PAM, howdy and fscrypt co-working

Hello !

I am currently re-trying to install howdy 2.6.1-2 (AUR) on my up-to-date Manjaro.

It works, but not exactly as intended…

Let me explain :smiley:

1/ I have my home folder encrypted by fscrypt (history of previous Linux installs I used… next laptop I will do it differently) => it works fine: my home folder is unwrapped at login, no problem.

2/ I set up howdy, following the Arch wiki.

So I added the following lines to some PAM files (/etc/pam.d) :smiley:

auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_python.so /lib/security/howdy/pam.py

3/ It works very well:

  • when unlocking from the screensaver (lock screen): it prompts for a password:
  • either I type the password => it works
  • or I type ‘enter’, howdy is triggered, the camera turns on and recognizes me => it works!

4/ Only one issue: at initial login (after reboot or PC start-up).
Whatever I do, it won’t unlock my encrypted /home. So I can log in, but it ends on a fresh desktop with almost nothing… (still a terminal so I can revert my config changes).
=> The issue is both with password login (unexpected) and howdy login (expected).

So it is OK that howdy does not work for startup login (it cannot provide the password as the key for unwrapping the fscrypt /home…), but I would have expected at least the normal password to work.

5/ My intent:

  • use the password at login (howdy shall not try identification before I try to enter the password). If the password is OK => login.
    howdy may try if I enter a wrong or empty password, I can live with that.
  • use either the password or just “enter” (empty password) to trigger howdy in other unlock situations.

I assume it could be solved by a wise placement of the howdy config lines in the pam.d file(s), or some tuning, but I was not able to figure out which one.
Any ideas?

I cannot claim to know the inner workings of PAM - wanted to - but never got around to it

No ideas - only thoughts…

If it works at the lockscreen - is your ‘credential’ stored inside your home?

Well, howdy works, so if my home is already unlocked, it’s all fine.
The point is only to make the PAM modification compatible with both howdy and, as before, with the password.
It seems something is not exactly as before when I use the password for login.

In the meantime I found a workaround by editing /lib/security/howdy/pam.py:
basically pam.py won’t try to unlock in some specific situations (laptop lid closed, remote SSH connection so you are not in front of the camera, etc…).
I added one more situation: if the fscrypt status of my home folder is not ‘Unlocked: Yes’, howdy won’t try either.
I would have never been able to do that alone, AI helped me :smiley:

Here is the code if anyone is interested:

# Excerpt of /lib/security/howdy/pam.py with the fscrypt gate added.
# These imports already exist at the top of pam.py; `config` is the
# ConfigParser that pam.py builds from howdy's config file.
import glob
import os
import subprocess
import syslog

# added code
def is_fscrypt_unwrapped(directory):
    """True only if `fscrypt status directory` reports "Unlocked: Yes".

    Any other outcome (fscrypt not found in the PAM environment's PATH, the
    directory not being encrypted, an error running the command) yields False,
    so face detection is skipped and the stack falls through to the password
    modules.
    """
    try:
        process = subprocess.Popen(['fscrypt', 'status', directory],
                                   stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        stdout, stderr = process.communicate()
        return "Unlocked: Yes" in stdout.decode('utf-8')
    except Exception as e:
        syslog.syslog(syslog.LOG_ERR, "Error checking fscrypt status: {0}".format(e))
        return False


def doAuth(pamh):
    """Starts authentication in a separate process"""

    # Abort if Howdy is disabled
    if config.getboolean("core", "disabled"):
        return pamh.PAM_AUTHINFO_UNAVAIL

    # Abort if we're in a remote SSH env
    if config.getboolean("core", "ignore_ssh"):
        if "SSH_CONNECTION" in os.environ or "SSH_CLIENT" in os.environ or "SSHD_OPTS" in os.environ:
            return pamh.PAM_AUTHINFO_UNAVAIL

    # Abort if lid is closed
    if config.getboolean("core", "ignore_closed_lid"):
        if any("closed" in open(f).read() for f in glob.glob("/proc/acpi/button/lid/*/state")):
            return pamh.PAM_AUTHINFO_UNAVAIL

    # Set up syslog
    syslog.openlog("[HOWDY]", 0, syslog.LOG_AUTH)

    # Abort if user is not root, and home directory is not unlocked. This is for fscrypt.
    # PAM_AUTHINFO_UNAVAIL makes a `sufficient` howdy line fail silently, so the
    # remaining (password) modules of the stack still run.
    user = pamh.get_user()
    user_home = os.path.expanduser("~" + user)
    if user != "root" and not is_fscrypt_unwrapped(user_home):
        syslog.syslog(syslog.LOG_INFO, "User {0}'s directory {1} not decrypted yet, don't use face detection".format(user, user_home))
        return pamh.PAM_AUTHINFO_UNAVAIL

What was added is the ‘def’ at the beginning:

def is_fscrypt_unwrapped(directory):
    """True only if `fscrypt status directory` reports "Unlocked: Yes".

    Any other outcome (fscrypt not found in the PAM environment's PATH, the
    directory not being encrypted, an error running the command) yields False,
    so face detection is skipped and the stack falls through to the password
    modules.
    """
    try:
        process = subprocess.Popen(['fscrypt', 'status', directory],
                                   stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        stdout, stderr = process.communicate()
        return "Unlocked: Yes" in stdout.decode('utf-8')
    except Exception as e:
        syslog.syslog(syslog.LOG_ERR, "Error checking fscrypt status: {0}".format(e))
        return False

and the last part:

    # Abort if user is not root, and home directory is not unlocked. This is for fscrypt.
    user = pamh.get_user()
    user_home = os.path.expanduser("~" + user)
    if user != "root" and not is_fscrypt_unwrapped(user_home):
        syslog.syslog(syslog.LOG_INFO, "User {0}'s directory {1} not decrypted yet, don't use face detection".format(user, user_home))
        return pamh.PAM_AUTHINFO_UNAVAIL

On the PAM side, I just added at the beginning of /etc/pam.d/gdm-password:
auth sufficient pam_python.so /lib/security/howdy/pam.py

Seems to work pretty well so far:
1/ no howdy at login
2/ howdy in other situations (lockscreen unlock)
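An added example, written for this page and not taken from the post above or from Howdy's own pam.py, that reworks the same "is the fscrypt home unlocked yet?" gate with the checks a practitioner would want before putting it in a PAM stack. It matters because a `sufficient` module that succeeds ends the auth stack right there; if howdy (or pam_unix) succeeds before pam_fscrypt's auth hook has seen the password, nothing unlocks /home, which is exactly the symptom in the first post. The rework parses the `Unlocked:` line of `fscrypt status` by key rather than substring, distinguishes "locked", "unlocked" and "unknown" (command failed, directory not encrypted), resolves the home directory from the passwd database instead of `os.path.expanduser("~user")` (which returns the literal "~user" for an unknown account), and calls fscrypt by absolute path with a timeout because PAM hooks run with a minimal environment and must never hang the login. `FSCRYPT_BIN`, `FSCRYPT_TIMEOUT`, `parse_fscrypt_status`, `fscrypt_state`, `face_auth_allowed` and the two sample status outputs are this example's own assumptions; the sample outputs are constructed, modelled on fscrypt's status format, not captured from a real system.

```python
import pwd
import subprocess

FSCRYPT_BIN = "/usr/bin/fscrypt"  # assumption: absolute path, PAM's PATH may be minimal
FSCRYPT_TIMEOUT = 5               # seconds; an auth hook must not block the login

# Constructed sample outputs in the shape of `fscrypt status DIR` (not real captures).
SAMPLE_UNLOCKED = """\
"/home/alice" is encrypted with fscrypt.

Policy:   0123456789abcdef0123456789abcdef
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Yes

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
0123456789abcdef  Yes     login protector for alice
"""

SAMPLE_LOCKED = SAMPLE_UNLOCKED.replace("Unlocked: Yes", "Unlocked: No")


def parse_fscrypt_status(output):
    """Classify `fscrypt status` text as 'unlocked', 'locked' or 'unknown'.

    Only a line whose key (the text before the first ':') is exactly
    'Unlocked' counts, so a free-text field such as a protector description
    containing the words "Unlocked: Yes" cannot satisfy the check.
    """
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Unlocked":
            value = value.strip().lower()
            if value == "yes":
                return "unlocked"
            if value == "no":
                return "locked"
            return "unknown"
    return "unknown"


def run_fscrypt_status(directory):
    """Real runner: (returncode, stdout). Raises OSError or TimeoutExpired."""
    proc = subprocess.run(
        [FSCRYPT_BIN, "status", directory],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        timeout=FSCRYPT_TIMEOUT,
        check=False,
        text=True,
    )
    return proc.returncode, proc.stdout


def fscrypt_state(directory, runner=run_fscrypt_status):
    """State of `directory`; every failure mode collapses to 'unknown'."""
    try:
        rc, out = runner(directory)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"          # binary missing, not executable, or hung
    if rc != 0:
        return "unknown"          # e.g. directory is not fscrypt-encrypted
    return parse_fscrypt_status(out)


def home_dir(user):
    """Home directory from the passwd database, or None for an unknown account."""
    try:
        return pwd.getpwnam(user).pw_dir
    except KeyError:
        return None


def face_auth_allowed(user, runner=run_fscrypt_status, lookup=home_dir):
    """Fail closed: face recognition may run only when the home is known to be unlocked.

    In a PAM module, False maps to PAM_AUTHINFO_UNAVAIL, so a `sufficient`
    face-auth line is skipped and the password modules still get to run.
    root is exempt, as in the post's version.
    """
    if user == "root":
        return True
    home = lookup(user)
    if not home:
        return False
    return fscrypt_state(home, runner) == "unlocked"
```

Callers inject `runner` and `lookup` so the decision logic can be exercised without fscrypt installed; the defaults are the real subprocess call and passwd lookup. "unknown" deliberately covers both "fscrypt failed" and "home not encrypted": if face auth should be allowed for users without an encrypted home, that policy belongs in `face_auth_allowed`, where it is visible, rather than in a lenient parser.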
