hi, when I run install.sh in my WSL, it says "Error: Key creation failed due to some error". I check the WindowsHelloKeyCredentialCreator source code and find you call KeyCredentialManager.RequestCreateAsync() without any precheck if the user didn't set up PIN. here are the example from https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport

var keyCredentialAvailable = await KeyCredentialManager.IsSupportedAsync();
if (!keyCredentialAvailable)
{
    // User didn't set up PIN yet
    return;
}

Windows Hello Face enters a face scanning loop and starts responding with "something went wrong, try again" after a couple of retries. Canceling the prompt cancels the installation.

+ sudo echo 'win_mnt = "/mnt/c"'
+ sudo tee -a /etc/pam_wsl_hello/config
win_mnt = "/mnt/c"
+ set +x
Please authenticate yourself now to create a credential for '*********' and '*********' pair.
+ pushd /mnt/c/Users/*********/AppData/Local/Programs/wsl-hello-sudo
/mnt/c/Users/*********/AppData/Local/Programs/wsl-hello-sudo ~/release
+ ./WindowsHelloBridge.exe creator pam_wsl_hello_*********
Error: The user cancelled.
+ test 176 = 171

I got this working with Ubuntu and love it, TY!

My next question is, I also have Kali installed, and ran the same exact setup instructions, but while it works in Ubuntu, it gets ignored in my Kali install. Do I have to do something different to have it work in both at the same time?

In the case that Windows Hello isn't supported, but a key is still generated (or you just run the WindowsHelloAuthenticator` binary by hand), it fails to upon the expected error UI box.

Output:

> sudo whoami

Unhandled Exception: System.AggregateException: One or more errors occurred. ---> System.Exception: Invalid window handle.

This API must be called from a thread with a CoreWindow or a window must have been set explicitly.
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at WindowsHelloAuthenticator.Program.<VerifyUser>d__9.MoveNext()
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at System.Threading.Tasks.Task`1.get_Result()
   at WindowsHelloAuthenticator.Program.Main(String[] args)

This all said, I'm not sure if there's actually a way to open a window on the desktop from WSL like this.

System details:
WSL Version: 1, Ubuntu 18
OS Info: Windows 10 Pro, 19043.1288
Terminal: Windows Terminal Preview

I ran the installer script and verified the existence of pam_wsl_hello.so in /lib/x86_64-linux-gnu/security/. The file is there. Permissions all seem alright.

For debugging purposes, I added

auth       required   /lib/x86_64-linux-gnu/security/pam_wsl_hello.so

to /etc/pam.d/su.
Even with the absolute path, the same error occurs: su: Module is unknown

Output of uname -a:

Linux LAPTOP-RUJJI7SM 4.4.0-17134-Microsoft #345-Microsoft Wed Sep 19 17:47:00 PST 2018 x86_64 GNU/Linux

Windows version: 10.0.17134 Build 17134
MD5Sum:
8ee75aee1cc9531bafa689d8c12ac9e3 /lib/x86_64-linux-gnu/security/pam_wsl_hello.so

What am I missing here?

HELP. i cant find solution anymore.

tar.exe: Error opening archive: Failed to open 'release.tar.gz'
tar.exe doesnt work even i use wget so i manually downloaded the install.sh in URL. but following error oucurred:

install.sh: 10: Syntax error: "(" unexpected (expecting "then")

+WSL is always root even im not elevated but im in administrator account on windows. i have no other account. how to login 'normal user'?

Face recognition is not the default authentication option but PIN. I was unable to find a way to change it.

install.sh breaks on line 58 if $WINUSER/$PAM_WSL_HELLO_WINPATH contains a space:

./install.sh: line 58: [: /c/Users/Jonas: binary operator expected

Easy to workaround once you notice the issue because you can pass your own install location as part of the setup, but still would be nice if it'd work out of the box :)

install.sh assumes that things are in /lib/x86_64-linux-gnu, but arch has all of those paths directly under /lib. Changing the paths made it work, but the script should handle that automatically.

