It seems that it is impossible to unlock the screen using kscreenlocker in Plasma KDE6 when a Yubikey (Rutoken MFA) is used as the second auth factor.

Steps to reproduce:

1. Install the U2F/FIDO2 PAM module:
   apt-get install pam_u2f

2. Insert the Yubikey (or Rutoken MFA), and initialize the auth key for every user who needs MFA:
   cd && pamu2fcfg > key

3. Make a system-wide auth config file, and insert the users' auth information into it:
   # cd && mkdir -vp /etc/U2F
   # cat ./key > /etc/U2F/u2f_keys
   # echo -e >> /etc/U2F/u2f_keys
   # cat /home/<username>/key >> /etc/U2F/u2f_keys
   # echo -e >> /etc/U2F/u2f_keys
   ... repeat the two last commands for every user who needs MFA ...
   # chmod 755 /etc/U2F
   # chmod 644 /etc/U2F/u2f_keys
   (it is possible to set more restrictive rights for Gnome\GDM, i.e. 640, but not for KDE\sddm)
   # chown -R root:root /etc/U2F

4. Configure the system-wide PAM file /etc/pam.d/system-auth-common, adding 2FA there:
   #%PAM-1.0
   #account required pam_access.so
   auth required pam_u2f.so authfile=/etc/U2F/u2f_keys cue [cue_prompt=Checking MFA]
   session required pam_mktemp.so
   session required pam_limits.so

5. Expected result: users need to do password auth as the first factor, and Yubikey/Rutoken MFA as the second factor at every entry point (tty/graphical DM/unlock screen via graphical locker or vlock/su/sudo/polkit, etc.)

6. Real result: unlocking the graphical session is impossible in KDE6 Plasma. In Gnome\GDM or KDE5 there are no such problems.
Fixed in versions:

kscreenlocker-common-6.1.4-alt3.noarch
kscreenlocker-6.1.4-alt3.x86_64
libkscreenlocker6-6.1.4-alt3.x86_64

Thank you.
Now, after the last update in versions:

kscreenlocker-common-6.1.5-alt2.noarch
libkscreenlocker6-6.1.5-alt2.x86_64
kscreenlocker-6.1.5-alt2.x86_64

kscreenlocker locks and unlocks the screen successfully, but only one auth factor (password) is needed to unlock the screen. The system does not even ask for the second factor (FIDO2\U2F via Yubikey/Rutoken MFA), but in /etc/pam.d/system-auth-common I still have:

#%PAM-1.0
#account required pam_access.so
auth required pam_u2f.so authfile=/etc/U2F/u2f_keys cue [cue_prompt=MFA checking...]
session required pam_lastlog.so nowtmp
session required pam_mktemp.so
session required pam_limits.so
(In reply to Constantin from comment #2)
> Now, after last update in versions:
>
> kscreenlocker-common-6.1.5-alt2.noarch
> libkscreenlocker6-6.1.5-alt2.x86_64
> kscreenlocker-6.1.5-alt2.x86_64

What if you add

auth include system-auth-common

on top of /etc/pam.d/kde?

The old version was behaving perfectly with the Yubikey, but it sometimes got stuck on the "Unlock" button after `control system-auth fprintd`, since the interactive (password) worker asks for the fingerprint first, receives "success" and gets stuck due to an upstream bug: https://bugs.kde.org/show_bug.cgi?id=485520
> What if you add
>
> auth include system-auth-common
>
> on top of /etc/pam.d/kde?

Yes, I've just added that string exactly on top of /etc/pam.d/kde, and it solves the problem. It seems to me that maybe kscreenlocker also uses /etc/pam.d/kde instead(?) of its own /etc/pam.d/kde6-screenlocker? 'Cause I've already got this in /etc/pam.d/kde6-screenlocker:

#%PAM-1.0
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
auth include system-auth
auth include system-auth-common

Btw, you can probably ask Alexey Shabalin for a Yubikey\RutokenMFA to test for yourself. I gave him these tokens last spring, several months ago.
(In reply to Constantin from comment #4)
> Yes, I've just added that string exactly on top of /etc/pam.d/kde, and it
> solves the problem. It seems to me that maybe kscreenlocker also uses
> /etc/pam.d/kde instead(?) of its own /etc/pam.d/kde6-screenlocker? 'Cause

/etc/pam.d/kde is owned by kscreenlocker, you can drop /etc/pam.d/kde6-screenlocker now.
> /etc/pam.d/kde is owned by kscreenlocker, you can drop
> /etc/pam.d/kde6-screenlocker now.

Ok. Thank you.
I made a mistake when checking this option for /etc/pam.d/kde:

> auth include system-auth-common

When this option is set, only the presence of the right Yubikey is checked. I.e. I made a mistake in my password, and only the Yubikey is enough to unlock the screen. Then I continued checking, and now I see that I don't need to enter the password at all; only the second factor is enough.
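Both the kde6-screenlocker stack quoted in comment #4 and the last comment's observation (a wrong password still unlocks once the include is placed first) come down to PAM control-flag ordering: a factor is only enforced when its line is `required`/`requisite`, and a `sufficient` line that succeeds ends the stack before anything below it is asked for. The following POSIX shell checker is an added example, not code from this bug report, kscreenlocker or the ALT packages. It flattens an `auth` stack (following `include`/`substack` lines relative to a constructed temporary directory that stands in for /etc/pam.d, so it runs offline), then reports whether pam_unix and pam_u2f are each enforced and which `sufficient` modules sit before them. The `system-auth` file is a constructed stand-in for the distribution's password stack, and `kde-weak` is a constructed illustration of a stack that behaves like the last comment describes; it is not the real /etc/pam.d/kde, whose contents are not shown in this thread.

```shell
#!/bin/sh
# Added example, not part of the bug report: flatten a PAM "auth" stack and
# report whether both factors are actually enforced.  PAM_DIR is a constructed
# sandbox standing in for /etc/pam.d so the script runs offline.
PAM_DIR="$(mktemp -d)"

# Constructed stand-in for the distribution's password stack.
cat > "$PAM_DIR/system-auth" <<'EOF'
auth required pam_unix.so
EOF

# The U2F line as posted in the bug report.
cat > "$PAM_DIR/system-auth-common" <<'EOF'
#%PAM-1.0
auth required pam_u2f.so authfile=/etc/U2F/u2f_keys cue [cue_prompt=Checking MFA]
EOF

# The kde6-screenlocker stack as posted in comment #4.
cat > "$PAM_DIR/kde6-screenlocker" <<'EOF'
#%PAM-1.0
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
auth include system-auth
auth include system-auth-common
EOF

# Constructed weak stack (NOT the real /etc/pam.d/kde): the token is required,
# but the password line is only "sufficient" after it, so a wrong password is
# ignored once pam_u2f has already succeeded.
cat > "$PAM_DIR/kde-weak" <<'EOF'
auth include system-auth-common
auth sufficient pam_unix.so
EOF

# flatten_auth NAME: print "<control> <module>" for every auth line of
# $PAM_DIR/NAME, expanding "auth include/substack" recursively.  Bracketed
# control syntax ([success=1 ...]) is left as-is and counts as neither
# required nor sufficient.
flatten_auth() {
    awk -v dir="$PAM_DIR" '
        function expand(name,   f, line, w) {
            f = dir "/" name
            while ((getline line < f) > 0) {
                sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
                if (line == "") continue
                split(line, w, /[ \t]+/)
                if (w[1] != "auth") continue
                if (w[2] == "include" || w[2] == "substack") expand(w[3])
                else print w[2], w[3]
            }
            close(f)
        }
        BEGIN { expand(ARGV[1]); exit }
    ' "$1"
}

# mfa_check NAME: one-line verdict.  A factor counts as enforced only when its
# control is required/requisite; "sufficient" lines placed before the later of
# the two factors are listed as bypass paths, because a success there ends the
# stack before the remaining factor is asked for.
mfa_check() {
    flatten_auth "$1" | awk '
        { ctrl[NR] = $1; mod[NR] = $2 }
        END {
            pw = 0; u2f = 0
            for (i = 1; i <= NR; i++) {
                enforced = (ctrl[i] == "required" || ctrl[i] == "requisite")
                if (enforced && mod[i] == "pam_unix.so" && !pw) pw = i
                if (enforced && mod[i] == "pam_u2f.so" && !u2f) u2f = i
            }
            last = (pw > u2f) ? pw : u2f
            bypass = ""
            for (i = 1; i < last; i++)
                if (ctrl[i] == "sufficient")
                    bypass = bypass (bypass == "" ? "" : ",") mod[i]
            printf "password=%s u2f=%s bypass=%s\n",
                   (pw ? "yes" : "no"), (u2f ? "yes" : "no"),
                   (bypass == "" ? "none" : bypass)
        }'
}

for stack in kde6-screenlocker kde-weak system-auth-common; do
    printf '%-20s %s\n' "$stack" "$(mfa_check "$stack")"
done
```

Run as-is to see the three verdicts. The kde6-screenlocker stack reports both factors enforced, with pam_succeed_if.so listed as the only bypass (which is the intended nopasswdlogin exemption); the constructed kde-weak stack reports `password=no`, which is exactly the symptom the last comment describes and is what to look for when auditing the real /etc/pam.d/kde.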