Bug 51207

Summary: It is impossible to unlock screen when 2FA is enabled via FIDO2 with Yubikey
Product: Sisyphus Reporter: Constantin <constacalm>
Component: kscreenlockerAssignee: Sergey V Turchin <zerg>
Status: REOPENED --- QA Contact: qa-sisyphus
Severity: normal    
Priority: P5 CC: mcpain, zerg
Version: unstable   
Hardware: x86_64   
OS: Linux   

Description Constantin 2024-08-20 11:21:01 MSK 
It seems that is impossible to unlock screen using kscreenlocker in Plasma KDE6, when Yubikey (Rutoken MFA) is using as second auth factor.

Steps to reproduce:

1. Install U2F/FIDO2 PAM module:

apt-get install pam_u2f

2. Insert Yubikey (or Rutoken MFA), and initialize auth key for every user, who needs MFA:

cd && pamu2fcfg > key

3. Make system-wide auth config file, and insert user's auth information into it:

# cd && mkdir -vp /etc/U2F
# cat ./key > /etc/U2F/u2f_keys
# echo -e >> /etc/U2F/u2f_keys
# cat /home/<username>/key >> /etc/U2F/u2f_keys
# echo -e /etc/U2F/u2f_keys
... repeat two last commands for every user, who needs MFA...
# chmod 755 /etc/U2F
# chmod 644 /etc/U2F/u2f_keys (it is possible to make more restricitive rights for Gnome\GDM, i.e 640, but not for KDE\sddm)
# chown -R root:root /etc/U2F

4. Configure system-wide PAM file /etc/pam.d/system-auth-common, adding there 2FA:

#%PAM-1.0
#account required pam_access.so
auth required pam_u2f.so authfile=/etc/U2F/u2f_keys cue [cue_prompt=Checking MFA]
session required pam_mktemp.so
session required pam_limits.so

5. Expected result:

Users need to make password auth as first factor, and Yubikey/Rutoken MFA as second factor in every entry point (tty/graphical DM/unlock screen via graphical locker or vlock/su/sudo/polkit, etc...)

6. Real result:

Unlocking graphical session is impossible in KDE6 Plasma.
In Gnome\GDM or KDE5 -- there are no such problems

6.
Comment 1 Constantin 2024-08-23 10:31:01 MSK 
Fixed in versions:

kscreenlocker-common-6.1.4-alt3.noarch
kscreenlocker-6.1.4-alt3.x86_64
libkscreenlocker6-6.1.4-alt3.x86_64

Thank you.
Comment 2 Constantin 2024-09-15 16:09:14 MSK 
Now, after last update in versions: 

kscreenlocker-common-6.1.5-alt2.noarch
libkscreenlocker6-6.1.5-alt2.x86_64
kscreenlocker-6.1.5-alt2.x86_64

kscreenlocker locks and unlocks screen successfully, but only one auth factor (password) needs to unlock screen. System is not even asks for second factor (FIDO2\U2F via Yubikey/Rutoken MFA), but in /etc/pam.d/system-auth-common I still have:

#%PAM-1.0
#account                required        pam_access.so
auth required pam_u2f.so authfile=/etc/U2F/u2f_keys cue [cue_prompt=MFA checking...]
session         required        pam_lastlog.so nowtmp
session         required        pam_mktemp.so
session         required        pam_limits.so
Comment 3 Олег Соловьев 2024-09-16 11:11:36 MSK 
(In reply to Constantin from comment #2)
> Now, after last update in versions: 
> 
> kscreenlocker-common-6.1.5-alt2.noarch
> libkscreenlocker6-6.1.5-alt2.x86_64
> kscreenlocker-6.1.5-alt2.x86_64

What if you add
> auth            include         system-auth-common
ontop of /etc/pam.d/kde?

Old version was behaving perfectly with Yubikey but it sometimes stuck on "Unlock" button after `control system-auth fprintd` since interactive (password) worker asks for fingerprint first, receives "success" and stucks due an upstream bug: https://bugs.kde.org/show_bug.cgi?id=485520
Comment 4 Constantin 2024-09-16 20:29:22 MSK 
> What if you add
> > auth            include         system-auth-common
> ontop of /etc/pam.d/kde?

Yes, I've just added that string exactly ontop of /etc/pam.d/kde, and it solves the problem. It seems to me, that maybe kscreenlocker also use /etc/pam.d/kde instead(?) of it's own /etc/pam.d/kde6-screenlocker? 'Cause I've already got this in /etc/pam.d/kde6-screenlocker:

#%PAM-1.0
auth            sufficient      pam_succeed_if.so user ingroup nopasswdlogin
auth            include         system-auth
auth            include         system-auth-common

Btw, you can ask Alexey Shabalin for Yubikey\RutokenMFA to test for yourself probably. I gave him these tokens last spring several months ago.
Comment 5 Олег Соловьев 2024-09-17 10:51:34 MSK 
(In reply to Constantin from comment #4)
> Yes, I've just added that string exactly ontop of /etc/pam.d/kde, and it
> solves the problem. It seems to me, that maybe kscreenlocker also use
> /etc/pam.d/kde instead(?) of it's own /etc/pam.d/kde6-screenlocker? 'Cause

/etc/pam.d/kde is owned by kscreenlocker, you can drop /etc/pam.d/kde6-screenlocker now.
Comment 6 Constantin 2024-09-17 10:53:54 MSK 
> /etc/pam.d/kde is owned by kscreenlocker, you can drop
> /etc/pam.d/kde6-screenlocker now.

Ok. Thank you.
Comment 7 Constantin 2024-09-24 12:31:11 MSK 
I made a mistake when checking this option for /etc/pam.d/kde:

> auth            include         system-auth-common

When this option is set, only right Yubikey presence is checking. I.e. I made a mistake in my password, and only Yubikey is enough to unlock screen. Then I continiuos checking, and now I see, I don't need to enter password at all, only second factor is enough.