MATE Screensaver Doesn't Support One-Time Passwords
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
mate-screensaver (Ubuntu) | Expired | Undecided | Unassigned | |
Bug Description
Ubuntu 16.04.
I set up LightDM to require time-based one-time password and that is working. I get the code from the FreeOTP program on F-Droid for the Android phone and use that to login. I noticed the screensaver still expected a password. I configured the screensaver to require the same one-time password and, although the screensaver shows the prompt of "One-time password (OATH) for `jason':" it doesn't actually accept the code.
Here's how to reproduce this:
First install the packages libpam-oath and oathtool.
A seed is needed. The seed should be unique for every user. To make a seed:
head -10 /dev/urandom | sha512sum | cut -b 1-30
Edit or create /etc/users.oath and put in something like this:
HOTP/T30/6 jason - 0d0bfda66a84017
Replacing jason with your actual username and 0d0bfda66a84017
Edit the file /etc/pamd.d/lightdm and comment out the line:
@include common-auth
And add this line just above it:
auth required pam_oath.so usersfile=
Edit the file /etc/pamd.
auth required pam_oath.so usersfile=
You will need a way to generate one-time passwords. Either install FreeOTP on your phone from F-Droid or Google Play or install oathtool on another computer so that you can generate one-time codes.
If you're doing it from another computer you can just do:
oathtool --totp 0d0bfda66a84017
And it will provide you with the one-time password.
If you install FreeOTP from F-Droid or Google Play:
1. Tap on the key with a + sign in the top
2. In the first field that has name at domain enter some name that will help you remember what thing the password is for. It doesn't have to be an email address; it could be the system's hostname or whatever helps you remember.
3. The next field with a bunch of hex numbers seems to be required but its contents don't actually matter. I usually put the username here.
4. Go back to the computer and run oathtool --totp -v 0d0bfda66a84017
Notice the "-v" in the command this time. This is for verbose mode which will cause a Base32 secret to be printed out.
5. Enter the Base32 secret into FreeOTP
6. Leave everything else as is:
Type: OTP
Digits: 6
Algorithm: SHA1
Interval: 30
7. Tap Add
8. Tap on the new entry to get a one-time password.
9. Run oathtool --totp 0d0bfda66a84017
10. If the codes match, restart the computer. If they don't match, you messed up somewhere.
Once the computer restarts you should see that LightDM then prompts for the one-time password when logging in.
Once logged in, proceed to lock the screen. You should see that trying to unlock the screen prompts for a one-time password. Obtain a current password from FreeOTP and/or oathtool.
And you should see that, although LightDM accepts the one-time passwords, the MATE Screensaver does not. It always rejects them as if they're incorrect.
Once the MATE Screensaver is activated you should see that returning from it
Changed in mate-screensaver (Ubuntu):
status: New → Incomplete
tags: added: xenial
[Expired for mate-screensaver (Ubuntu) because there has been no activity for 60 days.]
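
An added example, not part of the original report or of any project it mentions: a small RFC 6238 checker that reads one line in the /etc/users.oath layout shown above, derives the Base32 secret that gets typed into FreeOTP, and computes the code for a given time, so the comparison in steps 9 and 10 can be reproduced without a phone. The function names are this example's own, and the seed is the RFC 6238 test key, used here as a constructed value.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample line in the users.oath layout shown above. The seed is
# the RFC 6238 test key (ASCII "12345678901234567890" in hex), not a real secret.
SAMPLE_LINE = "HOTP/T30/6 jason - 3132333435363738393031323334353637383930"

def parse_users_oath_line(line):
    """Split 'HOTP/T<step>/<digits> user pin hexseed' into usable fields."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("expected: type, user, pin, hex seed")
    kind, user, _pin, seed_hex = fields[:4]
    parts = kind.split("/")
    if len(parts) != 3 or parts[0] != "HOTP" or not parts[1].startswith("T"):
        raise ValueError("only time-based entries (HOTP/T<step>/<digits>) handled")
    if len(seed_hex) % 2:
        raise ValueError("hex seed needs an even number of digits")
    return {"user": user, "step": int(parts[1][1:]),
            "digits": int(parts[2]), "key": bytes.fromhex(seed_hex)}

def base32_secret(key):
    """Base32 form of the seed, the form typed into the phone app."""
    return base64.b32encode(key).decode("ascii")

def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def code_matches(line, candidate, unix_time):
    """True if candidate is the code for this entry at unix_time."""
    entry = parse_users_oath_line(line)
    expected = totp(entry["key"], unix_time, entry["step"], entry["digits"])
    return hmac.compare_digest(expected, candidate)

if __name__ == "__main__":
    import time
    entry = parse_users_oath_line(SAMPLE_LINE)
    print("Base32 secret:", base32_secret(entry["key"]))
    print("Current code :", totp(entry["key"], time.time(), entry["step"], entry["digits"]))
```

A seed with an odd number of hex digits, such as the 15-digit value displayed on this page, is rejected by this parser because it cannot be decoded to whole bytes.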