This may be a partial duplicate of #3. If you want to keep it as one issue, let me know and I can put what's below in a comment in #3.
TL;DR - Requesting support for pam-provided authenticator prompts
Setup
Fedora 30, Sway 1.2, Swaylock 1.4.1
Authentication Source: FreeIPA 4.5 with OTP enabled - SSSD (and pam_sss) client side
Normally, when authenticating through GDM, SSH, sudo, the GNOME lock screen, etc., it prompts and says "First Factor", and then once that is provided, it prompts for "Second factor (optional)". I believe this is achieved by a PAM conversation that allows the requester (in this case, swaylock?) to be told by PAM (and pam_sss) how or what to prompt for, based on the user provided (and some other conditions described below). How, in this case, SSSD handles it from there is pretty well described in their documentation.
Unfortunately, because it was identified by @martinetd that OTP will require some extra support, I don't think that swaylock is providing all of what PAM needs for this more advanced support.
Because I couldn't get sufficient debugging out of swaylock, I can't confirm that it's a PAM/OTP issue, but here is what I'm seeing below.
| Conditions | Prompts from GDM/SSH/etc. | Swaylock Results |
| --- | --- | --- |
| 1. IPA user with OTP enabled and can reach IPA server | First/Second factor prompts | failure to unlock |
| 2. IPA user with OTP previously enabled and now disabled, can reach IPA server | First/Second factor prompts | failure to unlock |
| 3. IPA user with OTP enabled and can not reach IPA server | only "Password" prompt (as SSSD would not be able to validate OTP) | successful unlock |
| 4. IPA user with OTP disabled | only "Password" prompt | successful unlock |
| 5. Local user | only "Password" prompt | successful unlock |
For condition 2, IPA/SSSD still shows the First/Second factor prompts; I have an email out to the IPA community on how to fix this. In this case, the user can normally leave the "Second Factor" prompt blank and authentication succeeds (when !swaylock).
Good news
I have an IPA instance that I'm happy to test/break for this effort. I think that Sway is really nice, but having a fully PAM-supported lock screen is a deal breaker.
Bad news
I haven't touched C in over a decade. I'm happy to test and build, but there likely won't be any pull requests from me. I understand that limits the usefulness, but I wanted to bring this issue to light just the same.
Other References
IPA v4 authentication indicators
freeBSD sample pam conversation
man 3 openpam_ttyconv
Please let me know if you need more detail, would like logs, or if anything needs clarification. Thanks for all the awesome work!