Howdy: Disable Howdy only for initial sing-in

Created on 1 Feb 2019  路  7Comments  路  Source: boltgolt/howdy

I would like to be able to disable howdy for the initial log in process. Logging in with howdy does not unlock the keychain, which forces me to enter my password manually every time I need to make a ssh connection involving a ssh key. This can be avoided only when I do the initial login with password. But in order to do so, there is a significant time to wait until the password can be entered, while howdy is trying to get my face recognized.

enhancement

Most helpful comment

You can work around this by temporarily disabling howdy during first login.
I am using elementary OS 5 which is based on Ubuntu (18.04 i believe) but it should work similar in other distros.
NOTE: "dominik" is my username and should get replaced with your own.
What I did was first create a file /etc/sudoers.d/howdy to allow executing howdy without a password.

dominik ALL = (ALL) NOPASSWD: /usr/local/bin/howdy

This is required for the following.

Create a task to run after login. I did not bother to look where to best place it as elementary os provides a nice gui for this. Make it execute the following command:

/usr/bin/sudo /usr/local/bin/howdy disable 0

Create a override in systemd to disable howdy before login. I picked "systemd-logind.service" as its a perfect fit, but it does not really matter which one you use as long as it is done before your login screen appears.
Create the file /etc/systemd/system/systemd-logind.service.d/override.conf and add the following:

[Service]
ExecStartPre=+-/bin/bash -c "SUDO_USER=dominik /usr/local/bin/howdy disable 1"

After a reboot it should work fine. Howdy is disabled until you login using your password which causes your keychain to be unlocked, and enabled for subsequent logins (like after standby or for sudo). This is the behaviour I wanted.

This could also be interesting for:

234

NOTE: All of this is not a proper solution but the best I came up with without error prone changes to howdy. It might break with updates to howdy or your OS, so don't rely on it.

All 7 comments

First of all, thanks for the suggestion! I agree with you that unlocking they keyring every time is a nuisance. There are ways to keep it unlocked permanently, but they are very insecure.

However, as explained here, Howdy does not know _why_ it is being called. The PAM call comes with no context. Detecting a first login would therefore have to rely on logging previous Howdy sessions or monitoring shutdowns. Both of which i would rather not do. Would getting #9 to work be a reasonable compromise?

Thanks for your prompt reply. And, of course, thanks for this excellent package, which I use a lot on a daily basis. :)

What's suggested in #9 seems like the ideal compromise. If I can start typing my password during face recognition, that would solve my issue completely. Then it's up to me to keep my face out of reach of the camera.

I'll close this for now to keep this topic in #9

You can work around this by temporarily disabling howdy during first login.
I am using elementary OS 5 which is based on Ubuntu (18.04 i believe) but it should work similar in other distros.
NOTE: "dominik" is my username and should get replaced with your own.
What I did was first create a file /etc/sudoers.d/howdy to allow executing howdy without a password.

dominik ALL = (ALL) NOPASSWD: /usr/local/bin/howdy

This is required for the following.

Create a task to run after login. I did not bother to look where to best place it as elementary os provides a nice gui for this. Make it execute the following command:

/usr/bin/sudo /usr/local/bin/howdy disable 0

Create a override in systemd to disable howdy before login. I picked "systemd-logind.service" as its a perfect fit, but it does not really matter which one you use as long as it is done before your login screen appears.
Create the file /etc/systemd/system/systemd-logind.service.d/override.conf and add the following:

[Service]
ExecStartPre=+-/bin/bash -c "SUDO_USER=dominik /usr/local/bin/howdy disable 1"

After a reboot it should work fine. Howdy is disabled until you login using your password which causes your keychain to be unlocked, and enabled for subsequent logins (like after standby or for sudo). This is the behaviour I wanted.

This could also be interesting for:

234

NOTE: All of this is not a proper solution but the best I came up with without error prone changes to howdy. It might break with updates to howdy or your OS, so don't rely on it.

I found that in howdy's configuration file, there is an option called "disabled." Maybe you can achieve the goal by changing this option. eg. disable howdy before shutdown, and enable it right after user's login

I would also definitely prefer to use Howdy as "screen unlock" rather than login... Mostly because of the keychain password issue.

@boltgolt said:

Howdy does not know why it is being called. The PAM call comes with no context. Detecting a first login would therefore have to rely on logging previous Howdy sessions or monitoring shutdowns

From the context that Howdy is called under are you able to interact with the rest of the system?

If so, what if Howdy checks to see if a desktop environment exists via something like loginctl to see if the user already has a session (thus we're 99% sure it's a screen lock)?

This will be a really helpful enhancement, If I'm going to re-enter my password for keyring on every login, There is no point of using Howdy anymore :cry:

Was this page helpful?
0 / 5 - 0 ratings