#1 2024-02-09 21:27:03

Chris2000SP
Member
Registered: 2023-11-21
Posts: 7

[SOLVED] KDE Kscreenlocker with pam-u2f didn't work

Hello,

I made a bug report at kde.org with this:
https://bugs.kde.org/show_bug.cgi?id=481143

Please read the report.

I managed to get it running with lightdm to log in with fido2, but with kscreenlocker it didn't work.

Did I do it wrong?

Last edited by Chris2000SP (2024-02-15 18:24:34)


#2 2024-02-15 18:28:12

Chris2000SP
Member
Registered: 2023-11-21
Posts: 7

Re: [SOLVED] KDE Kscreenlocker with pam-u2f didn't work

I have found the issue. I had 2 keys in the key file. That didn't work. I solved it by putting 2 lines in the pam.d file with "sufficient" and "required" and two different key files. With this it works with two different Fido2 sticks.

EDIT: And Kscreenlocker had no bug. That was my own fault.

Cheers

Last edited by Chris2000SP (2024-02-15 18:29:38)


#3 2024-04-20 14:22:44

raprism
Member
Registered: 2024-04-20
Posts: 1

Re: [SOLVED] KDE Kscreenlocker with pam-u2f didn't work

If 2 keys are in a single line (with matching user entry) as described in the pam_u2f docs, it works to have only one key file. But only if the key file is configured per user (e.g. with authfile=./.u2f_key). Then openasuser is the default mode! And this works in /etc/pam.d/kde:

auth       sufficient                  pam_u2f.so authfile=./.u2f_key

I haven't tried the system-wide configuration with a world-readable key mapping file, but if the system-wide key file is set up in the normal way (only root access) without any extra options, then this fails:

auth       sufficient                  pam_u2f.so authfile=/etc/u2f_mappings

It may not work, because the screen locker does not have sufficient rights to access a root-only readable file.

This was found by trial and error. At least I didn't find it in the Arch Wiki or somewhere else.

#4 2024-04-20 18:16:54

libertepourmoi
Member
Registered: 2022-03-26
Posts: 3

Re: [SOLVED] KDE Kscreenlocker with pam-u2f didn't work

Well, 2 keys, in a single line, as described in pam_u2f docs, in a system-wide configuration file, and referenced in one line in /etc/pam.d/kde is what works on my system in order to unlock the screen lock by touching the key. With either key, they're treated the same.

The only difference I see to the second scenario described above in #3 is that my mappings file is not restricted to root access, as I have 644 permissions on it.

Edit: I just tried and changed perms to 640. Doesn't work then. So, it is down to the file being world-readable for this to work.

Last edited by libertepourmoi (2024-04-20 18:24:20)
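
Added example, not code from any of the posters or from pam_u2f: a small checker for the two conditions the thread converges on, namely that all of a user's keys sit on one line of the mapping file and that a system-wide file is readable by the unprivileged screen locker. The function names and the sample file contents are constructed, and the line layout (`user:keyhandle,publickey,...:keyhandle,publickey,...`) is assumed from the pam_u2f documentation.

```python
import os
import stat
import tempfile
from collections import Counter


def write_sample(text, mode):
    """Create a constructed mapping file with the given permission bits."""
    fd, path = tempfile.mkstemp(prefix="u2f_mappings_")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def audit_authfile(path, system_wide=True):
    """Return findings for a pam_u2f mapping file (hypothetical helper)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Post #4: a system-wide file at 640 failed in the locker, 644 worked.
    if system_wide and not mode & stat.S_IROTH:
        findings.append(f"mode {mode:03o}: not world-readable")
    seen = Counter()
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line:
                continue
            user, _, rest = line.partition(":")
            creds = [c for c in rest.split(":") if c]
            seen[user] += 1
            if not user or not creds:
                findings.append(f"line {lineno}: missing user or credential")
            for cred in creds:
                # Each credential is at least "keyhandle,publickey".
                if len([f for f in cred.split(",") if f]) < 2:
                    findings.append(f"line {lineno}: malformed credential")
    for user, count in seen.items():
        if count > 1:
            findings.append(f"user {user}: {count} lines, expected one")
    return findings


if __name__ == "__main__":
    one_line = "alice:KH1,PK1,es256,+presence:KH2,PK2,es256,+presence\n"
    path = write_sample(one_line, 0o644)
    print(audit_authfile(path) or "ok")
    os.remove(path)
```

Pass `system_wide=False` for a per-user file such as the `./.u2f_key` setup in #3, where the file is opened as the user and the world-readable check does not apply.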
