How to add facial recognition based login in ubuntu/linux?

Question

I have written a code (in python) to detect my face. Now I want to add this feature for login in my Ubuntu system. I searched over internet but cannot find suitable answers.

I want to display an option/icon to select facial recognition and on clicking that, my facial recognition code starts running in background. How I can achieve it? Please explain exactly where I need to make changes in ubuntu system for enabling and using such option?

Answer 1

You will want to use Linux-PAM to allow you to Su/Sudo using facial recognition. I have done this with python + a bash script here: https://github.com/lambrou/susentry I have taken part of my README and will explain it to you with the context of your question.

The first thing you will need to do is make a bash script that calls your python script.

#!/bin/bash

# You must change the value /path/to/susentry.py to the path of your
# python file.
export DISPLAY=:0.0
xhost +local:
python3 /path/to/susentry.py -l # run the python script for facial recognition
exit_status=$? # This grabs the exit status of the python script we just ran
if [ "${exit_status}" -ne 0 ]; # checks to see if exit status is anything other than 0
then
    echo "exit ${exit_status}"
    exit 1 # exit status 1 on python script fail (exit 1)
fi
echo "EXIT 0"
exit 0 # exit 0 if we get to this line

What this script does is sets the display to your display, as the PAM module will be calling the script from a different userspace we will need to tell it where your display is, and what xhost you are using. Then, it grabs the exit status of your python script (make sure on facial recognition fail it exits 1, pass it exits 0) and passes it to PAM to let it know whether or not the script passed or failed. Find this line:

python3 /path/to/susentry.py -l

And change /path/to/susentry.py to the full path of your python script. Then, place this file in /usr/local/bin folder.

Next, we modify the PAM common-auth file:

gksudo gedit /etc/pam.d/common-auth

Find this line in your common-auth file:

auth [success=1 default=ignore]     pam_unix.so nullok_secure

This line calls the module that asks the user for a password. If the module returns success (password correct), it skips the next line (success=1 means skip one line). The goal is to skip the following line if authentication is successful:

auth    requisite           pam_deny.so

As this line denies the user access to privileges. So, if you want to use su/sudo, but instead of entering your password you use facial comparison, put this above the line above:

auth [success=2 default=ignore]     pam_exec.so debug log=/path/to/pamlogs.txt /usr/local/bin/susentry

Make sure you change /path/to/pamlogs.txt to where you want the PAM output to be saved. (This ouput is error output and stdin output from your PAM, your bash script, and your python script) Lets break this down.

auth [success=2 default=ignore]

Means "If this program returns success (exit 0), then skip the next 2 lines. (Password prompt line, authentication fail line)

pam_exec.so debug log=/path/to/pamlogs.txt

This part says "use pam_exec to execute the bash script, and send all the error logs/stdin logs to /path/to/pamlogs.txt

/usr/local/bin/susentry

This part is the location of the bash script. This is what PAM exec runs and waits for an exit code for.

If the facial recognition script fails it should fall back to asking for a password. Please note that you need to be careful when editing /etc/pam.d/common-auth as you can break your sudo. You may want to open a new terminal with root privileges while you mess with this stuff so you can revert back the changes.