Authentication Fails with Verification Based Two Factor Authentication

pucheGit commented 5 years ago

I'm submitting a…

[X] Bug
[X] Feature Request
[ ] Other (Please describe in detail)

Current Behavior

I use two factor authentication provided by libpam-google-authenticator, which provides two factor authentication verification codes. When using i3lock, I do not get prompted to input my verification code, nor am I able to login as verification always fails. The error appears in auth.log as i3lock(pam_google_authenticator)[27098]: Invalid verification code for XXXX. Although I believe this is likely considered a new feature, I labeled it as a bug as well because it breaks the functionality of i3lock in its current implementation.

Expected Behavior

i3lock should allow multiple inputs to PAM, as well as provide feedback if the password is accepted, so you know that it is time to input the verification code.

Reproduction Instructions

Enable libpam-google-authenticator in /etc/pam.d/common-session (If you would like further details on this I can provide them, but it is a straightforward process with numerous online guides, so I left the specifics out for brevity).
Create Verification Codes by running google-authenticator
Attempt to use i3lock

Environment

Output of i3lock --version:

i3lock: version 2.12-3-gf6e0218 (2019-09-27, branch "master") © 2010 Michael Stapelberg

wlhlm commented 4 years ago

Does using password stacking work?

Chan-PH commented 4 years ago

Does using password stacking work?

It appears not working on my end. Does anyone here have any solution pertaining to this?

Robert-L-Turner commented 3 years ago

Same issue here and password stacking does not work. Not sure if its relevant but I actually get two errors:

[rturner@SSDarchlinux ~]$ journalctl | grep i3lock | tail -2
Jan 07 21:48:51 SSDarchlinux i3lock[3895]: pam_unix(i3lock:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=rturner
Jan 07 21:48:51 SSDarchlinux i3lock[3895]: pam_systemd_home(i3lock:auth): Not a user managed by systemd-homed: No home for user rturner known

I guess on the positive side I can lock with i3lock, and then to unlock I can swap to another tty, log in with 2FA OTP and killall i3lock to get back into the session.

Is this specific to i3lock or an issue across with how (all?) lock screens interact with PAM?

https://wiki.archlinux.org/index.php/Talk:Systemd-homed

stapelberg commented 2 years ago

Better PAM support is tracked in https://github.com/i3/i3lock/issues/217

i3 / i3lock