Bug 384331 - Cannot use PAM modules which send text back to kscreenlocker_greet
Status: RESOLVED WORKSFORME
Alias: None
Product: kscreenlocker
Classification: Plasma
Component: general
Version: 5.10.3
Platform: Neon Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Plasma Bugs List
Reported: 2017-09-04 02:02 UTC by Andrew
Modified: 2022-12-04 05:15 UTC
Description Andrew 2017-09-04 02:02:41 UTC
I'm trying to use a two-factor authentication PAM module on KDE Neon 5.10 but am running into trouble because SDDM does not support two-factor authentication (https://github.com/sddm/sddm/issues/784) and it seems like kscreenlocker_greet does not either. In particular, the OpenOTP PAM module (https://www.rcdevs.com/downloads/Integration+Plugins/) tries to have the display manager print a message (e.g. something like "Insert your token now") and also display an input password box where you can enter the OTP string. In both the case of SDDM and kscreenlocker_greet, this causes the login/unlock screen to hang because these systems don't know how to handle this request from PAM. I've tried out a different PAM module (https://developers.yubico.com/pam-u2f/) which does not try to display a message with the login/unlock screen and it works fine with both SDDM and kscreenlocker_greet, but I need to use the OpenOTP module which does try to interact with SDDM/kscreenlocker_greet. Do you have any advice on how to handle this situation with kscreenlocker_greet? Is there a way I can tell it to just ignore any such "display this text" messages from the PAM module and proceed with the login? Or, can it be configured to display this information from the PAM module? I have tested gdm3, gnome-screensaver, xscreensaver, lightdm, and xsecurelock and they are all able to handle displaying the text and input field for the OTP string so I believe this should be possible with SDDM and kscreenlocker_greet too.

Moreover, I see that SDDM has its own PAM config file at /etc/pam.d/sddm but kscreenlocker_greet or kcheckpass does not (it just uses /etc/pam.d/common-auth); ideally it would have a separate config file like /etc/pam.d/kcheckpass as well.

Example /etc/pam.d/common-auth config file for the OpenOTP PAM module:
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so

auth    [success=1 default=ignore]      pam_openotp.so client_id="Neon"
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

Example /etc/pam.d/common-auth config file for the pam-u2f module:
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so

auth    [success=1 default=ignore]      pam_u2f.so sddm authfile=/home/user/u2f
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so


I would be happy to test patches for fixing this. Thanks!
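
The `[success=1 default=ignore]` jumps in the stacks above are easy to misread, so the following added example (not part of the original report, and not KDE or Linux-PAM code) is a simplified Python model of auth-stack evaluation that lists which combinations of factor results authenticate. It assumes each module either succeeds or fails, that every bracketed control supplies `default`, and the names `parse_stack`, `authenticate` and `truth_table` are made up for this sketch.

```python
import itertools
import re
# Constructed input: the OpenOTP common-auth stack quoted in the report.
COMMON_AUTH = """\
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    [success=1 default=ignore]      pam_openotp.so client_id="Neon"
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""
# Keyword controls as bracket maps, reduced to success vs. any other result.
SHORTHAND = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
FIXED = {"pam_deny.so": False, "pam_permit.so": True}  # constant results

def parse_stack(text):
    stack = []  # list of (control_map, module) for each 'auth' line
    for line in text.splitlines():
        m = re.match(r"\s*auth\s+(?:\[([^\]]*)\]|(\S+))\s+(\S+)", line)
        if m:
            inner, keyword, module = m.groups()
            cmap = dict(kv.split("=") for kv in inner.split()) if inner else SHORTHAND[keyword]
            stack.append((cmap, module))
    return stack

def authenticate(stack, results):
    verdict, i = None, 0  # None: no module has voted yet
    while i < len(stack):
        cmap, module = stack[i]
        ok = {**results, **FIXED}[module]  # True = success, False = failure
        action = cmap.get("success", cmap["default"]) if ok else cmap["default"]
        if action.isdigit():
            i += int(action)  # jump over the next N modules without voting
        elif action in ("ok", "done") and verdict is not False:
            verdict = ok
        elif action in ("bad", "die"):
            verdict = False
        if action == "die" or (action == "done" and verdict):
            return bool(verdict)  # requisite-style stop / sufficient-style exit
        i += 1
    return verdict is True  # a stack where nothing voted does not authenticate

def truth_table(text, factors):
    combos = itertools.product([True, False], repeat=len(factors))
    return {c: authenticate(parse_stack(text), dict(zip(factors, c))) for c in combos}
```

`truth_table(COMMON_AUTH, ["pam_unix.so", "pam_openotp.so"])` returns `True` only for the combination in which both the password and the OTP module succeed.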
Comment 1 Totorux 2019-03-22 09:59:24 UTC
Hi,

Same problem/ask here with a Kubuntu 18.04

I tried with lightdm, but after the user locks his session, he can't log on to resume it.

If any idea while waiting for the devs...
Comment 2 Nate Graham 2022-11-04 20:31:30 UTC
Thank you for reporting this issue in KDE software. As it has been a while since this issue was reported, can we please ask you to see if you can reproduce the issue with a recent software version? Like Plasma 5.25, or ideally 5.26? I ask because 5.25 ushered in a lot of PAM changes and might have fixed this.
 
If you can reproduce the issue, please change the status to "CONFIRMED" when replying. Thank you!
Comment 3 Bug Janitor Service 2022-11-19 05:14:16 UTC
Dear Bug Submitter,

This bug has been in NEEDSINFO status with no change for at least
15 days. Please provide the requested information as soon as
possible and set the bug status as REPORTED. Due to regular bug
tracker maintenance, if the bug is still in NEEDSINFO status with
no change in 30 days the bug will be closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

If you have already provided the requested information, please
mark the bug as REPORTED so that the KDE team knows that the bug is
ready to be confirmed.

Thank you for helping us make KDE software even better for everyone!
Comment 4 Bug Janitor Service 2022-12-04 05:15:46 UTC
This bug has been in NEEDSINFO status with no change for at least
30 days. The bug is now closed as RESOLVED > WORKSFORME
due to lack of needed information.

For more information about our bug triaging procedures please read the
wiki located here:
https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging

Thank you for helping us make KDE software even better for everyone!