Lenovo W510 Integrated Webcam & Face Authentication

Getting tired of typing my root password for each sudo, I was looking for a more efficient way to authenticate myself. Since I don’t need high security on my notebook, I was wondering whether one can use the notebook’s integrated webcam to do some basic face authentication. There is a pluggable authentication module (PAM) that does face identification based on the Open Source Computer Vision library (OpenCV).
This post assumes Gentoo Linux on a Lenovo ThinkPad W510 and shows how to set up the face recognition PAM module so that it is integrated into the Gnome desktop environment. To set up the integrated webcam, please refer to this earlier post. After that, the webcam should be recognized as a USB device:

[19:30] 0 daniel@ws1 /home/daniel $ lsusb| grep -i webcam
Bus 001 Device 006: ID 17ef:480f Lenovo Integrated Webcam [R5U877]

Because the face authentication is based on OpenCV, we need to install this library first. Fortunately, it’s available in portage:

$ emerge -v opencv

Next, we need to download and extract the sources for the face authentication PAM module:

$ wget http://pam-face-authentication.googlecode.com/files/pam-face-authentication-0.3.tar.gz
$ tar -xzf pam-face-authentication-0.3.tar.gz

We can use cmake to build the source and install the binaries:

$ cd pam-face-authentication-0.3
$ mkdir build && cd build
$ cmake ..  
-- Checking GNUCXX version 3/4 to determine  OpenCV /opt/net/ path
-- Performing Test PAM_MESSAGE_CONST
-- Performing Test PAM_MESSAGE_CONST - Success
-- Found PAM: /usr/lib64/libpam.so;/usr/lib64/libdl.so
-- Configuring done
-- Generating done
-- Build files have been written to: /home/daniel/downloads/today/pam-face-authentication-0.3/build
$ make
$ sudo make install
[  3%] Built target DESKTOP_ENTRY_FILE
[ 31%] Built target pam_face_authentication
[ 96%] Built target qt-facetrainer
[100%] Built target xwindowFaceAuth
Install the project...
-- Install configuration: ""
-- Installing: /lib/security/pam_face_authentication.so
-- Installing: /usr/local/bin/qt-facetrainer
-- Removed runtime path from "/usr/local/bin/qt-facetrainer"
-- Installing: /usr/local/kde/4/bin/xwindowFaceAuth
-- Installing: /usr/local/share/haarcascade_eye.xml
-- Installing: /usr/local/share/haarcascade_eye_tree_eyeglasses.xml
-- Installing: /usr/local/share/haarcascade_nose.xml
-- Installing: /usr/local/share/haarcascade.xml
-- Installing: /usr/local/share/icons/pfa-logo.png
-- Installing: /usr/local/share/applications/qt-facetrainer.desktop

Next, the PAM module must be configured to be used for system authentication:

$ cat /etc/pam.d/system-auth
auth        required    pam_env.so
auth        sufficient  pam_unix.so try_first_pass likeauth nullok
auth        sufficient  pam_face_authentication.so
auth        required    pam_fprintd.so
account required    pam_unix.so
password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password    required    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session     required    pam_limits.so
session     required    pam_env.so
session     required    pam_unix.so
session     optional    pam_permit.so

As you can see, I configured pam_face_authentication.so right after the traditional password login. This way, the user is first asked to type a password. If that fails (or the user just hits Enter), the module tries to recognize the face. If that fails as well, the user is asked for a fingerprint, which is described in an earlier post.
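The fallback order described above can be checked with a small model of how PAM walks the auth stack. This is an added example, not part of the original post or of pam-face-authentication; it models only the required, requisite, sufficient and optional control flags and assumes that pam_env.so always succeeds.

```python
# Added example: simplified model of how Linux-PAM evaluates an "auth" stack.
# Not modelled: [value=action] controls, include/substack, module arguments.

# Auth-relevant lines copied from the /etc/pam.d/system-auth shown above.
SYSTEM_AUTH = """\
auth        required    pam_env.so
auth        sufficient  pam_unix.so try_first_pass likeauth nullok
auth        sufficient  pam_face_authentication.so
auth        required    pam_fprintd.so
account required    pam_unix.so
"""

def parse_auth_stack(text):
    """Return [(control, module), ...] for the auth lines, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def authenticate(stack, succeeds):
    """succeeds: set of module names that return success for this attempt.
    Returns (granted, module that ended the walk early, or None)."""
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = module in succeeds
        if control == "sufficient":
            if ok and not required_failed:
                return True, module       # later modules are never consulted
        elif control in ("required", "requisite"):
            any_success = any_success or ok
            required_failed = required_failed or not ok
            if control == "requisite" and not ok:
                return False, module      # requisite failure aborts at once
        # "optional" results do not change the outcome in this model
    return (any_success and not required_failed), None

def single_factor_grants(stack, always_ok=frozenset({"pam_env.so"})):
    """Modules whose success alone, with all others failing, grants access.
    always_ok is an assumption: pam_env.so only sets environment variables."""
    return [m for _, m in stack if m not in always_ok
            and authenticate(stack, set(always_ok) | {m})[0]]

if __name__ == "__main__":
    for module in single_factor_grants(parse_auth_stack(SYSTEM_AUTH)):
        print("grants access on its own:", module)
```

For the stack above, the model reports that the password, a face match, or a fingerprint each grant access on their own, so the configuration is only as strong as the weakest of the three modules.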

After these steps, we can train the faces for each user:

$ qt-facetrainer

In order to enable face recognition authentication for the root user, i.e. su and sudo, we have to run qt-facetrainer as root:

$ sudo qt-facetrainer

That’s it. Face recognition is now enabled as a fallback authentication method in any PAM-based service, such as gdm/xdm and gnome-screensaver. Please note that this authentication method can be easily circumvented. qt-facetrainer offers some advanced settings to configure the tradeoff between security and recognition performance in order to avoid false positives. But one could simply use a photo of the corresponding user in order to gain access to the system. I did not try that, but please keep that in mind.

In any case, this method should neither be used on security-critical systems nor be used as a required PAM method, because varying illumination also seems to be a problem, so that under bad conditions the face cannot be recognized correctly.
