Public bug reported:

Ubuntu 16.04.

I set up LightDM to require a time-based one-time password and that is
working. I get the code from the FreeOTP program on F-Droid for the
Android phone and use that to log in. I noticed the screensaver still
expected a password. I configured the screensaver to require the same
one-time password and, although the screensaver shows the prompt
"One-time password (OATH) for `jason':", it doesn't actually accept the
code.

Here's how to reproduce this:
First install the packages libpam-oath and oathtool.

A seed is needed. The seed should be unique for every user. To make a seed:
head -10 /dev/urandom | sha512sum | cut -b 1-30

Edit or create /etc/users.oath and put in something like this:

HOTP/T30/6 jason - 0d0bfda66a840172a51b39af18a55b

Replacing jason with your actual username and
0d0bfda66a840172a51b39af18a55b with whatever seed you generated. (Don't
worry; this is not my actual seed; I generated a random one for this
report.)

Edit the file /etc/pam.d/lightdm and comment out the line:
@include common-auth
And add this line just above it:
auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6

Edit the file /etc/pam.d/mate-screensaver and make a similar change: comment
out @include common-auth and add the line:
auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6

You will need a way to generate one-time passwords. Either install
FreeOTP on your phone from F-Droid or Google Play, or install oathtool on
another computer so that you can generate one-time codes.

If you're doing it from another computer you can just do:
oathtool --totp 0d0bfda66a840172a51b39af18a55b
And it will provide you with the one-time password.

If you install FreeOTP from F-Droid or Google Play:
1. Tap on the key with a + sign at the top.
2. In the first field, which reads "name at domain", enter some name that will help you remember what thing the password is for. It doesn't have to be an email address; it could be the system's hostname or whatever helps you remember.
3. The next field, with a bunch of hex numbers, seems to be required but its contents don't actually matter. I usually put the username here.
4. Go back to the computer and run:
oathtool --totp -v 0d0bfda66a840172a51b39af18a55b
Notice the "-v" in the command this time. This is for verbose mode, which will cause a Base32 secret to be printed out.
5. Enter the Base32 secret into FreeOTP.
6. Leave everything else as is:
Type: OTP
Digits: 6
Algorithm: SHA1
Interval: 30
7. Tap Add.
8. Tap on the new entry to get a one-time password.
9. Run oathtool --totp 0d0bfda66a840172a51b39af18a55b and verify that the codes match.
10. If the codes match, restart the computer. If they don't match, you messed up somewhere.
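To see what oathtool and FreeOTP are computing from that users.oath entry, here is an added Python example (it is not part of the bug report, of pam_oath or of oathtool) that parses the entry line, derives the Base32 form of the seed that step 4 prints for FreeOTP, and generates and verifies RFC 6238 codes with a drift window. The users.oath line is constructed from the report's throwaway seed, and the +/- window check is a simplification of pam_oath's own window handling, not its exact behaviour.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample entry in the /etc/users.oath format shown in the report
# (same throwaway seed as the report, not a real secret).
USERS_OATH_LINE = "HOTP/T30/6 jason - 0d0bfda66a840172a51b39af18a55b"

def parse_users_oath(line):
    """Parse '<type>[/T<step>][/<digits>] <user> <pin> <hexseed>' into a dict."""
    spec, user, pin, hexseed = line.split()
    step, digits = None, 6              # bare 'HOTP' means event-based, 6 digits
    for part in spec.split("/")[1:]:
        if part.startswith("T"):
            step = int(part[1:])        # 'T30' -> 30-second time step (TOTP)
        else:
            digits = int(part)
    return {"user": user, "pin": pin, "step": step, "digits": digits,
            "secret": bytes.fromhex(hexseed)}

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)

def base32_secret(secret):
    """Base32 form of the seed, the value 'oathtool -v' prints for entry into FreeOTP."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")

def verify(entry, code, at=None, window=1):
    """Accept a code from any step within +/- window steps of 'at' (clock drift)."""
    at = time.time() if at is None else at
    counter = int(at) // entry["step"]
    return any(hmac.compare_digest(hotp(entry["secret"], c, entry["digits"]), code)
               for c in range(counter - window, counter + window + 1))

if __name__ == "__main__":
    entry = parse_users_oath(USERS_OATH_LINE)
    print("Base32 secret for FreeOTP:", base32_secret(entry["secret"]))
    print("Current code:", totp(entry["secret"], time.time(), entry["step"], entry["digits"]))
```

Comparing the printed code against FreeOTP and against oathtool --totp is the same three-way check as step 9; if all three agree, a rejection by the screensaver is not a seed or clock problem.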

Once the computer restarts you should see that LightDM then prompts for
the one-time password when logging in.

Once logged in, proceed to lock the screen. You should see that trying
to unlock the screen prompts for a one-time password. Obtain a current
password from FreeOTP and/or oathtool.

And you should see that, although LightDM accepts the one-time
passwords, the MATE Screensaver does not. It always rejects them as if
they're incorrect.

Once the MATE Screensaver is activated you should see that returning
from it

** Affects: mate-screensaver (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1784255

Title:
  MATE Screensave Doesn't Support One-Time Passwords

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mate-screensaver/+bug/1784255/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
