https://bugs.kde.org/show_bug.cgi?id=384331
Bug ID: 384331 Summary: Cannot use PAM modules which send text back to kscreenlocker_greet Product: kscreenlocker Version: 5.10.3 Platform: Neon Packages OS: Linux Status: UNCONFIRMED Severity: normal Priority: NOR Component: kcheckpass Assignee: plasma-b...@kde.org Reporter: amar...@xes-inc.com CC: bhus...@gmail.com, mgraess...@kde.org Target Milestone: --- I'm trying to use a two-factor authentication PAM module on KDE Neon 5.10 but am running into trouble because SDDM does not support two-factor authentication (https://github.com/sddm/sddm/issues/784) and it seems like kscreenlocker_greet does not either. In particular, the OpenOTP PAM module (https://www.rcdevs.com/downloads/Integration+Plugins/) tries to have the display manager print a message (e.g. something like "Insert your token now") and also display an input password box where you can enter the OTP string. In both the case of SDDM and kscreenlocker_greet, this causes the login/unlock screen to hang because these systems don't know how to handle this request from PAM. I've tried out a different PAM module (https://developers.yubico.com/pam-u2f/) which does not try to display a message with the login/unlock screen and it works fine with both SDDM and kscreenlocker_greet, but I need to use the OpenOTP module which does try to interact with SDDM/kscreenlocker_greet. Do you have any advice on how to handle this situation with kscreenlocker_greet? Is there a way I can tell it to just ignore any such "display this text" messages from the PAM module and proceed with the login?Or, can it be configured to display this information from the PAM module? I have tested gdm3, gnome-screensaver, xscreensaver, lightdm, and xsecurelock and they are all able to handle displaying the text and input field for the OTP string so I believe this should be possible with SDDM and kscreenlocker_greet too. Moreover, I see that SDDM has its own PAM config file at /etc/pam.d/sddm but kscreenlocker_greet or kcheckpass does not (it just uses /etc/pam.d/common-auth); ideally it would have a separate config file like /etc/pam.d/kcheckpass as well. Example /etc/pam.d/common-auth config file for the OpenOTP PAM module: auth [success=1 default=ignore] pam_unix.so nullok_secure auth requisite pam_deny.so auth [success=1 default=ignore] pam_openotp.so client_id="Neon" auth requisite pam_deny.so auth required pam_permit.so Example /etc/pam.d/common-auth config file for the pam-u2fmodule: auth [success=1 default=ignore] pam_unix.so nullok_secure auth requisite pam_deny.so auth [success=1 default=ignore] pam_u2f.so sddm authfile=/home/user/u2f auth requisite pam_deny.so auth required pam_permit.so I would be happy to test patches for fixing this. Thanks! -- You are receiving this mail because: You are watching all bug changes.