…to almost every file in /etc/pam.d (here are these files (ProtonDrive readonly share)) – and rebooting, I don’t have any display anymore (I get a black screen on all displays instead of the login graphic page – terminals on other tty work fine though)…
Restoring the original contents of /etc/pam.d (thanks to non-graphic other tty) also restores the display.
So I need a more… erm, maybe I need someone to tell me which PAM files to modify and which not to? I know what I did will seem very stupid to most readers, but that’s how I did it in my previous distros, and it always worked out fine ^^’
So if someone knows PAM and howdy enough to answer… Thanks!
Very bad idea – you need add these lines only to these files where you want to use this. If you want use this with sudo add only to /etc/pam.d/sudo. I personally recommend add lines only for sudo, polkit-1 (= all popups for authorization) and kde (= lockscreen) – I have similar setup with Yubikey and it works perfectly
Also keep in mind that some programs – like sddm – may not work with howdy (but if you insist add lines to /etc/pam.d/sddm)
…also in your PAM files? First time I try to use it, maybe that’s the problem? Or maybe I should also add the two lines in system-auth, system-login, or both (or something else)…? Thanks!
It is in several places, but none added by myself. This module is for asking user’s password. Let’s explain on example. This is your pam for sudo:
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_python.so /lib/security/howdy/pam.py
auth include system-auth
account include system-auth
session include system-auth
What it do:
ask user for password → auth sufficient pam_unix.so try_first_pass likeauth nullok
use howdy for authentication if password is bad → auth sufficient pam_python.so /lib/security/howdy/pam.py
use system-auth → auth include system-auth – entries in /etc/pam.d/system-auth:
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
check if user is locked → auth required pam_faillock.so preauth
optionally if systemd homed is used and exist in system (not in Manjaro by default) → -auth [success=2 default=ignore] pam_systemd_home.so
ask user for password if previous auth methods failed (first asking about password and howdy) – try_first_pass option say about that, also success=1 mean skip next line if success → auth [success=1 default=bad] pam_unix.so try_first_pass nullok
I think his point is that SDDM (which is the default display manager for KDE) seems to be a bit flaky with any alternative authentication method. Fingerprint, Yubikey, whatever. The issue linked on the Howdy arch wiki page about SDDM fingerprint login has been been open for 10 years.
Supposedly this is all going to be improved in KDE Plasma 6 (due in Feb 2024)… or you could try GNOME.
Doesn’t provide face auth, but there is no big difference in PAM configuration
Indeed, I don’t use Yubikey for login though I’s possible, because with paswordless login you have to provide password for unlock keyring. As second factor it’s more reasonable and also possible, but I didn’t want it.
I doubt. There is one issue common for all DE – keyring. Only passwords works well with it. I know you can leave empty password and get rid security, but that’s not solution for me. Plasma 6 won’t solve this issue. Also SDDM is developed independently of KDE so it won’t improve PAM support with Plasma 6
In fact, I managed to have Plasma 5 and howdy work together on openSUSE Tumbleweed… However PAM was a bit different (the important files were in /usr/lib/pam.d instead of /etc/pam.d, and I added the auth sufficient [...]howdy[...] to almost every file — I did not have to think too much about, I admit, I may be lucky it worked).
So unless Plasma and Manjaro work differently than Plasma with oS-Tw, I guess we may find a way…?
No way haha I prefer keeping passwords a thousand times once I tried Plasma there was not going back
Because of this, we’re going to bring SDDM closer and incubate it in KDE for Plasma 6! Once completed, this project will see SDDM release at the same time as Plasma and use Plasma technologies to add many new features, such as management of network and Bluetooth devices on the login screen, and tighter integration with user settings.
After trying almost all the /etc/pam.d files (one by one, except passwd and su (in case sudo get blocked)…), I didn’t find any configuration were howdy pops up.
On oS, there was 1 difference though: I managed to bypass the need for sudo to launch howdy commands. The fact that no amount of tweaking the script /usr/bin/howdy (commenting out the lines that exit the script if I’m not sudo) allows me to do this on Manjaro, makes me think howdy never launches “alone” (other than running sudo howdy %command%) because it needs you to be authenticated as root in the background… Which is problematic when you want to use it to authenticate as root.
What do you think? Does that make sense? And if it does, is there any way to allow my system to run howdy commands without root authentication?
Thanks a lot for taking the time to look this up for me! Unfortunetaly even though I could change the line it didn’t make howdy pop up any more than before…
But in the process of modifying PAM little by little I’ve typed my passord so many times I got quite fast… That’s how I comfort myself
once I tried Plasma there was not going back