Using AUR Howdy with Mabox (PAM entries)

Greetings. The Howdy package allows you to authenticate using a webcam. An algorithm stores your face profile and it can do a pretty good job of recognizing you and not your cat.

It is simple to install from the AUR, however it does not auto-configure in Mabox like it apparently does on some other distributions. Administration is also command-line-only, so maybe not the best choice for a novice. At the bare minimum, you’ll need to edit /lib/security/howdy/config.ini which is fully documented on the web, and /etc/pam.d/somefile..., which has much less documentation.

Most sites (including Arch) say that the following needs to be changed/added in a PAM file to allow Howdy to work:

auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_python.so /lib/security/howdy/pam.py

Now if you look in /etc/pam.d/ there are many files in there, for many different types of authentication. Looking at the sudo file, it calls the system-auth file. So I figured, why not try there first. Maybe that was a naive decision.

I probably tried a hundred different things. Had six terminals open, one being an open editor on /etc/pam.d/system-auth so I could revert changes before being entirely locked out of the system! All combinations of the following were encountered: not taking the password, taking the password but saying it was wrong, not taking a photo, taking a photo but returning "Sorry, try again.", etc. Each attempt, a new terminal was opened, sudo grep -V tested, terminal closed, then system-auth edited again. Let's just say I got into the habit of running faillock --user me --reset on one of those other terminals occasionally, just to keep the number of wrong password attempts sane.

After much struggle, I finally found the following to work. Keep in mind this isn’t documented in any of the Howdy information I could find. The /etc/pam.d/system-auth file was edited, and the line

auth [success=1 default=bad]     pam_unix.so   try_first_pass nullok

was replaced with the following:

auth [success=2 default=ignore]  pam_unix.so   try_first_pass likeauth nullok
auth [success=1 default=ignore]  pam_python.so /lib/security/howdy/pam.py

Everything out there about Howdy says to use sufficient with PAM, but apparently that will bypass any trailing auth statements, and it always caused problems. This was the only text I found which allows actually using the password successfully (and not activating the webcam), or pressing Enter and using the webcam successfully (and not needing the password).

Truth be told, I have no idea what [success=1 default=ignore] is doing, but want to make sure this is ok and not opening up some gigantic security hole. Does this look ok?
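To see what `[success=N default=ignore]` actually does, here is a small Python model of Linux-PAM's control-field semantics, added to this thread as an example; it is not the poster's configuration or anything shipped with Howdy. Per pam.conf(5), `sufficient` is shorthand for `[success=done default=ignore]` (`done` ends the stack right there), `required` for `[success=ok ignore=ignore default=bad]`, and a numeric action `success=N` counts the module as having succeeded and then skips the next N lines. The three stacks below are constructed: only the `pam_unix.so` and `pam_python.so` lines come from the post, the surrounding `pam_faillock.so`, `pam_permit.so` and `pam_env.so` lines are assumed to look like Arch's stock `system-auth`, and every module's return value is scripted rather than coming from real PAM.

```python
"""Toy model of how a Linux-PAM auth stack reacts to its control fields.

Added example for this thread, not part of the original post or of Howdy.
It follows the action semantics documented in pam.conf(5) (ok / done / bad /
die / ignore and the numeric jump 'success=N') in simplified form. The stacks
and the module return values are constructed; nothing here talks to real PAM.
"""

SUCCESS, AUTH_ERR, IGNORE = "success", "auth_err", "ignore"
PERM_DENIED = "perm_denied"   # returned when no module vouched for the user

# pam.conf(5) defines the keyword controls as these [value=action] maps.
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(field):
    """Turn 'sufficient' or '[success=2 default=ignore]' into {value: action}."""
    field = field.strip()
    if field.startswith("[") and field.endswith("]"):
        return dict(tok.split("=", 1) for tok in field[1:-1].split())
    return dict(KEYWORDS[field])


def run_stack(stack, results):
    """Evaluate an auth stack given in file order.

    stack   -- list of (control, module)
    results -- module name -> scripted return value (constructed)
    Returns (final status, list of modules that actually ran).
    """
    impression = None        # None: undecided, True: positive, False: negative
    status = SUCCESS
    ran, skip = [], 0
    for control, module in stack:
        if skip:             # inside a 'success=N' jump: skipped, never runs
            skip -= 1
            continue
        ran.append(module)
        ret = results[module]
        actions = parse_control(control)
        # assumption: an unlisted return value with no 'default=' acts as 'bad'
        action = actions.get(ret, actions.get("default", "bad"))
        # ok/bad/jump only change an undecided or still-successful stack state
        can_set = impression is None or (impression and status == SUCCESS)

        if action.isdigit():                 # success=N: count as ok, then jump
            if can_set and ret != IGNORE:
                impression, status = True, ret
            skip = int(action)
        elif action == "ignore":
            pass
        elif action == "ok":
            if can_set:
                impression, status = True, ret
        elif action == "done":               # stop the stack here
            if impression is not False:      # an earlier failure still wins
                impression, status = True, ret
            break
        elif action in ("bad", "die"):
            if can_set:
                impression, status = False, ret
            if action == "die":
                break
        else:
            raise ValueError(f"unknown action {action!r}")

    if impression is not True and status == SUCCESS:
        status = PERM_DENIED                 # nobody said yes: deny
    return status, ran


PREAUTH, AUTHFAIL, AUTHSUCC = ("pam_faillock.so preauth",
                               "pam_faillock.so authfail",
                               "pam_faillock.so authsucc")
# Assumed tail of an Arch-style system-auth (not shown in the post).
TAIL = [("[default=die]", AUTHFAIL), ("optional", "pam_permit.so"),
        ("required", "pam_env.so"), ("required", AUTHSUCC)]

STOCK = [("required", PREAUTH),                       # the line being replaced
         ("[success=1 default=bad]", "pam_unix.so")] + TAIL
SUFFICIENT = [("required", PREAUTH),                  # what most guides suggest
              ("sufficient", "pam_unix.so"),
              ("sufficient", "pam_python.so")] + TAIL
JUMPS = [("required", PREAUTH),                       # the poster's working version
         ("[success=2 default=ignore]", "pam_unix.so"),
         ("[success=1 default=ignore]", "pam_python.so")] + TAIL


def scenario(password_ok, face_ok):
    """Scripted module results for one login attempt (constructed, not real)."""
    return {PREAUTH: SUCCESS, AUTHFAIL: AUTH_ERR, AUTHSUCC: SUCCESS,
            "pam_permit.so": SUCCESS, "pam_env.so": SUCCESS,
            "pam_unix.so": SUCCESS if password_ok else AUTH_ERR,
            "pam_python.so": SUCCESS if face_ok else AUTH_ERR}


if __name__ == "__main__":
    for name, stack in ("stock", STOCK), ("sufficient", SUFFICIENT), ("jumps", JUMPS):
        for pw, face in (True, False), (False, True), (False, False):
            status, ran = run_stack(stack, scenario(pw, face))
            print(f"{name:10} password={pw!s:5} face={face!s:5} -> {status:11} {ran}")
```

Under this model the `sufficient` variant stops the stack at the first successful module, so on the assumed stack the trailing `pam_env.so` and `pam_faillock.so authsucc` lines never run on a good password, which matches the "bypasses any trailing auth statements" observation. The `success=2` / `success=1` variant instead skips exactly the lines up to and including the `[default=die]` `pam_faillock.so authfail` line when either module succeeds, and when both fail that line is reached and the attempt is denied. Two things to check against the real file, since this example assumes the Arch layout: the jump counts must land exactly on the line after `authfail`, so inserting any line between the two new entries and that line would change what gets skipped; and because `default=ignore` means a wrong password no longer marks the stack as failed, the denial on a bad password depends entirely on a later line such as that `[default=die]` entry being present.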