abort_if_ssh not working in Fedora 40 #905

Closed
karuboniru opened this issue Apr 12, 2024 · 1 comment

karuboniru commented Apr 12, 2024

Please describe the issue in as much detail as possible, including any errors and traces.
If your issue is a camera issue, be sure to also post the image generated by running sudo howdy snapshot.


  • I've searched for similar issues already, and my issue has not been reported yet.

Linux distribution (if applicable): Fedora 40 (modified Silverblue, howdy is installed via this treefile)

Howdy version (sudo howdy version):

sudo LANG=C howdy version
Howdy 3.0.0 BETA

Installed via Copr. I noticed the issue with the version tagged as git344eb34, but I can't tell if previous versions have the same problem.


Problem

When abort_if_ssh = true is set, howdy still gets activated in an SSH session.

❯ ssh yan@localhost
Last login: Fri Apr 12 23:33:27 2024 from ::1

yan@karubook ~
❯ sudo -s                                
Attempting facial authentication
[sudo] password for yan: # 
[root@karubook]/var/home/yan# exit

yan@karubook ~
❯ echo $SSH_CONNECTION
::1 40220 ::1 22

I understand this code is responsible for checking if the authentication request is from an SSH session by getting the SSH-related environment variables. But this did not work on my machine. I am unfamiliar with PAM, so I need help troubleshooting this.


Howdy config.inf

# Howdy config file
# Press CTRL + X to save in the nano editor

[core]
# Print that face detection is being attempted
detection_notice = true

# Print that face detection has timed out
timeout_notice = true

# Do not print anything when a face verification succeeds
no_confirmation = true

# When a user without a known face model tries to use this script, don't
# show an error but fail silently
suppress_unknown = false

# Disable Howdy in remote shells
abort_if_ssh = true

# Disable Howdy if lid is closed
abort_if_lid_closed = true

# Disable howdy in the PAM
# The howdy command will still function
disabled = false

# Use CNN instead of HOG
# CNN model is much more accurate than the HOG based model, but takes much more
# power to run, and is meant to be executed on a GPU to attain reasonable speed.
use_cnn = false

# Set a workaround to do face and password authentication at the same time
#  off     user will have to press enter themselves after a Howdy timeout
#  input   will send an enter keypress to stop the password prompt
#  native  will stop the prompt at PAM level (can lead to instability!)
workaround = native

[video]
# The certainty of the detected face belonging to the user of the account
# On a scale from 1 to 10, values above 5 are not recommended
# The lower, the more accurate
certainty = 3.5

# The number of seconds to search before timing out
timeout = 10

# The path of the device to capture frames from
# Video devices are usually found in /dev/v4l/by-path/
device_path = /dev/v4l/by-path/pci-0000:00:14.0-usb-0:6:1.2-video-index0

# Print a warning if the video device is not found
warn_no_device = true

# Scale down the video feed to this maximum height
# Speeds up face recognition but can make it less precise
max_height = 320

# Set the camera input profile to this width and height
# The largest profile will be used if set to -1
# Automatically ignored if not a valid profile
frame_width = -1
frame_height = -1

# Because of flashing IR emitters, some frames can be completely unlit
# Skip the frame if the lowest 1/8 of the histogram is above this percentage
# of the total
# The lower this setting is, the more dark frames are ignored
dark_threshold = 60

# The recorder to use. Can be either opencv (default), ffmpeg or pyv4l2.
# Switching from the default opencv to ffmpeg can help with grayscale issues.
recording_plugin = opencv

# Video format used by ffmpeg. Options include vfwcap or v4l2.
# FFMPEG only.
device_format = v4l2

# Force the use of Motion JPEG when decoding frames, fixes issues with YUYV
# raw frame decoding.
# OPENCV only.
force_mjpeg = false

# Specify exposure value explicitly. This disables autoexposure.
# Use qv4l2 to determine an appropriate value.
# OPENCV only.
exposure = -1

# Specify frame rate of the capture device.
# Some IR emitters will not function properly at the default framerate.
# Use qv4l2 to determine an appropriate value.
# OPENCV only.
device_fps = -1

# Rotate captured frames so faces are upright.
#  0  Check landscape orientation only
#  1  Check both landscape and portrait orientation
#  2  Check portrait orientation only
rotate = 0

[snapshots]
# Capture snapshots of failed login attempts and save them to disk with metadata
# Snapshots are saved to /var/log/howdy/snapshots
save_failed = false

# Do the same as the option above but for successful attempts
save_successful = false

[rubberstamps]
# Enable specific extra checks after the user has been recognised
enabled = false

# What type of stamps to run and with what options. The type, timeout and
# failure mode are required. One line per stamp. Rule syntax:
#  stamptype  timeout  (failsafe | faildeadly)   [extra_argument=value]
stamp_rules = 
 nod 10s faildeadly min_directions=4

[debug]
# Show a short but detailed diagnostic report in console
# Enabling this can cause some UI apps to fail, only enable it to debug
end_report = false

# More verbose logging from the rubberstamps system
verbose_stamps = false

# Pass output of the GTK auth window to the terminal
gtk_stdout = false

pam.d/sudo

#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

auth        sufficient      pam_howdy.so
# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_unix.so nullok
auth        required                                     pam_deny.so

account     required                                     pam_unix.so

password    requisite                                    pam_pwquality.so
password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
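
A troubleshooting aid for the report above, added here and not part of the issue or of Howdy's code: it lists which SSH session variables are visible in one process's environment and in each of its ancestors', which is the information an environment-based check has to work with. The process table, PIDs, process names and the `SSH_TTY` value are constructed sample data; `SSH_CLIENT` and `SSH_TTY` are included as an assumption alongside the `SSH_CONNECTION` variable shown in the report.

```python
"""Which SSH session variables can an environment-based check see?"""

# SSH_CONNECTION is the variable shown in the report; SSH_CLIENT and
# SSH_TTY are other variables sshd sets, included here as an assumption.
SSH_VARS = ("SSH_CONNECTION", "SSH_CLIENT", "SSH_TTY")


def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep and key:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def ssh_markers(blob: bytes) -> list:
    """Names of the SSH session variables present in one environment."""
    env = parse_environ(blob)
    return [name for name in SSH_VARS if name in env]


def trace_ssh(pid: int, table: dict) -> list:
    """Walk pid -> parent -> ... and return (pid, comm, markers) per hop.

    `table` maps pid -> (ppid, comm, environ_bytes).
    """
    hops, seen = [], set()
    while pid in table and pid not in seen:  # `seen` guards against loops
        seen.add(pid)
        ppid, comm, blob = table[pid]
        hops.append((pid, comm, ssh_markers(blob)))
        pid = ppid
    return hops


# Constructed sample: a process with a cleaned environment, started from a
# login shell that sshd populated (SSH_CONNECTION value as in the report).
SAMPLE = {
    300: (200, "helper", b"PATH=/usr/bin\0TERM=xterm\0"),
    200: (100, "shell", b"SSH_CONNECTION=::1 40220 ::1 22\0SSH_TTY=/dev/pts/3\0"),
    100: (1, "sshd", b"PATH=/usr/sbin\0"),
}

if __name__ == "__main__":
    for pid, comm, markers in trace_ssh(300, SAMPLE):
        print(f"{pid:>5} {comm:<8} {markers or 'no SSH variables'}")
```

On a live Linux system the same bytes come from reading `/proc/<pid>/environ` in binary mode; reading another user's process usually requires root.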

tokox commented Apr 13, 2024

#902 duplicate I think
