
#1 2019-07-15 09:57:03

nmiculinic
Member
Registered: 2015-12-25
Posts: 63

2FA Display/login manager

Hey,

Is there a feature supporting 2FA authentication on the simple desktop login?

We're talking TOTP, YubiKey mostly. My plan is to have a LUKS encrypted hard disk, mess around with TPM to unlock the LUKS key and verify the boot loader/etc., and then open the login prompt where I have to use some 2FA method to gain access.

Windows' BitLocker uses TPM under the hood... thus I hope this setup should be safe enough until Arch boots up? Instead of entering the LUKS key manually every time, and having the 2FA as an additional security measure.

Whilst researching, all I found was securing SSH access using those methods, not pure desktop login.

Thanks,
Neven


#2 2019-07-15 11:58:50

Lone_Wolf
Forum Moderator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,922

Re: 2FA Display/login manager

PAM heavily relies on files in /etc/pam.d/.
Apart from setting up the 2FA authentication, telling PAM to use it for a specific service should be doable.

https://wiki.archlinux.org/index.php/Go … henticator has an example of how to use Google Authenticator for logins.

A quick peek at https://wiki.archlinux.org/index.php/Yu … n_with_SSH suggests that the same method may work for YubiKey.
Just put the entries in /etc/pam.d/login instead of /etc/pam.d/sshd.

DISCLAIMER:
I'm a PAM newbie, double-check.
And keep an Arch Linux install ISO ready in case you block yourself from logging in.

Last edited by Lone_Wolf (2019-07-15 11:59:15)


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B) && (time C > time B) ≠ (A works at time C)


#3 2019-07-15 12:03:31

Nickolas0
Member
Registered: 2019-02-16
Posts: 30

Re: 2FA Display/login manager


#4 2019-07-15 16:27:59

nmiculinic
Member
Registered: 2015-12-25
Posts: 63

Re: 2FA Display/login manager

https://wiki.archlinux.org/index.php/Display_manager

Hmmm... ok, I guess most graphical display managers don't support 2FA (e.g. GDM, LightDM).

But stuff like cdm and tbsm, which are started after the user logs in... they don't really care how the user logged in. Then I can reuse all the same tricks as for SSH login.

For some reason cdm has some issues; tbsm seems to work fine with GNOME & i3. I guess that's the simplest way to go.


#5 2019-07-15 16:49:59

Nickolas0
Member
Registered: 2019-02-16
Posts: 30

Re: 2FA Display/login manager

Every display manager uses PAM, and you can add the PAM modules I mentioned to any display manager's PAM config. Anyway, I recommend reading about those things a little to avoid jumping on a footgun.

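The PAM stacking described in posts #2 and #5, as an added configuration example that is not from the thread or the Arch wiki. It assumes google-authenticator-libpam is installed and that the target file is /etc/pam.d/login (for a display manager it would be that manager's own file under /etc/pam.d/, which you should confirm with `ls /etc/pam.d`); the `system-local-login` include is the stack Arch ships, other distros name theirs differently.

```pam
# /etc/pam.d/login  (constructed example; merge into your distro's existing stack)
#%PAM-1.0

auth       requisite  pam_nologin.so
# First factor: the normal password stack shipped by the distro.
auth       include    system-local-login
# Second factor: TOTP code checked against ~/.google_authenticator.
# "required" means the whole auth stack fails unless the code is valid,
# and omitting "nullok" means a user who never enrolled a secret is refused
# instead of silently skipping the second factor.
auth       required   pam_google_authenticator.so
#
# The footgun version of the same line, for comparison (do NOT use):
#   auth  required  pam_google_authenticator.so nullok
# With nullok, any account without ~/.google_authenticator logs in on the
# password alone, so the second factor is only enforced for users who opted in.

account    include    system-local-login
session    include    system-local-login
```

While testing, keep a root shell open on a second tty until a fresh login on another tty has succeeded, so a mistake in this file cannot lock you out before it is reverted.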

#6 2019-07-15 16:56:02

nmiculinic
Member
Registered: 2015-12-25
Posts: 63

Re: 2FA Display/login manager

Hmmmm, PAM is used for user login. But after I've logged in I can use tbsm, can't I?

I haven't tried with more complex login methods, but after reaching the login console, I enter my credentials. Until now I've just typed `startx` and i3 would start (there's an exec in .xinitrc). Now I type tbsm and I get the multiple options I have installed: GNOME, GNOME Wayland, i3, ...


#7 2019-07-15 17:27:09

Nickolas0
Member
Registered: 2019-02-16
Posts: 30

Re: 2FA Display/login manager

After you're logged in you have access to all your files, so any authentication before starting the DE is completely pointless. The login part is where you want to use 2FA, not after that. You can activate a screen lock (with 2FA) in your DE to protect it while you're away (however, the security of those varies).

Last edited by Nickolas0 (2019-07-15 17:32:00)


#8 2019-07-15 17:28:47

nmiculinic
Member
Registered: 2015-12-25
Posts: 63

Re: 2FA Display/login manager

That's right, and that's exactly what I'll do with the usual tty... I guess systemd starts getty or something? The DE is just picking the right desktop environment, booting up the X server/Wayland and initializing the session.
