Skip to content

[v3.0 Beta] pam_howdy.so segfaults / core dumps on Linux Mint, resolved by using pam_exec with compare.py #1112

Description

@nikcola16-bit

Please describe the issue in as much detail as possible, including any errors and traces.
_If your issue is a camera issue, be sure to also post the image generated by running sudo howdy snapshot.

Markdown
_

Environment

  • OS: Linux Mint (Ubuntu-based)
  • Howdy Version: 3.0 Beta
  • Hardware: Laptop (Honor MagicBook) with integrated webcam

Problem Description

When configuring the native pam_howdy.so module in the PAM stack (e.g., /etc/pam.d/sudo), the authentication process constantly fails or hangs for about 12 seconds, resulting in core dumped or exit code 1.

Upon deeper inspection, it appears that the compiled C/Python PAM binding in the 3.0 beta experiences a segmentation fault or threading crash when initialized by PAM, likely due to GUI/OpenCV initialization conflicts or window rendering issues in the backend, even when no display is active.

The Discovery

Interestingly, running the underlying Python comparison script directly as root works flawlessly, instantly, and without any graphical errors:

sudo python3 /lib/security/howdy/howdy/src/compare.py <username>
The script accurately returns exit code 0 on successful face recognition and exit code 1 on failure or timeout. The issue is strictly isolated to the compiled pam_howdy.so module itself.

Our Workaround / Solution

To bypass the crashing .so module while keeping the fast, native facial recognition of Howdy 3.0, we completely replaced pam_howdy.so with standard pam_exec.so combined with a lightweight Bash wrapper.

1    We created a secure script at /usr/local/bin/howdy-auth

#!/bin/bash
export PYTHONPATH=/lib/security/howdy/howdy/src

# Automatically capture the user attempting to authenticate
USER_TO_AUTH="${PAM_USER:-nikolaus}"

# Execute the core Howdy python engine directly
/usr/bin/python3 /lib/security/howdy/howdy/src/compare.py "$USER_TO_AUTH"

# Forward the exit status directly to PAM
if [ $? -eq 0 ]; then
    exit 0
else
    exit 1
fi

2 Then, we appended it to the top of the PAM configuration files (sudo, polkit-1, lightdm, cinnamon-screensaver) like this:

auth sufficient pam_exec.so stdout /usr/local/bin/howdy-auth

Result

This approach completely resolved the issue. Face recognition now takes less than a second, does not cause any memory dumps, and seamlessly falls back to the standard password prompt if the user turns away or if it's too dark (thanks to the sufficient control flag).

Hopefully, this insight helps to refactor the main pam_howdy.so logic for the official v3.0 release, perhaps by separating the PAM C-bindings from the core Python execution stack more cleanly, or catching headless OpenCV crashes gracefully.

Thank you for maintaining this awesome project!




----

I've searched for similar issues already, and my issue has not been reported yet.

Linux distribution (if applicable):

Howdy version (`sudo howdy version`):

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions