URL="https://archlinux.org/" DOCUMENTATION_URL="https://wiki.archlinux.org/" SUPPORT_URL="https://bbs.archlinux.org/" BUG_REPORT_URL="https://gitlab.archlinux.org/groups/archlinux/-/issues" PRIVACY_POLICY_URL="https://terms.archlinux.org/docs/privacy-policy/" LOGO=archlinux-logo plugins: Hyprspace by KZdkm ver 0.1 hypr-darkwindow by micha4w ver 1.0.0 hyprchroma by alexhulbert ver 1.0.0 ```

Description

[ERR] auth: pam_authenticate failed for hyprlock for howdy(in hyprlock pam:auth sufficient pam_python.so /lib/security/howdy/pam.py as suggested by howdy arch wiki)

How to reproduce

  1. use howdy
  2. add auth sufficient pam_python.so /lib/security/howdy/pam.py and disable auth include login
  3. try unlock hyprlock

Crash reports, logs, images, videos

[ERR] auth: pam_authenticate failed for hyprlock

PaideiaDilemma commented 1 month ago

idk but this is not a problem with hyprlock. The error [ERR] auth: pam_authenticate failed for hyprlock is just what hyprlock logs whenever you fail to authenticate.

littleblack111 commented 1 month ago

it is... everything else works fine with it.

the thing is. my camera light doesnt even turn on... usually, its do sth like sudo, then the camera light indicator lights up, then it authenticate

also i tried verbose, which doesnt seem to give details as well:

[ERR] auth: Authentication failed for hyprlock
[TRACE] timer thread firing
[TRACE] got wl event
[TRACE] timer thread firing
[TRACE] got wl event
[LOG] Failed attempts: 1
[TRACE] render lock
[TRACE] Requesting label resource placeholder:Authentication failed <b>(1)</b>961155979244320.94901960.95294120.956862750.7490196
[TRACE] frame 164
[TRACE] Processing requested resourceID placeholder:Authentication failed <b>(1)</b>961155979244320.94901960.95294120.956862750.7490196
PaideiaDilemma commented 1 month ago

Just for sanity, can you check if hyprlock-git changes anything? Can you check if it works with swaylock?

littleblack111 commented 1 month ago

yep. both doesn't work...

FearlessSpiff commented 1 month ago

I am playing around with howdy the first time. In gdm I have to enter an empty password (which is stupid) for howdy to scan my face. Did you try that in Hyprlock? I would also really want to be able to use Howdy with Hyprlock as I don't have a keyboard with me all the time when using my tablet.

FearlessSpiff commented 1 month ago

I am going to test more stuff with Howdy and Hyprland tomorrow if time allows.

FearlessSpiff commented 1 month ago

I wasn't able to use Howdy with hyprlock. But I might be doing something wrong. Just added what I added for gdm and sudo, which both work, to the top of /etc/pam.d/hyprlock:

auth       sufficient                  pam_unix.so try_first_pass likeauth nullok
auth       sufficient                  pam_python.so /lib/security/howdy/pam.py

I tried with an empty password, but Howdy wasn't triggered. I can't see anything related in the hyprlock logs either.

Alanon202 commented 5 days ago

I’m using howdy beta on Arch and have used the same config on X11 with simple modifications to system-auth. The setup works just fine on every app requiring authorisation, from terminals to graphical apps, except hyprlock. 


auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=3 default=ignore]  pam_systemd_home.so
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass likeauth nullok
auth       [success=1 default=bad]     /lib/security/pam_howdy.so          try_first_pass
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

-session   optional                    pam_systemd_home.so
session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

Weirdly, with hyprlock’s PAM defaults and the Howdy beta setup above (either with empty input or with any random character typed into the input field) the camera LED seemingly activates but hyprlock unlocks instantly, allowing itself to be completely bypassed. I can literally put my finger over the camera and it will unlock in an instant, regardless of the fact that no password was input and no check was done.

My solution has been to intentionally disable Howdy for hyprlock by copying the vanilla system-auth. This removes Howdy from the picture, but ensures that no one can gain access to the system by typing random stuff and pressing enter.

I’m just writing this in case someone else is on Howdy beta and maybe hasn’t noticed the security hole the setup can create.

PaideiaDilemma commented 5 days ago

Ah right i forgot about this issue. howdy is broken. See https://github.com/boltgolt/howdy/issues/969 and https://github.com/hyprwm/hyprlock/issues/535