Unlock the login keyring

[amirkaveh]

Hi.
Everything works smoothly in Howdy version 2.6.1 on Ubuntu 20.04.1.
The only thing is that when you log in to the system using Howdy for the first time, the OS prompts for your password because of the keyring.
I think solving it is a tough one because of OS security rules, but not prompting for a password improves the experience very much.

[boltgolt]

Unfortunately this is unfixable at the moment, the keyring is secured with your password and without this password there is no way to unlock it. It's unfortunately a side effect of how the keyring works

[Nos78]

@boltgolt may I ask for your thoughts on the logic here? If this keyring is auto-unlocked when a user enters their login password from the login-screen, why can it not also be unlocked when a biometric login is provided? I assume the keyring password and the user password are one-and-the-same, else the same logic you state would also prevail?

Is there is no configuration we can change to facilitate this? For example, enabling auto-login (IE logging in without a password) will also repreduce this exact behaviour in prompting the for the password. So, continuing this logic flow, we're basically saying that the howdy tool is a glorified auto-login, thats more secure than the default passwordless user auto-login? (Granted, IMO much more secure)

In summary, are you saying that for a face login to unlock the keyring, then its the keyring tool that needs modifying? I'm prepared to look at it, so I'll take an educated guess as to whether its a configuration issue or hacking-come-code issue?

[boltgolt]

Your first paragraph makes no sense to me. Your password is the encryption key to your keyring and you do not enter it when you log in with Howdy. There is no way around that specific issue.

If you'd like you could set the keyring password to an empty string, but that does mean your keys are saved on disk in plain text.

[barbalex]

Your first paragraph makes no sense to me. Your password is the encryption key to your keyring and you do not enter it when you log in with Howdy. There is no way around that specific issue.

If you'd like you could set the keyring password to an empty string, but that does mean your keys are saved on disk in plain text.

If this is the case, then howdy is pretty much useless. As @Nos78 mentioned, howdy is useless if it can not be used instead of entering a password.

The readme begins with: Howdy provides Windows Hello™ style authentication. I use Windows Hello. But it not only authenticates me, it also authorizes me and thus completely replaces having to enter a password.

After looking a little more closely at the issues, it seems that a high percentage have been about this fact. And they have been closed as duplicate of this one here. Seems that @Nos78 and me are not alone in expecting howdy to authenticate and authorize users.

[tokox]

I agree, but there is no way howdy can unlock that. Keyring is encrypted using your password and it can't be decrypted differently than entering password. You could reconfigure your keyring tool to work somehow different so no password will be needed (you will have to think about replacement) or for example create a script that will unlock the keyring after login from saved somewhere password or something like that. The second solution is only a very not recommended and unsafe workaround.

[Nos78]

Oh wow this thread is a blast from the past! @boltgolt thanks for that answer—IIRC the password being used as the encryption key was the bit of the logic I'd overlooked; the first paragraph, in my original comment you responded to, that made no sense to you, was in reference to me being prompted for my Linux user password (or keyring password? I'm replying quickly here) when face recognition failed. And pondering the whole process, lead me to wonder why I could not "unlock" my keyring with a face recognition.
The answer was simple, and your reply helped. I never replied and I apologise. Since this has been added to, I now wish to do so!

I guess I'm not alone in wanting howdy to completely replace password entry. However, that doesn't make it (howdy) useless—it's only in accessing a keyring that it gets....messy... and I now understand why. The passwd is the encryption key. Therefore impossible.

I do like blasts from the past!

[boltgolt]

It's an issue basically all alternative single-factor PAM modules run into, if the keyring starts widely supporting TPMs then it would be a different story

In its current state it's at least very useful to me personally, my laptop as of right now has 100+ days of uptime and I only had to type my password when I booted it. Since then Howdy has handled all my sudo prompts

[Nos78]

It's an issue basically all alternative single-factor PAM modules run into, if the keyring starts widely supporting TPMs then it would be a different story

In its current state it's at least very useful to me personally, my laptop as of right now has 100+ days of uptime and I only had to type my password when I booted it. Since then Howdy has handled all my sudo prompts

Totally agree... it was just that one area that it became, less than useful. A unique use case, otherwise like you, I only need to use password when my appearance changes significantly. Like when I grew a beard through total laziness.

So much so, that when I needed to sign into my SMB share on a new PC. I almost content remember the darn password 😂

[jeffshee]

@boltgolt Sorry if this has been asked before. Is there a way to configure PAM to avoid using face authentication for login if the keyring is locked (i.e., during the first bootup), similar to how Android, with biometrics enabled, requires a PIN/password after a reboot?

[bochen87]

This is quite an issue for me - i tried using howdy, but due to keyring not getting unlocked, i have big issues:

• My VScode is stuck trying to signin to the various plugins
• Chrome is detecting my pc as a new pc and logs me out of everything
• slack can't login
• online accounts can't login

It's quite the pain. I had to unfortunately uninstall howdy due to this issue :-(