hyprlock PAM failed for howdy #497

Closed
littleblack111 opened this issue Sep 25, 2024 · 9 comments
Labels
bug Something isn't working

@littleblack111

Regression?

Yes, No

Hyprlock Info and Version

Hyprlock version 0.4.1

Hyprlock config
general {
    immediate_render = true
    hide_cursor = true
}

background {
    monitor =
    path = ~/.cache/bg.png
   # only png supported for now
    color = rgba(25, 20, 20, 1.0)

    # all these options are taken from hyprland, see https://wiki.hyprland.org/Configuring/Variables/#blur for explanations
    blur_passes = 0 # 0 disables blurring
    blur_size = 2
    noise = 0
    contrast = 0
    brightness = 0
    vibrancy = 0
    vibrancy_darkness = 0.0
    # update: 1800000: true
}

input-field {
    monitor =
    size = 300, 30
    outline_thickness = 0
    dots_size = 0.25 # Scale of input-field height, 0.2 - 0.8
    dots_spacing = 0.55 # Scale of dots' absolute size, 0.0 - 1.0
    dots_center = true
    dots_rounding = -1
    outer_color = rgba(242, 243, 244, 0)
    inner_color = rgba(242, 243, 244, 0)
    font_color = rgba(242, 243, 244, 0.75)
    fade_on_empty = false
    placeholder_text = # Text rendered in the input box when it's empty.
    hide_input = false
    check_color = rgba(204, 136, 34, 0)
    fail_color = rgba(204, 34, 34, 0) # if authentication failed, changes outer_color and fail message color
    fail_text = $FAIL <b>($ATTEMPTS)</b> # can be set to empty
    fail_transition = 300 # transition time in ms between normal outer_color and fail_color
    capslock_color = -1
    numlock_color = -1
    bothlock_color = -1 # when both locks are active. -1 means don't change outer color (same for above)
    invert_numlock = true # change color if numlock is off
    swap_font_color = false # see below
    position = 0, -468
    halign = center
    valign = center
}

label {
  monitor = 
  text = cmd[update:1000] echo "$(~/scripts/song-status)"
  color = rgba(242, 243, 244, 0.75)
  font_size = 14
  font_family = SF Pro Text
  position = 20, 1024
  halign = left
  valign = center
}

label {
  monitor =
  text = cmd[update:1000] echo "$(~/scripts/network-status)"
  color = rgba(242, 243, 244, 0.75)
  font_size = 16
  font_family = SF Pro Text
  position = -35, 1024
  halign = right
  valign = center
}

label {
  monitor =
  text = cmd[update:1000] echo "$(~/scripts/layout-status)"
  color = rgba(242, 243, 244, 0.75)
  font_size = 15
  font_family = SF Pro Text
  position = -150, 1024
  halign = right
  valign = center
}

label {
  monitor =
  text = cmd[update:1000] echo "$(date +"%A, %B %d")"
  color = rgba(242, 243, 244, 0.75)
  font_size = 20
  font_family = SF Pro Display Bold
  position = 0, 405
  halign = center
  valign = center
}

label {
  monitor = 
  # text = cmd[update:1000] echo "$(date +"%I:%M")"
  text = cmd[update:1000] enable strftime; strftime '%I:%M' $EPOCHSECONDS
  # text = $TIME
  color = rgba(242, 243, 244, 0.75)
  font_size = 93
  font_family = SF Pro Display Bold
  position = 0, 310
  halign = center
  valign = center
}


label {
    monitor =
    text = Password:
    color = rgba(242, 243, 244, 0.75)
    font_size = 10
    font_family = SF Pro Display
    position = 0, -438
    halign = center
    valign = center
}

Compositor Info and Version

System/Version info
Hyprland, built from branch main at commit 8b86ee8bf08eaf8b57d0a7f12af876216323cc3d  (github: encourage usage of --systeminfo if Hyprland won't launch).
Date: Wed Sep 25 11:39:33 2024
Tag: v0.43.0-61-g8b86ee8b, commits: 5257
built against aquamarine 0.4.1


flags: (if any)


System Information:
System name: Linux
Node name: ArchLinux
Release: 6.10.10-zen1-1-zen
Version: #1 ZEN SMP PREEMPT_DYNAMIC Thu, 12 Sep 2024 17:17:51 +0000


GPU information: 
00:02.0 VGA compatible controller [0300]: Intel Corporation Raptor Lake-S GT1 [UHD Graphics 770] [8086:a780] (rev 04) (prog-if 00 [VGA controller])
01:00.0 VGA compatible controller [0300]: NVIDIA Corporation AD103 [GeForce RTX 4080 SUPER] [10de:2702] (rev a1) (prog-if 00 [VGA controller])
NVRM version: NVIDIA UNIX Open Kernel Module for x86_64  560.35.03  Release Build  (archlinux-builder@ArchLinux)  


os-release: NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
ANSI_COLOR="38;2;23;147;209"
HOME_URL="https://archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://gitlab.archlinux.org/groups/archlinux/-/issues"
PRIVACY_POLICY_URL="https://terms.archlinux.org/docs/privacy-policy/"
LOGO=archlinux-logo


plugins:
  Hyprspace by KZdkm ver 0.1
  hypr-darkwindow by micha4w ver 1.0.0
  hyprchroma by alexhulbert ver 1.0.0

Description

[ERR] auth: pam_authenticate failed for hyprlock
for howdy (in hyprlock pam: auth sufficient pam_python.so /lib/security/howdy/pam.py, as suggested by the howdy Arch wiki)

How to reproduce

  1. use howdy
  2. add auth sufficient pam_python.so /lib/security/howdy/pam.py and disable auth include login
  3. try to unlock hyprlock

Crash reports, logs, images, videos

[ERR] auth: pam_authenticate failed for hyprlock

@littleblack111 littleblack111 added the bug Something isn't working label Sep 25, 2024
@PaideiaDilemma
Collaborator

idk but this is not a problem with hyprlock.
The error [ERR] auth: pam_authenticate failed for hyprlock is just what hyprlock logs whenever you fail to authenticate.

@littleblack111
Author

littleblack111 commented Sep 25, 2024

it is... everything else works fine with it.

the thing is, my camera light doesn't even turn on... usually, when I do something like sudo, the camera light indicator lights up, then it authenticates

also I tried verbose, which doesn't seem to give details either:

[ERR] auth: Authentication failed for hyprlock
[TRACE] timer thread firing
[TRACE] got wl event
[TRACE] timer thread firing
[TRACE] got wl event
[LOG] Failed attempts: 1
[TRACE] render lock
[TRACE] Requesting label resource placeholder:Authentication failed <b>(1)</b>961155979244320.94901960.95294120.956862750.7490196
[TRACE] frame 164
[TRACE] Processing requested resourceID placeholder:Authentication failed <b>(1)</b>961155979244320.94901960.95294120.956862750.7490196

@PaideiaDilemma
Collaborator

Just for sanity, can you check if hyprlock-git changes anything?
Can you check if it works with swaylock?

@littleblack111
Author

yep. both don't work...

@FearlessSpiff

I am playing around with howdy for the first time. In gdm I have to enter an empty password (which is stupid) for howdy to scan my face. Did you try that in Hyprlock?
I would also really want to be able to use Howdy with Hyprlock as I don't have a keyboard with me all the time when using my tablet.

@FearlessSpiff

I am going to test more stuff with Howdy and Hyprland tomorrow if time allows.

@FearlessSpiff

I wasn't able to use Howdy with hyprlock. But I might be doing something wrong. Just added what I added for gdm and sudo, which both work, to the top of /etc/pam.d/hyprlock:

auth       sufficient                  pam_unix.so try_first_pass likeauth nullok
auth       sufficient                  pam_python.so /lib/security/howdy/pam.py

I tried with an empty password, but Howdy wasn't triggered. I can't see anything related in the hyprlock logs either.

@Alanon202

Alanon202 commented Nov 11, 2024

I’m using howdy beta on Arch and have used the same config on X11 with simple modifications to system-auth. The setup works just fine on every app requiring authorisation, from terminals to graphical apps, except hyprlock.


auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=3 default=ignore]  pam_systemd_home.so
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass likeauth nullok
auth       [success=1 default=bad]     /lib/security/pam_howdy.so          try_first_pass
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

-session   optional                    pam_systemd_home.so
session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

Weirdly, with hyprlock’s PAM defaults and the Howdy beta setup above (either with empty input or with any random character typed into the input field) the camera LED seemingly activates but hyprlock unlocks instantly, allowing itself to be completely bypassed. I can literally put my finger over the camera and it will unlock in an instant, regardless of the fact that no password was input and no check was done.

My solution has been to intentionally disable Howdy for hyprlock by copying the vanilla system-auth. This removes Howdy from the picture, but ensures that no one can gain access to the system by typing random stuff and pressing enter.

I’m just writing this in case someone else is on Howdy beta and maybe hasn’t noticed the security hole the setup can create.
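An added example, not part of the issue thread and not hyprlock or Howdy code: a simplified Python model of how Linux-PAM evaluates an auth stack, run over the auth lines of the system-auth quoted in the comment above, to check which module verdicts let the stack return success. The function names and the return-code labels (`success`, `auth_err`) are assumptions of this example, and the codes passed in are inputs you choose, not observed module behaviour.

```python
# Added example: simplified model of Linux-PAM auth-stack dispatch; return codes are caller-supplied assumptions.
import re

SHORTHAND = {  # bracket equivalents of the classic control keywords (subset, per pam.conf(5))
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}
# auth section copied from the system-auth quoted in the comment above
SYSTEM_AUTH = """\
auth       required                    pam_faillock.so      preauth
-auth      [success=3 default=ignore]  pam_systemd_home.so
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass likeauth nullok
auth       [success=1 default=bad]     /lib/security/pam_howdy.so          try_first_pass
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
"""

def parse_auth(text):
    """Return [(actions, module line)] for auth entries; include/substack are not followed."""
    stack = []
    for ctl, mod in re.findall(r"^[ \t]*-?auth\s+(\[[^\]]*\]|\S+)\s+(.+)$", text, re.M):
        acts = dict(kv.split("=") for kv in ctl[1:-1].split()) if ctl[0] == "[" else SHORTHAND.get(ctl)
        if acts is not None:
            stack.append((acts, " ".join(mod.split())))
    return stack

def evaluate(stack, results):
    """results maps a substring of a module line to its assumed return code; unlisted modules return 'success'."""
    impression, status, i = None, "must_fail", 0
    while i < len(stack):
        acts, mod = stack[i]
        ret = next((r for key, r in results.items() if key in mod), "success")
        action = acts.get(ret, acts.get("default", "bad"))  # fail-closed fallback is an assumption
        i += 1
        if action.isdigit():  # jump: skip N modules, running verdict unchanged
            i += int(action)
            if i > len(stack):
                return "must_fail"  # jumping past the end of the stack is a config error
        elif action in ("ok", "done") and (impression is None or (impression, status) == ("+", "success")):
            impression, status = "+", ret
        elif action in ("bad", "die") and impression != "-":
            impression, status = "-", ret
        if action == "die" or (action == "done" and impression == "+"):
            break
    return status if impression == "+" or status != "success" else "must_fail"
```

With `pam_systemd_home`, `pam_unix` and `authfail` set to `auth_err`, the result of `evaluate(parse_auth(SYSTEM_AUTH), ...)` follows the code assigned to `pam_howdy` alone, so in this stack a wrong or empty password leaves the unlock decision entirely to that one module.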

@PaideiaDilemma
Collaborator

Ah right, I forgot about this issue.
howdy is broken. See boltgolt/howdy#969
and #535

@vaxerski closed this as not planned Nov 12, 2024