https://bugs.kde.org/show_bug.cgi?id=384331

            Bug ID: 384331
           Summary: Cannot use PAM modules which send text back to
                    kscreenlocker_greet
           Product: kscreenlocker
           Version: 5.10.3
          Platform: Neon Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: kcheckpass
          Assignee: plasma-b...@kde.org
          Reporter: amar...@xes-inc.com
                CC: bhus...@gmail.com, mgraess...@kde.org
  Target Milestone: ---

I'm trying to use a two-factor authentication PAM module on KDE Neon 5.10 but
am running into trouble because SDDM does not support two-factor authentication
(https://github.com/sddm/sddm/issues/784) and it seems like kscreenlocker_greet
does not either. In particular, the OpenOTP PAM module
(https://www.rcdevs.com/downloads/Integration+Plugins/) tries to have the
display manager print a message (e.g. something like "Insert your token now")
and also display an input password box where you can enter the OTP string. In
both the case of SDDM and kscreenlocker_greet, this causes the login/unlock
screen to hang because these systems don't know how to handle this request from
PAM. I've tried out a different PAM module
(https://developers.yubico.com/pam-u2f/) which does not try to display a
message with the login/unlock screen and it works fine with both SDDM and
kscreenlocker_greet, but I need to use the OpenOTP module which does try to
interact with SDDM/kscreenlocker_greet. Do you have any advice on how to handle
this situation with kscreenlocker_greet? Is there a way I can tell it to just
ignore any such "display this text" messages from the PAM module and proceed
with the login? Or, can it be configured to display this information from the
PAM module? I have tested gdm3, gnome-screensaver, xscreensaver, lightdm, and
xsecurelock and they are all able to handle displaying the text and input field
for the OTP string so I believe this should be possible with SDDM and
kscreenlocker_greet too.

Moreover, I see that SDDM has its own PAM config file at /etc/pam.d/sddm but
kscreenlocker_greet or kcheckpass does not (it just uses
/etc/pam.d/common-auth); ideally it would have a separate config file like
/etc/pam.d/kcheckpass as well.

Example /etc/pam.d/common-auth config file for the OpenOTP PAM module:
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so

auth    [success=1 default=ignore]      pam_openotp.so client_id="Neon"
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

Example /etc/pam.d/common-auth config file for the pam-u2f module:
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so

auth    [success=1 default=ignore]      pam_u2f.so sddm authfile=/home/user/u2f
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so


I would be happy to test patches for fixing this. Thanks!
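What the report asks of the greeter is a PAM conversation callback that answers prompts and displays PAM_TEXT_INFO / PAM_ERROR_MSG lines instead of stalling on them. The following is an added illustration, not code from kscreenlocker, kcheckpass or any KDE project: the PAM constants and structs are re-declared as stand-ins so it compiles without libpam, and struct greeter, greeter_conv, demo_openotp_exchange and the sample prompt sequence are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L  /* strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the Linux-PAM constants and structs from <security/pam_appl.h>,
 * so this builds without libpam; a real greeter includes that header instead. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1,
       PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* Hypothetical greeter state: answers queued for successive prompts (password,
 * then OTP) and a transcript of every info/error line the module asked to show. */
struct greeter { const char **answers; int nanswers, next; char shown[256]; };

/* Conversation callback in the shape libpam calls. Prompts are answered from the
 * queue; TEXT_INFO/ERROR_MSG lines are displayed (appended to the transcript)
 * rather than treated as a failure, which is where the report says the greeter hangs. */
int greeter_conv(int num_msg, const struct pam_message **msg,
                 struct pam_response **resp, void *appdata) {
    struct greeter *g = appdata;
    if (num_msg <= 0) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);  /* libpam frees it */
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_PROMPT_ECHO_OFF || style == PAM_PROMPT_ECHO_ON) {
            if (g->next >= g->nanswers || !(r[i].resp = strdup(g->answers[g->next++])))
                goto fail;                 /* no answer left, or out of memory */
        } else if (style == PAM_TEXT_INFO || style == PAM_ERROR_MSG) {
            size_t used = strlen(g->shown);
            snprintf(g->shown + used, sizeof g->shown - used, "%s\n", msg[i]->msg);
        } else goto fail;                  /* unknown style: fail cleanly, never hang */
    }
    *resp = r; return PAM_SUCCESS;
fail:
    for (int i = 0; i < num_msg; i++) free(r[i].resp);
    free(r); return PAM_CONV_ERR;
}

/* Constructed OpenOTP-style exchange: password prompt, info line, OTP prompt.
 * Returns the number of prompts answered (2) when every response came out right. */
int demo_openotp_exchange(void) {
    struct greeter g = { (const char *[]){ "hunter2", "123456" }, 2, 0, "" };
    const struct pam_message m[] = { { PAM_PROMPT_ECHO_OFF, "Password: " },
        { PAM_TEXT_INFO, "Insert your token now" }, { PAM_PROMPT_ECHO_OFF, "OTP: " } };
    const struct pam_message *mp[] = { &m[0], &m[1], &m[2] };
    struct pam_response *r = NULL;
    int ok = greeter_conv(3, mp, &r, &g) == PAM_SUCCESS && !r[1].resp
          && !strcmp(r[0].resp, "hunter2") && !strcmp(r[2].resp, "123456")
          && !strcmp(g.shown, "Insert your token now\n");
    if (r) { for (int i = 0; i < 3; i++) free(r[i].resp); free(r); }
    return ok ? g.next : -1;
}
```

A real greeter would render the transcript and prompt labels in its UI and collect the answers interactively instead of from a preset queue.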
