Issues with Plasma Lockscreen and pam_u2f: Unlock needed for each monitor?
Hi all,

this has been annoying me for several months/years and I always forgot to open up a bug report:

I am using pam_u2f to unlock my Plasma/KDE lock screen using a U2F device (the predecessor of FIDO).

```
# /etc/pam.d/kde
#%PAM-1.0
auth sufficient pam_u2f.so openasuser
[...]
```

Works like a charm with sudo.

Works like a charm with the lockscreen, if the laptop is not connected to an external monitor.

Works with two external monitors connected, but it seems I need to go through the "press U2F device and click the 'unlock' button" process for each monitor. In my case, three times. Sometimes it seems to be enough to just have 2 of each, however: Once should be enough.

This looks like a bug in Plasma, but what component should the bug be opened against?

Anyone else experiencing the same?

(I am not sure if this also explains why the fingerprint sensor is not working in plasma unlocking, but works for sudo, but that might be another story)

Kind Regards,
Johannes

--
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: kastl@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg
http://www.b1-systems.de
Managing Director: Ralph Dehner
Registered office: Vohburg / District court: Ingolstadt, HRB 3537
Hi Johannes,

On Wednesday, 23 November 2022, 08:54:40 CET, Johannes Kastl wrote:
Hi all,
this has been annoying me for several months/years and I always forgot to open up a bug report:
-ENOBOO# mentioned ;-)

Non working fingerprint sensor is worth another one of course.

Cheers,
Pete

--
Life without chameleons is possible, but pointless.
Hi Pete,

On 24.11.22 at 17:29 Hans-Peter Jansen wrote:
On Wednesday, 23 November 2022, 08:54:40 CET, Johannes Kastl wrote:
Hi all,
this has been annoying me for several months/years and I always forgot to open up a bug report:
-ENOBOO# mentioned ;-)
My question was, against which component/program I should open the bug report? :-)

---cite---
This looks like a bug in Plasma, but what component should the bug be opened against?
---/cite---
Non working fingerprint sensor is worth another one of course.
Same question :-)

Johannes
Hi Johannes,

On Thursday, 24 November 2022, 18:52:19 CET, Johannes Kastl wrote:
Hi Pete,
On 24.11.22 at 17:29 Hans-Peter Jansen wrote:
On Wednesday, 23 November 2022, 08:54:40 CET, Johannes Kastl wrote:
Hi all,
this has been annoying me for several months/years and I always forgot to open up a bug report:
-ENOBOO# mentioned ;-)
My question was, against which component/program I should open the bug report? :-)
I would report this issue against KDE Workspace. It looks like u2f integration in kscreenlocker is lacking here. Probably a pam_u2f issue, but less likely.
---cite---
This looks like a bug in Plasma, but what component should the bug be opened against?
---/cite---
Non working fingerprint sensor is worth another one of course.
Same question :-)
Start with checking https://fprint.freedesktop.org/supported-devices.html. If your device is supported, file a bug report against Basesystem.

Excuse my all too brief and incomplete reply, but the topic interests me very much in principle.

Best,
Pete
Hi Pete,

On 25.11.22 at 11:56 Hans-Peter Jansen wrote:
I would report this issue against KDE Workspace. It looks like u2f integration in kscreenlocker is lacking here. Probably a pam_u2f issue, but less likely.
Thanks! Here it is: BOO#1205768 https://bugzilla.opensuse.org/show_bug.cgi?id=1205768
Non working fingerprint sensor is worth another one of course.
Start with checking https://fprint.freedesktop.org/supported-devices.html. If your device is supported, file a bug report against Basesystem.
As it works for sudo but does not work for Plasma unlocking, I'll also report against KDE Workspace.
Excuse my all too brief and incomplete reply, but the topic interests me very much in principle.
No problem. Have a nice weekend!

Kind Regards,
Johannes
On Wed, Nov 23, 2022 at 4:54 AM Johannes Kastl <kastl@b1-systems.de> wrote:
Hi all,
this has been annoying me for several months/years and I always forgot to open up a bug report:
I am using pam_u2f to unlock my Plasma/KDE lock screen using a U2F device (the predecessor of FIDO).
This is one of those things.. that require a lot of additional work to be ready for primetime, I personally believe FIDO2 stuff needs to be a first-level, working by default authentication protocol for future distributions.. Windows hello already has it. maybe we need systemd-hellod :-)

The first thing is one official pam upstream module, reviewed by pam developers, as I am not really convinced this pam_u2f module is very well tested or accounts for all corner cases.. then all the scary GUI stuff :-)

So far ain't nobody got the money to pay for all this to be done it seems :-)
Hi Cristian,

On 26.11.22 at 14:28 Cristian Rodríguez wrote:
On Wed, Nov 23, 2022 at 4:54 AM Johannes Kastl <kastl@b1-systems.de> wrote:
I am using pam_u2f to unlock my Plasma/KDE lock screen using a U2F device (the predecessor of FIDO).
This is one of those things.. that require a lot of additional work to be ready for primetime, I personally believe FIDO2 stuff needs to be a first-level, working by default authentication protocol for future distributions.. Windows hello already has it. maybe we need systemd-hellod :-)
I agree that it would be nice if this would be better known, as it is really a nice feature. Especially as FIDO/U2F are also a nice 2nd factor for lots of websites already.
The first thing is one official pam upstream module, reviewed by pam developers, as I am not really convinced this pam_u2f module is very well tested or accounts for all corner cases.. then all the scary GUI stuff :-)
I cannot say anything regarding the quality of the code both in pam_u2f and the plasma lockscreen integration. In my case it seems like it is just a minor thing, as the "unlock" routine seems to be called once for each monitor.

Kind Regards,
Johannes
participants (3)
- Cristian Rodríguez
- Hans-Peter Jansen
- Johannes Kastl