To resolve:

winget install microsoft.vcredist.2015+.x64

On Ubuntu, you can easily include the required pam settings by creating the following file:

/usr/share/pam-configs/wsl-hello-sudo

Name: WSL Hello authentication
Default: no
Priority: 260
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_wsl_hello.so

Then you can call sudo pam-auth-update and select the entry from the checkbox list. The resulting file will include the required PAM config entries without creating any conflicts with other authentication methods.

Perhaps it would make sense to include that file in the install script?

Error code: 80090010
at
..SECURITY_STATUS.CheckStatus(...)
...

When opening KeePass over RDP session, no Hello obviousli is available and error dialog opens.
When closing popup, normal fallback password dialog could be used.

As the title states, running the script generates a permission error for chmod,

Choosing a different location inside the local users folder generates the same error

Running the script with sudo stops the script asking you to run it as a local user.

Tried opening Ubuntu normally and with administrative privileges inside windows

Any idea what could cause this?

running the chmod command with sudo does work after the script failed. However, restarting the script re-executes the copy and the chmod command causing it to fail again

Hi,

I get this error:

./install.sh
'\wsl.localhost\Ubuntu\home\mvg\release'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
The syntax of the command is incorrect.

During installation the script asks for the /c location if /mnt/c/ doesn't exist, but then the authentication code in Rust still requires it to be /mnt/c/: https://github.com/nullpo-head/WSL-Hello-sudo/blob/master/src/auth.rs#L209

Since users enter the /c location already anyway as part of the setup, I guess this location could just be stored in etc/pam_wsl_hello/config alongside the authenticator_path – though I think it'd be cleaner to automatically use the root property in etc/wsl.conf to check for the drive mount root.

I've tried the directions in the README.md for this error but so far no luck.

I always get the password prompt:

mbcrump@DT:/mnt/c/Users/micrum$ sudo id
Password:

My sudo nano /etc/pam.d/sudo:

#%PAM-1.0

auth       sufficient pam_wsl_hello.so
session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0@include common-auth
@include common-account
@include common-session-noninteractive

The exe copied over successfully:

mbcrump@DT:/mnt/c/Users/micrum/pam_wsl_hello/WindowsHelloAuthenticator$ tree
.
├── WindowsHelloAuthenticator.exe
├── WindowsHelloAuthenticator.exe.config
└── WindowsHelloAuthenticator.pdb

0 directories, 3 files

Anyone having an issue?

I got this error when I try to run install.sh

When you run WSL Hello with OpenSUSE Tumbleweed it results in an error:

❯ su
WSL Hello error: cannot find the credential public key for this user
Password:

Whenever I call sudo in hyper terminal, the authentication window appears in the background, and I have to switch to it with with Alt + Tab.

Windows Hello work with PIN, Fingerprint but Face recognition. It recognize but open Windows Hello popup again and again. I have found some workaround:

• Change to other authentication method such as PIN or fingerprint and change back to Face recognition will work.
• Move face out of camera then move back will work as well.
• Keep face out of camera first and wait a second then move in.

I think this problem come with authentication speed. Face recognition is fastest authentication way, it take some milliseconds to recognize compared with PIN and fingerprint (including time to type numbers and move your hand over fingerprint sensor and swipe).

When the install script reaches the line + ./WindowsHelloBridge.exe creator pam_wsl_hello_vkapadia it gives the message Error: Access Denied. This is with Ubuntu 18.04 on WSL 2 on Windows 11.

Hi team - I love this! Thank you. Wondered if there is a way to automatically ok this window, please? i.e. bypass the required mouse click of the "ok" button once Windows Hello has verified me, please?

It works on my Ubuntu 16.04 and 18.04, but it doesn't work on 20.04.

I have installed and configured WSL Hello on my Ubuntu 20.04 several times starting with a clean distro each time. Unfortunately, it prompts for the password. I tried to debug with su, but it prompts for the password too and doesn't output any errors.

Microsoft Windows [Version 10.0.18363.815]

Authentication with a security key, while supported by Windows, is not available when using the PAM module.

I installed this awhile back and wasn't aware there's now a v2. Rather than manually uninstalling and upgrading the two components, I wish they could be manageable via one or more package managers (e.g. WinGet and APT).

When I sudo (from Windows Terminal), the Windows Hello dialogue pops up unfocussed - the Terminal window keeps focus. In consequence I need to first switch to the Windows Hello window using mouse or alt-tab, and then authenticate (using a fingerprint scanner in my case). This somewhat detracts from the speed/fluency advantage of using Hello over entering a password.

I'm not sure if this is the same as the FAQ item entitled "The Windows Hello dialog sometimes appears in background." If so, apologies for the overlap, but I wonder if there is a way around it. I notice that this doesn't happen with Windows apps that use Windows Hello, eg. 1Password.

1Password first opens its own window, then the Windows Hello window appears on top of that (every time, and always achieving focus). Some sort of child window relationship perhaps? In which case, might it be possible for WSL-Hello-sudo to open a blank dummy window and do something similar?

I don't know anything about Win32 dev, so I may be talking out of my hat here. If so, ignore me ;)

Following the standard install steps in an Ubuntu 22.04 LTS WLS2 On Windows 11 Pro 22H2 Build 22621.1483

$ wget http://github.com/nullpo-head/WSL-Hello-sudo/releases/latest/download/release.tar.gz
$ tar xvf release.tar.gz
$ cd release
$ ./install.sh

I get the following error:

./install.sh: line 63: /mnt/c/Windows/System32/cmd.exe: Permission denied

Potentially relevant since the script is supposed to copy the cli app in my user folder...
My user folder contains special characters: C:\Users\Michaël Vanderheyden

I noticed that on WSL2 /etc/environment is not getting parsed even though Linux-PAM seems to be configured correctly. If I execute sudo login the /etc/environment is parsed. So it seems like there is something missing / wrong about how WSL handles the distribution.

Am I missing something obvious? Asking here because it seems like you know how to get Linux-PAM to properly work with WSL2.

Related:

• microsoft/WSL#1405
• linux-pam/linux-pam#481

Upon running su - this error message is printed. No further information is provided either by PAM or WSL-Hello.

The only extra PAM modules loaded for su are pam_rootok.so and pam_wsl_hello.so.

I don't know how to do it, I pressed every key on my keyboard and nothing is working, after giving the command, it shows the complete list, but I am unable to switch anything.

I suppose there is a typo in install.sh in the 95th line - "\" should be in quotes or have to be deleted.

I had a weird error today happening once, not before and not again afterwards.

I got the Windows Hello prompt, I confirmed with fingerprint, and then WindowsHelloAuthenticator crashed:

david@CHE-X1:~ $ sudo apt install --only-upgrade httpie

Unbehandelte Ausnahme: System.AggregateException: Mindestens ein Fehler ist aufgetreten. ---> System.Exception: TPM 2.0: Das Handle ist für die Verwendungsweise nicht korrekt. (Ausnahme von HRESULT: 0x8028008B)
   bei System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   bei WindowsHelloAuthenticator.Program.<VerifyUser>d__9.MoveNext() in C:\Users\abctk\Dropbox\develop\rust\wsl_hello_pam\win_components\WindowsHelloAuthenticator\WindowsHelloAuthenticator\Program.cs:Zeile 71.
   --- Ende der internen Ausnahmestapelüberwachung ---
   bei System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   bei System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   bei System.Threading.Tasks.Task`1.get_Result()
   bei WindowsHelloAuthenticator.Program.Main(String[] args) in C:\Users\abctk\Dropbox\develop\rust\wsl_hello_pam\win_components\WindowsHelloAuthenticator\WindowsHelloAuthenticator\Program.cs:Zeile 94.

The error message is German for TPM 2.0: The Handle is not correct for the use. (TPM_20_E_HANDLE)

Windows version 19042.867

Sorry for the noobie question, I'm new to Linux. I downloaded using

wget http://github.com/nullpo-head/WSL-Hello-sudo/releases/latest/download/release.tar.gz

after installing, can I delete the 'release ' directory that the download created? (i.e. did the install script place the required stuff elsewhere on the system so this install folder is no longer needed?)

thank you in advance!