WSL Hello sudo brings Windows Hello authentication to Linux on WSL

Although Microsoft is improving Windows Subsystem for Linux with almost every major Windows 10 update, some features are still not available in WSL. For example, users cannot use any biometric authentication inside Linux distros. This is where third-party developers step in. Takaya Saeki, a developer from Japan, came up with a nifty tool that brings Windows Hello biometric authentication to Linux running in WSL.


With WSL Hello sudo, you can replace traditional passwords with a fingerprint, facial recognition, or a simple PIN for authentication inside WSL when using the sudo tool.

The sudo tool lets you temporarily escalate your limited user account's privileges to root on Linux. This allows you to perform system maintenance, install and remove packages, edit config files, etc., without switching the user session. Sudo executes a single command as root and then returns to the regular user context.

Users who are allowed to use sudo in Linux are defined in a special file, "sudoers". A sudoer must enter their password to verify the account and execute a command with elevated privileges.

Here WSL Hello sudo comes into play.

WSL Hello sudo

WSL Hello sudo is an open-source Pluggable Authentication Module (PAM) written in Rust. It is compatible with the first and second generation of WSL. It lets you use biometric authentication to authorize sudo commands (commands that require elevated privileges or "superuser" access level). Here is a brief explanation from the developer on how WSL Hello works inside your Linux distribution:

Windows Hello maintains RSA key-pairs for each Windows user in its TPM hardware and tells success of authentication by signing given contents by the private key. To utilize its API, "WSL Hello sudo" contains small Windows CLI apps that return public key and signed signature of given content. On the other hand, the PAM module of "WSL Hello sudo" remembers the public keys of each Windows user who corresponds to each Linux user. So, the PAM module authenticates the given Linux user by the following process.

  1. The PAM module is launched by sudo and receives a Linux user to be authenticated.
  2. The PAM module launches the companion Windows app and sends a random value via WSL's interop bridge.
  3. The companion Windows app invokes Windows Hello.
  4. Windows Hello makes a signature of the given input by the private key of the current Windows user.
  5. The companion Windows app returns the signature.
  6. The PAM module verifies the signature by the public key of the Windows user who corresponds to the given Linux user.
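The exchange in steps 1 to 6, as an added sketch that is not the project's own code (the project is written in Rust; Go is used here because its standard library includes RSA). An in-process function stands in for the companion Windows app and Windows Hello, the users and keys are constructed, and PKCS#1 v1.5 with SHA-256 is an assumed signature scheme that the page does not specify.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sign stands in for steps 3-5: the companion app has Windows Hello sign the input.
func sign(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// authenticate is the PAM side (steps 1, 2 and 6). Any failure denies access.
func authenticate(keys map[string]*rsa.PublicKey, user string, companion func([]byte) ([]byte, error)) error {
	pub, ok := keys[user]
	if !ok {
		return fmt.Errorf("no public key enrolled for %q", user)
	}
	challenge := make([]byte, 32) // fresh per attempt, so an old signature cannot verify
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	sig, err := companion(challenge)
	if err != nil {
		return err
	}
	h := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// demo reports which attempts were accepted: valid, replayed signature, wrong user.
func demo() (res [3]bool, err error) {
	priv, keys := map[string]*rsa.PrivateKey{}, map[string]*rsa.PublicKey{}
	for _, u := range []string{"alice", "bob"} { // constructed users and keys
		if priv[u], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return res, err
		}
		keys[u] = &priv[u].PublicKey
	}
	var old []byte // signature captured from an earlier, legitimate attempt
	asAlice := func(c []byte) (s []byte, e error) { s, e = sign(priv["alice"], c); old = s; return }
	res[0] = authenticate(keys, "alice", asAlice) == nil
	res[1] = authenticate(keys, "alice", func([]byte) ([]byte, error) { return old, nil }) == nil
	res[2] = authenticate(keys, "bob", asAlice) == nil
	return res, nil
}
func main() { fmt.Println(demo()) }
```

Only the first attempt is accepted: the replayed signature fails because each attempt signs a new random value, and the signature made with another user's key fails because verification uses the key enrolled for the Linux user being authenticated.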

You can learn more about WSL Hello in the official GitHub repository. There you will find download links and the user manual with instructions on setting up and configuring Windows Hello in WSL. Do note that you need a Windows Hello-compatible camera or a device with a fingerprint reader. Alternatively, you can use a simple PIN.

WSL is a unique environment within Windows that allows developers and other users to run Linux distributions inside Windows 10. With WSL, Microsoft eliminated the need to run two operating systems on a single PC. Nowadays, users can run Linux apps side-by-side with Windows apps, access the Linux file system from File Explorer, and even utilize hardware acceleration. To make good use of these features in Windows 10, you need to enable Windows Subsystem for Linux and download the preferred distro from Microsoft Store.


Author: Taras Buria

Taras is here to cover stories about Microsoft and everything around, although sometimes he prefers Apple.
