Apr29
Lenovo W510 Integrated Webcam & Face Authentication
Filed under Gentoo Linux
Getting tired of typing my root’s password each sudo, I was looking for a more efficient method to authenticate myself. Since I don’t need high security on my notebook, I was wondering whether one can use the integrated webcam of my notebook to do some basic face authentication. There exists a pluggable authentication module (pam) which is doing face identification based on the Open Source Computer Vision library.
This post assumes a Gentoo Linux on a Lenovo Thinkpad W510 and shows how to setup the face recognition pam modules to be integrated in the Gnome desktop environment. To setup the integrated webcam, please refer to this earlier post. After that, the webcam should be recognized as an USB device:
Bus 001 Device 006: ID 17ef:480f Lenovo Integrated Webcam [R5U877]
Because the face authentication it is based on OpenCV, we need to install this library first. Fortunately, it’s located in portage:
Next, we need to download and extract the sources for the face authentication pam:
$ tar -xzf pam-face-authentication-0.3.tar.gz
We can use cmake to build the source and install the binaries:
$ mkdir build && cd build
$ cmake ..
-- Checking GNUCXX version 3/4 to determine OpenCV /opt/net/ path
-- Performing Test PAM_MESSAGE_CONST
-- Performing Test PAM_MESSAGE_CONST - Success
-- Found PAM: /usr/lib64/libpam.so;/usr/lib64/libdl.so
-- Configuring done
-- Generating done
-- Build files have been written to: /home/daniel/downloads/today/pam-face-authentication-0.3/build
$ make
$ sudo make install
[ 3%] Built target DESKTOP_ENTRY_FILE
[ 31%] Built target pam_face_authentication
[ 96%] Built target qt-facetrainer
[100%] Built target xwindowFaceAuth
Install the project...
-- Install configuration: ""
-- Installing: /lib/security/pam_face_authentication.so
-- Installing: /usr/local/bin/qt-facetrainer
-- Removed runtime path from "/usr/local/bin/qt-facetrainer"
-- Installing: /usr/local/kde/4/bin/xwindowFaceAuth
-- Installing: /usr/local/share/haarcascade_eye.xml
-- Installing: /usr/local/share/haarcascade_eye_tree_eyeglasses.xml
-- Installing: /usr/local/share/haarcascade_nose.xml
-- Installing: /usr/local/share/haarcascade.xml
-- Installing: /usr/local/share/icons/pfa-logo.png
-- Installing: /usr/local/share/applications/qt-facetrainer.desktop
Next, the pam module must be configured to be use for system authentication:
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_face_authentication.so
auth required pam_fprintd.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
As you see, I configured pam_face_authentication.so right after the traditional login using password. By doing so, first the user is asked to type a password. If this authentication has failed (or the user just hit enter), it is tried to recognize the face. If this has failed, the user is asked for finger print, which is described in an earlier post.
After this steps, we can train the faces for each user:
In order to enable face recognition authentication for the root user i.e. su and sudo, we have to run qt-facetrainer as root:
That’s it. The face recognition is now enabled as fallback method for authentication in any pam based service i.e. gdm/xdm and gnome-screensaver. Please note that this authentication method can be easily circumvented. The qt-facetrainer offers some advanced settings to configure the tradeoff between security and recognition performance in order to avoid false-positives. But one could simply use a photo of the corresponding user in order to grant access to the system. I did not try that, but please keep that in mind.
In any case, this method should neither be used in security critical systems nor it should be used as a required pam method, because different illumination seems also to be a problem so that under bad circumstances, the face cannot be recognized correctly.
