Hi Guix,

I'm being required to set up a 2FA application to create one-time-passwords for a self-managed Gitlab instance. The wrinkle is that I don't own a smartphone. Up until now I've been able to use 2FA over SMS for most systems I interact with, but Gitlab doesn't support this option. Instead, there is a hard requirement on using a dedicated application for this purpose.

The recommended choices are Google Authenticator and Microsoft Authenticator for either iOS or Android. Again, I don't have access to either of these operating systems, nor do I want to use these proprietary applications for (what should be) such a basic task.

In digging through the Guix package list, I found `authenticator`:

==========================================================================
name: authenticator
version: 3.32.2
outputs:
+ out: everything
systems: x86_64-linux
dependencies: desktop-file-utils@0.26 gettext-minimal@0.21 glib@2.70.2 gobject-introspection@1.66.1 gsettings-desktop-schemas@41.0 gtk+@3.24.30 libhandy@0.0.13
+ libsecret@0.20.5 pkg-config@0.29.2 python-beautifulsoup4@4.11.1 python-pillow@9.2.0 python-pyfavicon@0.1.1 python-pygobject@3.40.1 python-pyotp@2.7.0
+ python-pyzbar@0.1.8 python@3.9.9 yoyo-migrations@7.2.0 zbar@0.23.90
location: gnu/packages/gnome.scm:10394:2
homepage: https://gitlab.gnome.org/World/Authenticator/
license: GPL 3+
synopsis: Two-factor authentication application built for GNOME
description: Authenticator is a two-factor authentication (2FA) application built for the GNOME desktop environment.
+
+ Features:
+
+ * QR code scanner
+
+ * Beautiful UI
+
+ * Huge database of more than 560 supported services
+
+ * Keep your PIN tokens secure by locking the application with a password
+
+ * Automatically fetch an image for services using their favicon
+
+ * The possibility to add new services
==========================================================================

It looks like a reasonable FOSS option, so I tried it out via `guix shell`:

```
$ guix shell authenticator -- authenticator
```

Unfortunately, I just get a program crash and a stacktrace:

==========================================================================
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 59, in do_startup
    self._setup_actions()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 142, in _setup_actions
    Keyring.get_default().connect("notify::can-be-locked",
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 49, in get_default
    Keyring.instance = Keyring()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 44, in __init__
    self.props.can_be_locked = self.is_password_enabled() and self.has_password()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 136, in is_password_enabled
    state = Secret.password_lookup_sync(schema, {}, None)
gi.repository.GLib.GError: g-dbus-error-quark: The name org.freedesktop.secrets was not provided by any .service files (2)
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 77, in do_activate
    window = Window.get_default()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
    Window.instance = Window()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
    self.init_template('Window')
TypeError: <lambda>() takes 0 positional arguments but 1 was given
==========================================================================

The line that stuck out to me was this one:

```
gi.repository.GLib.GError: g-dbus-error-quark: The name org.freedesktop.secrets was not provided by any .service files (2)
```

A little web searching led me to understand that I need to have the `gnome-keyring` daemon running. (I wish that had been in the package documentation.)

Okay, so I reviewed the Guix manual, and I found this info:

==========================================================================
 -- Variable: gnome-keyring-service-type
     This is the type of the service that adds the GNOME Keyring (https://wiki.gnome.org/Projects/GnomeKeyring). Its value is a ‘gnome-keyring-configuration’ object (see below).

     This service adds the ‘gnome-keyring’ package to the system profile and extends PAM with entries using ‘pam_gnome_keyring.so’, unlocking a user’s login keyring when they log in or setting its password with passwd.

 -- Data Type: gnome-keyring-configuration
     Configuration record for the GNOME Keyring service.

     ‘keyring’ (default: ‘gnome-keyring’)
          The GNOME keyring package to use.

     ‘pam-services’
          A list of ‘(SERVICE . KIND)’ pairs denoting PAM services to extend, where SERVICE is the name of an existing service to extend and KIND is one of ‘login’ or ‘passwd’.

          If ‘login’ is given, it adds an optional ‘pam_gnome_keyring.so’ to the auth block without arguments and to the session block with ‘auto_start’. If ‘passwd’ is given, it adds an optional ‘pam_gnome_keyring.so’ to the password block without arguments.

          By default, this field contains “gdm-password” with the value ‘login’ and “passwd” is with the value ‘passwd’.
==========================================================================

As my next step, I added this service to my `operating-system` definition and rebuilt my machine with `sudo guix system reconfigure system.scm`:

```
(service gnome-keyring-service-type (gnome-keyring-configuration))
```

FYI, I'm using EXWM as my window manager.

After a reboot, I didn't see any new services running with `sudo herd status`, so I'm not entirely sure how to verify that the gnome-keyring-daemon is running and check its status. I tried `pgrep gnome-keyring` and got a PID back.

However, when I run `authenticator`, I just get exactly the same error again as above, indicating that the client application isn't able to talk to the DBUS service provided by `gnome-keyring`.

As a last-ditch effort, I tried creating another shell in which to start up the `gnome-keyring-daemon` manually.

```
$ guix shell gnome-keyring authenticator
$ gnome-keyring-daemon --start
** Message: 13:57:16.939: couldn't access control socket: /run/user/1000/keyring/control: No such file or directory
discover_other_daemon: 0SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
$ pgrep gnome
1727 gnome-keyring-d
$ authenticator
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 208, in _is_locked_changed
    Window.get_default().refresh_view()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
    Window.instance = Window()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
    self.init_template('Window')
TypeError: <lambda>() takes 0 positional arguments but 1 was given
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 77, in do_activate
    window = Window.get_default()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
    Window.instance = Window()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
    self.init_template('Window')
TypeError: <lambda>() takes 0 positional arguments but 1 was given
```

So...not great.

I got the sense from the first output message that `gnome-keyring` was somehow interacting badly with `ssh-agent`. The second piece of bad information is that `authenticator` is, of course, still crashing. Now it looks like it's talking to `gnome-keyring-daemon`, but it's throwing a new error related to a function call arity mistake:

```
TypeError: <lambda>() takes 0 positional arguments but 1 was given
```

AFAICT, this is an error in the `authenticator` application.

My question to the mailing list then is: "Does anyone else have any experience with setting up authenticator, the gnome-keyring service, or any other mechanism for 2FA on a Guix System desktop?"

Thanks in advance, folks.

~Gary

--
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
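
An added diagnostic, not part of the original message: `pgrep` only shows that a daemon process exists, whereas the error in the message concerns the D-Bus name `org.freedesktop.secrets`. This sketch asks the session bus whether that name is owned or activatable, using the bus driver's standard `NameHasOwner` and `ListActivatableNames` methods; the `DBUS_SEND` override and the status words are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): report whether the
# Secret Service name from the error message is reachable on the session bus.
NAME=org.freedesktop.secrets
DBUS_SEND=${DBUS_SEND:-dbus-send}   # assumption: overridable so the check can be stubbed

# Call a method on the bus driver itself and print the raw reply.
bus_call() {
    "$DBUS_SEND" --session --print-reply --dest=org.freedesktop.DBus \
        /org/freedesktop/DBus "org.freedesktop.DBus.$1" ${2:+"$2"}
}

# Prints one status word (names chosen for this example):
#   owned        a process (e.g. gnome-keyring-daemon) holds the name
#   activatable  no owner yet, but a .service file can start one on demand
#   absent       neither: clients fail with "was not provided by any .service files"
#   no-bus       the session bus could not be reached from this shell
#   no-tool      dbus-send is not in PATH
secret_service_status() {
    command -v "$DBUS_SEND" >/dev/null 2>&1 || { echo no-tool; return 0; }
    reply=$(bus_call NameHasOwner "string:$NAME" 2>/dev/null) \
        || { echo no-bus; return 0; }
    case $reply in
        *"boolean true"*) echo owned; return 0 ;;
    esac
    if bus_call ListActivatableNames 2>/dev/null | grep -q "\"$NAME\""; then
        echo activatable
    else
        echo absent
    fi
}

# The bus address is inherited from the environment, so print it alongside.
echo "DBUS_SESSION_BUS_ADDRESS=${DBUS_SESSION_BUS_ADDRESS:-<unset>}"
echo "$NAME: $(secret_service_status)"
```

Run it from the same shell (including inside `guix shell`) that starts `authenticator`, since the client reaches the keyring through whatever session bus that environment points at.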