469684 – KDE Polkit does not support Duo MFA

Bug 469684 - KDE Polkit does not support Duo MFA

Summary: KDE Polkit does not support Duo MFA

Status:	REPORTED

Alias:	None

Product:	policykit-kde-agent-1
Classification:	Plasma
Component:	general (other bugs)
Version First Reported In:	unspecified
Platform:	Debian stable Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Unassigned bugs

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-05-12 23:32 UTC by samz
Modified:	2024-11-11 23:08 UTC (History)
CC List:	4 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description samz 2023-05-12 23:32:57 UTC

SUMMARY
***
MFA configured through the Duo security provider does not work with any KDE Plasma components. This includes polkit calls from the desktop, as well as SDDM during login.
***


STEPS TO REPRODUCE
1. Install Duo according to their instructions, either installing from a repo or building from source: https://duo.com/docs/duounix
2. Configure /etc/duo/pam_duo.conf and /etc/duo/login_duo.conf with a current ikey, skey, and api hostname
3. Configure /etc/pam.d/common-auth (or /etc/pam.d/system-auth and /etc/pam.d/password-auth if RHEL-based) with the appropriate /lib64/security/pam_duo.so call in accordance with Duo documentation: https://duo.com/docs/duounix

OBSERVED RESULT
Duo works appropriately in a terminal, requiring the OTP from the user before successfully authenticating, but fails in the graphical environment everywhere. SDDM login simply fails with no reason, and polkit prompts do not work properly.

EXPECTED RESULT
After a correct password is entered, a second text field is presented for the OTP to complete Duo authentication, much like it's handled in Gnome and XFCE.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Debian 11
(available in About System)
KDE Plasma Version: 4:5.20.5

ADDITIONAL INFORMATION
Happy to help reproduce if anyone is confused.

Comment 1 samz 2023-06-06 21:36:37 UTC

Has anyone had a moment to look at this? I can't be the only one with this problem, I would imagine.

Comment 2 Alexander Schaap 2024-11-11 23:08:08 UTC

This bug also applies to Ubuntu 22.04.5, where I installed kubuntu-desktop. Interestingly, the "Authorization Required - PolicyKit1 KDE Agent" dialog will ask for the Duo PIN when the correct password is provided, but there is no text field to enter it into, making it impossible to complete any task that requires it. Conversely, the lock screen does not ask for the Duo PIN, simply unlocking when the correct password is provided. I can also confirm it works correctly in the console, and in GNOME. I did not try SDDM.

KDE Plasma Version: 5.24.7
KDE Frameworks Version: 5.92.0
Qt Version: 5.15.3
Kernel Version: 6.8.0-47-generic (64-bit)
Graphics Platform: X11
Processors: 22 × Intel® Core™ Ultra 7 155H
Memory: 31.0 GiB of RAM
Graphics Processor: Mesa Intel® Arc