https://bugs.kde.org/show_bug.cgi?id=469684
Bug ID: 469684
Summary: KDE Polkit does not support Duo MFA
Classification: Plasma
Product: policykit-kde-agent-1
Version: unspecified
Platform: Debian stable
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected], [email protected], [email protected]
Target Milestone: ---
SUMMARY
MFA configured through the Duo security provider does not work with any KDE
Plasma components. This includes polkit calls from the desktop, as well as SDDM
during login.
STEPS TO REPRODUCE
1. Install Duo according to their instructions, either installing from a repo
or building from source: https://duo.com/docs/duounix
2. Configure /etc/duo/pam_duo.conf and /etc/duo/login_duo.conf with a current
ikey, skey, and API hostname
3. Configure /etc/pam.d/common-auth (or /etc/pam.d/system-auth and
/etc/pam.d/password-auth if RHEL-based) with the appropriate
/lib64/security/pam_duo.so call in accordance with Duo documentation:
https://duo.com/docs/duounix
OBSERVED RESULT
Duo works appropriately in a terminal, requiring the OTP from the user before
successfully authenticating, but fails in the graphical environment everywhere.
SDDM login simply fails with no reason, and polkit prompts do not work
properly.
EXPECTED RESULT
After a correct password is entered, a second text field is presented for the
OTP to complete Duo authentication, much like it's handled in GNOME and Xfce.
SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Debian 11
KDE Plasma Version: 4:5.20.5
ADDITIONAL INFORMATION
Happy to help reproduce if anyone is confused.