PAM and howdy on new KDE Plasma install

I have just installed Manjaro on my laptop. I would like to use howdy (AUR) to replace most passwords with face authentication.

However, after following thouroughly the Arch wiki (link above), and adding the two howdy lines:

auth       sufficient     try_first_pass likeauth nullok
auth       sufficient  /usr/lib64/security/howdy/

…to almost every file in /etc/pam.d (here are these files (ProtonDrive readonly share)) – and rebooting, I don’t have any display anymore (I get a black screen on all displays instead of the login graphic page – terminals on other tty work fine though)…

Restoring the original contents of /etc/pam.d (thanks to non-graphic other tty) also restores the display.

So I need a more… erm, maybe I need someone to tell me which PAM files to modify and which not to? I know what I did will seem very stupid to most readers, but that’s how I did it in my previous distros, and it always worked out fine ^^’

So if someone knows PAM and howdy enough to answer… Thanks!

Doesn’t look thoroughly to me at all. Look at what lines you wrote and what is in the wiki.

Thanks. My config line was wrong… But I’ve fixed it now (I hope this line was the only mistake?):

auth        sufficient     try_first_pass likeauth nullok
auth        sufficient  /lib/security/howdy/

However I still get a black screen when I put these two lines in /etc/pam.d (I’ve updated the share so you can check) :confused:

Very bad idea – you need add these lines only to these files where you want to use this. If you want use this with sudo add only to /etc/pam.d/sudo. I personally recommend add lines only for sudo, polkit-1 (= all popups for authorization) and kde (= lockscreen) – I have similar setup with Yubikey and it works perfectly :wink:
Also keep in mind that some programs – like sddm – may not work with howdy (but if you insist add lines to /etc/pam.d/sddm)

Probably because you put those lines in every possible file. Check PAM docs and only put it where it belongs, dunno, maybe system-login.

Also did you configure the rest of config in that wiki?

I did, and the video part works (sudo howdy test and sudo howdy --user $USER test work — the camera view pops up and it detects my face).

I’ll read PAM documentation then… Unless someone knows better and can save me the trouble

EDIT: kind thanks to @Tomek:

Well I did exactly that (shared files updated again), but howdy never shows up… Is this line:

auth        sufficient     try_first_pass likeauth nullok

…also in your PAM files? First time I try to use it, maybe that’s the problem? Or maybe I should also add the two lines in system-auth, system-login, or both (or something else)…? Thanks!

It is in several places, but none added by myself. This module is for asking user’s password. Let’s explain on example. This is your pam for sudo:

auth            sufficient     try_first_pass likeauth nullok
auth            sufficient   /lib/security/howdy/
auth		include		system-auth
account		include		system-auth
session		include		system-auth

What it do:

  1. ask user for password → auth sufficient try_first_pass likeauth nullok
  2. use howdy for authentication if password is bad → auth sufficient /lib/security/howdy/
  3. use system-auth → auth include system-auth – entries in /etc/pam.d/system-auth:
auth       required                preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=2 default=ignore]
auth       [success=1 default=bad]          try_first_pass nullok
auth       [default=die]           authfail
auth       optional          
auth       required          
auth       required                authsucc
  1. check if user is locked → auth required preauth
  2. optionally if systemd homed is used and exist in system (not in Manjaro by default) → -auth [success=2 default=ignore]
  3. ask user for password if previous auth methods failed (first asking about password and howdy) – try_first_pass option say about that, also success=1 mean skip next line if success → auth [success=1 default=bad] try_first_pass nullok
  4. fail auth auth [default=die] authfail
  5. authorize user → auth optional
  6. load user environment → auth required
  7. clear fail auth counter for authorized user → auth required authsucc

I hope that explain a lot about this how pam works :wink:

So for using howdy at first place you most likely want just remove this line from sudo:

auth       sufficient     try_first_pass likeauth nullok

It does, thanks a lot!


… I tried removing just this line from sudo, and:

  • when I ran sudo %command%, the camera didn’t turn on, and my password no longer worked;
  • same behaviour for login.

Thankfully I didn’t edit su, so I was able to use:

> su
> vim /etc/pam.d

…to uncomment the try_first_pass line, and start over.

Did you configured howdy? Sections from 2.2 to 2.4. See also for troubleshooting there.

I did… I checked the “Troubleshooting” section but I found nothing useful…

By the way:

… Yubikey does not provide face auth, does it?

I think his point is that SDDM (which is the default display manager for KDE) seems to be a bit flaky with any alternative authentication method. Fingerprint, Yubikey, whatever. The issue linked on the Howdy arch wiki page about SDDM fingerprint login has been been open for 10 years.

Supposedly this is all going to be improved in KDE Plasma 6 (due in Feb 2024)… or you could try GNOME.

Doesn’t provide face auth, but there is no big difference in PAM configuration :slight_smile:

Indeed, I don’t use Yubikey for login though I’s possible, because with paswordless login you have to provide password for unlock keyring. As second factor it’s more reasonable and also possible, but I didn’t want it.

I doubt. There is one issue common for all DE – keyring. Only passwords works well with it. I know you can leave empty password and get rid security, but that’s not solution for me. Plasma 6 won’t solve this issue. Also SDDM is developed independently of KDE so it won’t improve PAM support with Plasma 6 :man_shrugging:

In fact, I managed to have Plasma 5 and howdy work together on openSUSE Tumbleweed… However PAM was a bit different (the important files were in /usr/lib/pam.d instead of /etc/pam.d, and I added the auth sufficient [...]howdy[...] to almost every file — I did not have to think too much about, I admit, I may be lucky it worked).

So unless Plasma and Manjaro work differently than Plasma with oS-Tw, I guess we may find a way…?

No way haha I prefer keeping passwords a thousand times :sweat_smile: once I tried Plasma there was not going back

Because of this, we’re going to bring SDDM closer and incubate it in KDE for Plasma 6! Once completed, this project will see SDDM release at the same time as Plasma and use Plasma technologies to add many new features, such as management of network and Bluetooth devices on the login screen, and tighter integration with user settings.

1 Like

After trying almost all the /etc/pam.d files (one by one, except passwd and su (in case sudo get blocked)…), I didn’t find any configuration were howdy pops up.

On oS, there was 1 difference though: I managed to bypass the need for sudo to launch howdy commands. The fact that no amount of tweaking the script /usr/bin/howdy (commenting out the lines that exit the script if I’m not sudo) allows me to do this on Manjaro, makes me think howdy never launches “alone” (other than running sudo howdy %command%) because it needs you to be authenticated as root in the background… Which is problematic when you want to use it to authenticate as root.

What do you think? Does that make sense? And if it does, is there any way to allow my system to run howdy commands without root authentication?


I think that may be solution for your issue :wink:

Thanks a lot for taking the time to look this up for me! Unfortunetaly even though I could change the line it didn’t make howdy pop up any more than before…

But in the process of modifying PAM little by little I’ve typed my passord so many times I got quite fast… That’s how I comfort myself :sweat_smile: