WSL Hello Sudo: Face Recognition of Windows Hello on Windows Subsystem for Linux (github.com/nullpo-head)
213 points by cglong on March 2, 2021 | hide | past | favorite | 81 comments

This is pretty sweet. I feel like the only thing is that Windows Hello, and other fingerprint/face scanning tech, is pretty slow compared to typing in a password, so I doubt I'll be using it anytime soon. This is still very interesting from a technical POV.

I know nothing of PAM, but could it be used with something like LDAP? or ActiveDirectory?

Both face and fingerprint authenticate in under a second on all the machines I use.

If the machine is joined to a domain you'd need to use Hello for Business. It's more involved to set up, but if you've got enough Windows computers to have an AD domain you should definitely do it.


I used Windows Hello for about a year with a Razer Stargazer (IR Camera) and was always impressed with how quickly it was able to auth me, no matter if I was wearing glasses or not. Less than a second for me too, and that camera does not have the fastest start time, from camera init to capturing from both RGB and IR cameras.

At first I was skeptical about the usefulness of such a feature given my password doesn't take long to type, but it turned it to be a feature I really enjoyed.

I have an IR camera built into my Dell Latitude. It's surprising how quick it is. The only catch is that I'm usually looking at my monitor and have to turn to the laptop for it to pick up.

Yep! PAM is "Pluggable Authentication Module", which sits between applications and the auth method, so you can put anything there. LDAP and ActiveDirectory are fairly common ones.
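To make the "sits between applications and the auth method" point concrete, here is an added example (not code from the WSL Hello sudo project or from any commenter): a small simulator of how a PAM `auth` stack combines module results according to the control flags in pam.conf(5). The module names (`pam_wsl_hello.so`, `pam_unix.so`) and the sample stacks are assumptions for illustration; the project's README is the authority on its real configuration. It shows why a face-recognition module can be listed as `sufficient` in front of the password module and fall back to it, and also the ordering mistake where a `sufficient` line after a failed `required` line cannot rescue the stack.

```python
"""Simulate how a PAM 'auth' stack combines module results.

Added example, not from the WSL Hello sudo project. Module names and
stacks below are assumptions for illustration. Control-flag semantics
follow pam.conf(5) / Linux-PAM, simplified to success-or-failure codes.
"""
from typing import Dict, List, Tuple

StackEntry = Tuple[str, str]      # (control flag, module name)
ModuleResults = Dict[str, bool]   # module name -> True (PAM_SUCCESS) / False

UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"


def evaluate_auth_stack(stack: List[StackEntry],
                        results: ModuleResults) -> Tuple[bool, List[str]]:
    """Return (authenticated, modules_actually_called) for an auth stack.

    required   - failure sinks the stack, but later modules still run
    requisite  - failure sinks the stack and stops immediately
    sufficient - success stops the stack with success, unless something
                 before it already failed; its own failure is ignored
    optional   - success counts only if nothing else has set a result
    """
    impression, status = UNDEF, False   # Linux-PAM starts as "must fail"
    called: List[str] = []
    for control, module in stack:
        ok = results.get(module, False)  # an unknown module fails closed
        called.append(module)
        if control == "required":
            action = "ok" if ok else "bad"
        elif control == "requisite":
            action = "ok" if ok else "die"
        elif control == "sufficient":
            action = "done" if ok else "ignore"
        elif control == "optional":
            action = "ok" if ok else "ignore"
        else:
            raise ValueError(f"unsupported control flag {control!r}")

        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # A success only counts if nothing before it has already failed.
            if impression == UNDEF or (impression == POSITIVE and status):
                impression, status = POSITIVE, True
            if action == "done":
                break                 # sufficient: stop walking the stack
        elif action == "bad":
            if impression != NEGATIVE:
                impression, status = NEGATIVE, False
            # required: keep calling later modules (hides which one failed)
        elif action == "die":
            impression, status = NEGATIVE, False
            break                     # requisite: stop immediately
    return status, called


# Constructed sudo stack: try Windows Hello first, fall back to the password.
HELLO_THEN_PASSWORD: List[StackEntry] = [
    ("sufficient", "pam_wsl_hello.so"),
    ("required", "pam_unix.so"),
]

# Misordered stack: password module first, Hello module second.
PASSWORD_THEN_HELLO: List[StackEntry] = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_wsl_hello.so"),
]


def scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Run a few constructed outcomes through both stacks."""
    hello, unix = "pam_wsl_hello.so", "pam_unix.so"
    return {
        "face ok": evaluate_auth_stack(
            HELLO_THEN_PASSWORD, {hello: True, unix: True}),
        "face fails, password ok": evaluate_auth_stack(
            HELLO_THEN_PASSWORD, {hello: False, unix: True}),
        "both fail": evaluate_auth_stack(
            HELLO_THEN_PASSWORD, {hello: False, unix: False}),
        # A later 'sufficient' success cannot undo an earlier 'required' failure.
        "misordered, password fails, face ok": evaluate_auth_stack(
            PASSWORD_THEN_HELLO, {unix: False, hello: True}),
        # A stack whose only module is 'sufficient' and fails sets no result: deny.
        "only sufficient, fails": evaluate_auth_stack(
            [("sufficient", hello)], {hello: False}),
    }


if __name__ == "__main__":
    for name, (authenticated, called) in scenarios().items():
        print(f"{name:40s} -> {'allow' if authenticated else 'deny':5s} via {called}")
```

The practical takeaway is the ordering: with the Hello module `sufficient` on top, a successful face scan never calls `pam_unix.so`, a failed scan silently falls through to the password prompt, and no ordering lets the face module override a password module that already returned a failure.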

Is there any library like PAM in the Windows ecosystem?

Not exactly. You can create custom authentication methods and prompts, but it's architected differently. (I think Local Security Authority (LSA) and Credential Providers are the keywords to search for details)

Used to be called GINA. In addition to sibling comments, see: https://docs.microsoft.com/en-us/windows/win32/secauthn/winl...

> This is pretty sweet. I feel like the only thing is that Windows Hello, and other fingerprint/face scanning tech is pretty slow compared to typing in a password

My Dell Vostro has pretty instantaneous fingerprint recognition, much faster than a password (my previous Acer has a less convenient location for the sensor, and was much slower, and was much less reliable.)

On my Gigabyte Aero, the fingerprint is almost instantaneous.

This looks great. I hate Linux desktop and Windows server, so WSL has been a blessing for me.

Glad to see I am not the only one. Windows desktop also has a big plus: native RDP is unparalleled compared to VNC or any other Linux remote desktop.

Native rdp (server and client) has gotten pretty good in Linux of late, too.

And now windows comes with openssh server too, which is a little more sane than opening up access to network managing windows machines directly via WMI...

It's true that VNC is a disaster, but RDP still feels miles behind third-party tech like TeamViewer. And doesn't MSFT still cripple RDP on Home editions?

Is it actually miles behind?

I've used RDP to work remotely and also to play some games inside a Hyper-V VM, and I didn't feel a big difference compared to native.

I haven't used it much lately, but a few years back I was working on a Windows Server system (whichever was the version that was basically Windows 8) and remember it being really janky (latency spikes, image artifacts, etc.) over my pathetic DSL Internet connection. Then I noticed some other admin installed TeamViewer on it so I gave it a try and it was way faster and smoother so I switched to it permanently, despite the constant annoyances because we were too cheap to pay for a license.

Admittedly, it's been almost a decade since Windows 8 (!?!), so this is a very dated experience.

Technically MSFT disabled the RDP server feature in Home edition, meaning you can't use Windows Home as an RDP host (I am not sure of the proper terminology for this). The software is still in there; you can only use the RDP client in Win Home, not the server aspect. It is just disabled without an official way of enabling it (w/o upgrading to Pro). However, there is a way to get it enabled in Windows Home: it needs rdpwrap by stascorp. Just download the file and run it. It will get the server aspect running.

Rdpwrap by stascorp (GitHub): https://github.com/stascorp/rdpwrap/releases

There is an official way to get RDP connections to Windows Home edition systems, Windows Quick Assist: https://community.windows.com/en-us/stories/windows-quick-as...

Obviously it has far more restrictions than enabling RDP on Pro systems, but that's because it's clearly designed with Home users (average consumers) in mind.

I would be on KDE if I didn't have to use Visual Studio for my day job (project is still not fully .NET Core). But WSL is a good compromise; I use it as my shell for all git and dotnet related stuff.

I hate the Windows desktop (and server). Right now I am using XFCE. Much faster than Windows, lower memory footprint and I got it to look similar to macOS to some extent.

Using Windows compared to using XFCE is like pulling a stubborn donkey. No, I don't want to update, I don't want a voice assistant, I don't want absurd UIs, I don't want telemetry, I just want a goddamn menu and desktop icons.

Well, what can I say, good for you :-)

>No, I don't want to update

Why don't you want to update? You really should.

> I don't want a voice assistant

It takes less than 5 minutes to disable and hide it.

> I don't want absurd UIs

How do you define absurd UIs? Do you think 1 billion people using Windows are all absurd? If so, that's highly arrogant of you.

> I don't want telemetry

It's a bit annoying and philosophically not a great thing, but you can disable 99% of their telemetry in about 15 minutes.

> I just want a goddamn menu and desktop icons

Windows offers this and more.

I've used Xfce for a long time, it's nice. But the whole "it's faster and lower memory footprint" doesn't matter much these days, especially since Windows is really well optimized now. How many people are using Xfce on systems with 1GB of RAM anymore? Plus Windows obviously offers much more than just Xfce and Xfce is also under-resourced, developer-wise, and on the brink of becoming abandonware. Linux desktops really are not in a good place today.

> Why don't you want to update? You really should.

Yes, tomorrow evening when I have time, not literally right now in the middle of a 2-day 3D render that my computer has been running for 24 hours now.

> It takes less than 5 minutes to disable and hide it.

Until an update re-enables it or pops an un-hidable fullscreen popup with misleading questions that tricks you into enabling it again.

> [absurd UIs]

You can't possibly be defending the shitshow that is the Win10 setting menu! Everyone hates it, from techies, developers, gamers, grandmas... I could probably write an essay just about the actual bugs and missing features, not even counting stupid design.

> [telemetry]

See the Cortana reply above

> [resources]

Few people are running <1GB of RAM, true, but very many are still running 4GB. That means you can basically open a Word document and two Chrome tabs before your system becomes unusable. This isn't an exaggeration - if the two tabs are heavy (like FB and Gmail, for example), the system will already start swapping.

For another datapoint, I can no longer play certain games (heavily modded) on Win, because they actually need at least 6GB of RAM and that's enough to crash my 8GB system. On Linux, I can run the game, Spotify and like 3 Firefox tabs on the same machine, and I'm using a DE that's notorious for high RAM usage (KDE Plasma).

Windows Update is quite accommodating if you configure it a bit in the Pro version. The Home version of Windows is a pain all around, the upgrade to Pro is definitely worth it (especially if you are actually doing serious work)

> You can't possibly be defending the shitshow that is the Win10 setting menu!

It's a humongous engineering project and I can see what they're doing. It's a super painful and long transition, but where they've finished the transition, I like it. Very nicely organized, searchable, it makes a lot of sense, it's consistent. It's a great UI, we're just in the middle of the construction site.

Yes, I completely agree. But you wouldn't kick a bunch of people out of their apartments and force them to live in the construction site for 3 years because "once it's done, it'll be way nicer than where they were living".

I don't know what their thought process was when they decided it, but they for sure knew it was going to be painful for users.

I imagine they didn't have any other way to do it.

If they don't do it, everyone complains that the Control Panel is getting antiquated, if they do it, people complain why they're changing it like this.

We have to be realistic here.

It's definitely a tough situation, but they did it in the dumbest way possible. By intentionally hiding old menus before the new ones are fixed, they have effectively broken the OS itself for the vast majority of users.

My favorite example of this is the sound output setting. Windows has two output "streams" - communication and media. The old menu used to have a "set default" button that set a device to default for both, but you could also set each default manually. The new menu doesn't make that distinction at all, but the new default device switcher only switches the playback default. This results in things like Skype, Zoom, Discord... seemingly not respecting the output device setting. The only way to fix this is through the old menu, but they have removed every trace of it, so you have to trick Windows by searching for "sounds" to get to the place where you change things like the error message sound, which pops up a window where you can then switch the tab to the old sound control panel.

I don't think there's been a single month since this change was pushed out where I didn't have to help someone with this. It's clearly broken, clearly

I'm on the latest release version (20H2). If you go to Settings > Sound, there's a Related Settings heading, under which you'll find Sound Control Panel. There's the list of output devices where you can Set Default, and there's a tab for Communications, though there's not a lot in there. Is that what you're talking about?

Yes, that's the one. I have that menu as well, but it's not always there. I think there were a couple of versions without it, but they probably realised this exact problem and put it back. Still not a very discoverable thing for someone who doesn't know exactly what they're looking for, though.

Pretty much everything you describe are poorly cherry-picked non-issues that affect fictional people. Like the tormented fictional people from infomercials.

Just use pavucontrol (Pulseaudio volume control) which comes included with most distros.

Windows 10...pavucontrol... I have a feeling you really didn't read the thread leading up to this

Which version is this in? I'm on 1909 and there is still a link to the Sound Control Panel in the top right menu of the Sound Settings page.

Yeah, it's usually there, but I've also seen it not be. I never bothered to figure out why, it was probably just a short-lived update and I guess many people got stuck on it for a bit. It's still definitely the kind of thing even a more capable user probably wouldn't think to even look for if they didn't know about the whole media vs comms stream thing and that exact menu.

Those tiny non resizable windows and dialogs coming straight from Windows 95. Are they really getting rid of them?

Yup. I think they're binning everything and replacing it with the new UI. It's just literally taking a decade.

The new UI seems to be very forward facing, I suspect that they're targeting everything with it: desktop, mobile, even AR/VR.

> How do you define absurd UIs? Do you think 1 billion people using Windows are all absurd? If so, that's highly arrogant of you.

Most of those 1 billion people didn't choose Windows 10 because they looked at it and thought, "yeah, this user interface is so much better than Windows 7". Most of those people didn't look at the latest update to Windows 10 and think, "yeah, these changes to the UI are major improvements, my life will be so much easier than on the previous version of Windows 10".

For most of the non-programmers I know, it's more of a boiling-frog situation. Microsoft blackmails them into "upgrading" using security patches, and every "upgrade" makes the UI less intuitive, slower to use, or worse in some other way.

Just last month, for example, I got a call from my parents because the Photos app was no longer allowing them to save an edited copy of a photo to a different folder. Turns out, yeah, you just couldn't do that anymore. It's absurd, but my parents certainly aren't the absurd ones.

> How do you define absurd UIs? Do you think 1 billion people using Windows are all absurd? If so, that's highly arrogant of you.

I think Windows is a probably the least worst desktop (not laptop!) OS right now but I would defend the parent commenter here. Windows has had the slowest and most painful UI transition I've seen in an OS, and it definitely hinders usability. Try to change certain innocuous settings in windows and you will unknowingly embark on a journey through time as you discover layers of settings still preserved in older and older UI frameworks still tucked away in deep corners of the OS.

> Why don't you want to update? You really should.

Sorry guys, I can't export that report for this morning's meeting for another 45 minutes, as the copy of that proprietary software we're required to use by regulations in this country is... on the Windows computer that has decided to update.

> How do you define absurd UIs?

Have you ever tried using the Windows 10 control panel?

>It's a bit annoying and philosophically not a great thing, but you can disable 99% of their telemetry in about 15 minutes.

https://www.youtube.com/watch?v=PxwEwwlDM8Q CIA/NSA leader "We kill people based on metadata"

I grew up on Windows and don't know how to program, and even I am dumping Windows for Ubuntu or OS X (+ Windows running in a VM for legacy software). Windows is just trash. It's pure trash. It has the worst user interface, the worst controls, lags, power issues, etc.

I would rather run a Windows AWS instance accessed via a 4G iPad Pro than continue using my PC workstation. It's not good when people that dropped out of business degrees and can't program say that!

Well, is your PC workstation from your company? For various (many of them obsolete) reasons, companies load a ton of management crap on Windows systems. That software is not as available on MacOS, let alone Linux desktop, so they don't because they can't.

The billion people you mentioned use Windows because it was preinstalled on their computer. They also have not, in their majority, heard of Linux. There is almost no company doing marketing for Linux desktops.

Many people use computers for entertainment and Windows has more compatibility with games because game developers target Windows. Even though many of the game engines they use support Linux.

With Wine, Proton, Dxvk, etc... the game compatibility gap is closing rapidly, though.

Now, many occupations require software that won't run on Linux (software from Autodesk, Adobe, etc), but the use case for the vast majority of people is well covered.

If they were given the chance to acquire their computer for cheaper without an OS they would have done so.

What do you mean I have to use iwconfig to fix my network? No, I just want to connect to a network. I don't want to write scripts for every device to suspend and resume.

It's been years since that was necessary. All major distros do this sort of thing automatically now with GUI configuration tools as a first class option. Even on bare bones distros like Debian.

Setting up my laptop with Fedora is a more straightforward job than doing the same task with Windows 10. Everything worked, including the fingerprint reader - no manual install of anything required.

I've only had to touch iwconfig once (on a desktop OS) and it was when my network card wasn't even supported on Windows, so it was still a win for Linux. But yes, if something breaks, no shit you have to pull out the command line - it's the same on Windows, only a lot of the time, you can't actually fix it because they don't give you the necessary tools.

As for suspend/resume scripts, I've never had to do that and I use Arch (yes, hahah, but you know what I mean).

funny you say that, because Arch is what had me learn about those monstrosities (suspend/resume scripts). Granted, it was back around 2011 though so I'm sure things have changed quite a bit since.

Windows has a certification process for most hardware and drivers, things still break but any major or wide breaks are caught quite early. I just have less time to tinker with stuff when random flakiness pops up which happened a lot when I used Arch and Ubuntu.

You don't need iwconfig to fix your network. You can just use the network settings UI. Next.

What kind of prompt is this? It looks like Windows Terminal running Bash, but are the icons PNGs (windows + home), or a specific type-face rendering emoji?


It is Windows Terminal. See https://github.com/microsoft/terminal

Windows terminal for the win! (pun intended haha)

To me developing with WSL2 is now even better than on native Linux - works exceptionally well. I use it with VS Code + WSL plugin and Docker for Windows.

How do you deal with performance issues with files not on the linux machine?

I had this problem at first (I kept my source codes in a separate drive to be able to edit them from my Windows IDE), but nowadays I just keep all my code files in WSL and I don't notice the problem at all anymore. VSCode makes interacting with the box completely transparent.

For me, this hasn't been an issue. I think number one is just that I don't have to do this often. Perhaps sometimes I download a file with my Windows browser and save it locally, and then want to get to it in WSL2. Maybe I'll copy it somewhere locally, or since it's just a one-off, grab it. And performance doesn't seem like a problem. All drives are NVMe SSD. Perhaps if you have use cases where you're managing/editing a lot of files between file systems, it could add up to some frustration.

There are no performance issues with WSL2. It was only the case with the first version of WSL.

WSL2 has better performance for accessing files in the WSL filesystem than WSL1 does (partly because the WSL files are stored differently).

But it has worse performance for accessing native Windows files than WSL1 does.

In any case I think an assertion that WSL2 has no performance issues needs a serious citation (as opposed to no citation which you gave) - you're making a claim about all possible situations. As always, a statement that "no x exists" requires seriously more proof than "at least one x does exist".

That's not the full story. WSL2 has serious regressions in cross-OS performance, and many users have switched back to WSL1, which supposedly isn't going away any time soon.

I prefer remoting through vscode into a remote dev machine so that I can work on my laptop from wherever with amazing build times

> The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data.


Windows Hello is opt-in and also has many other providers other than facial recognition

This looks easier to setup and use than using fingerprint for sudo on native Macos.

I’m going to repost this from the Mac thread:

What exactly is the point of sudo/UAC these days of single-user machines? I think https://xkcd.com/1200 put it well. Anything running as an unelevated user account can access my browser sessions where it can steal my passwords, emails, or other private info. It can turn on my microphone and camera. It can read all of my documents. Those are the things I care about protecting, not whatever special things root can do like install drivers and create virtual network interfaces.

The best configuration for WSL sudo is probably to just allow all commands without any authentication.

Have you forgotten what life was like before windows got UAC? Just because a machine is single user doesn't mean it's a good idea for all processes to run as root/Admin.

Back then I remember that people generally had a single computer, used by the whole family! It's definitely not good for kids to trivially install a banking trojan when downloading stuff. Nowadays all my data belongs to a single user; I am the only user on 5 machines. The only thing for which root is good is to secure firmware updating and deleting ZFS/BTRFS snapshots. Unfortunately there are still setuid binaries weakening this security model.

On Windows, it's a malware thing. Windows XP applications were designed with horrible security issues disguised as features because of it, partially causing the massive pain everybody felt when migrating to Windows Vista. Your favourite text editor could be the reason your graphics card would randomly make the screen go green, or that your flash drive didn't work, or that your system bluescreened and you'd have no idea of knowing because *anything* could be causing those problems.

Modern Windows has permission levels and capabilities that segregate background processes and system services. If your browser, running in low integrity mode, gets exploited, there's a whole layer of security that needs to be bypassed to read the keys you type or to install tasks at startup.

On Linux, I think it's mostly an anti-fuckup-thing. You can't accidentally delete system files if you're not root, you can't accidentally restart the wrong service, you can't accidentally edit the system config when you want to edit the user config. Badly-written tools can't mutate something when I ask them to just read. It also works for the same reasons as UAC does for Windows, though the Linux permission model is much simpler than the Windows one for most use cases.

If you run everything as root, the first compromise rootkits your computer. If you use proper user segregation additional steps need to be executed in order to trick you into getting the malware hooked deep into your system.

For WSL, the problem is similar to Linux, because WSL is just a well-integrated Linux VM. Dev tools such as npm download and execute random code from the internet, which can be infected somewhere six levels down the dependency chain. If you run those as root, you're giving that malware full access to your system whereas your local user account can only modify some of the files outside of WSL.

It doesn't protect you from theft of your unlocked laptop. It does protect you from bad software, at least partially.

It’s true that the pre-UAC situation in Windows was bad, but the function of UAC was to encourage app developers to do the right thing. Raymond Chen agrees:

”UAC is not a security feature. It’s a convenience feature that acts as a forcing function to get software developers to get their act together.” https://devblogs.microsoft.com/oldnewthing/20160816-00/?p=94...

On a single user machine, it does nothing for user security, because all of the things worth protecting, like your data, don’t require elevation anyway.

As for preventing fuckups, it prevents the wrong fuckups. Deleting my user files is a bad fuckup. A program trashing my files and emptying my bank account is a bad fuckup. Trashing my OS install, the only thing root can do that my user account can’t, is an inconvenience.

Even a single user machine is really not single user because your applications are also users on your machine and being Internet connected/updated you better have control over what they can do.

Hello, author of please (https://gitlab.com/edneville/please) here, where I've taken a different approach to make permitting granular things simple.

Permitting everything is no different really to browsing the web as root.

Permitting granular things in sudo and doas isn't easy.

For what it is worth, many of the systems I work on have many more than just one user, and I am sure that other people work on bigger environments too. When you have multiple users, you run the risk of delegating more access than you should and thus compromising content, hence why I think access should be simple!

Clearly the better use case is with sshd, rather than sudo. Accept logins via ssh only when you are in front of the computer! ;)


It’s really discouraging to see such a negative sentiment to the namesake of this website here.

Hacking around at systems you’re interested in is hardly a waste of time, it’s through projects driven by self interest that we learn the most imo.

Have to agree with you. Guess the original meaning of the hacker term has been forgotten/hijacked.

Agreed, I learned a lot about sudo just from this README :)

EDIT: oops, this wasn't from MS.

AFAICT this isn’t by Microsoft, and anyways by this definition it would mean that Microsoft cannot do anything without being declared EEE revival except strictly implementing the baseline standard.

Extending standards is normal and expected. It’s the extinguishing part that we get in trouble, but a natural risk of any large player “contributing” to OS (their weight is what opens the possibility; but their weight is also what you want to enable larger/comprehensive OS codebases).

That is, you want Microsoft contributing to Linux. The thing to avoid is only Microsoft contributing to Linux.

That's grossly unfair to the author of this project. This is not from Microsoft, but an individual developer.

The "individual developer" you're talking about is a former Microsoft employee

So Microsoft’s plan to extend Linux includes getting former employees to do it?

Wouldn't anyone with a pension or shares in a company want it to succeed?

but that's the employees sole intent, and not the "firm".

People really get riled up with some brands, but I think brands are really just people who operate the brand collectively, often with an emphasis on the leadership that gets to guide the sail. Gates and Ballmer are past.

How is Gates past? Doesn't he still own the majority share but just someone else is the face of the company? I would assume, as a majority share holder, your interests and ethics would remain the same.
