Login with password and google-authenticator in plasma

Hello, everyone.
I have installed Plasma in a VirtualBox machine; I would like the login procedure after boot to prompt for the google-authenticator code right after the password. I have done tests with Ubuntu and it works, but I find it difficult to transfer the procedure to Manjaro.
After installing and running google-authenticator, I modified

/etc/pam.d/system-login

which looks like this

auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
session    optional   pam_umask.so
-session   optional   pam_systemd.so
session required pam_env.so

by adding as the third line

auth required pam_google_authenticator.so

On the next reboot, at login, after first providing the password, the system tells me that the password is wrong, and I can no longer log in…
What to do?

Hi @Frank62,

While I’ve never attempted this, I can point you here. You might see something you’ve missed…

https://wiki.archlinux.org/title/Google_Authenticator

Hope this helps!

auth required pam_google_authenticator.so no_increment_hotp

instead of

auth required pam_google_authenticator.so

??? have you checked this link:

Recommended reading

https://wiki.archlinux.org/title/Google_Authenticator


I only need to use 2-way authentication for local login to the system, so I don’t need SSH. According to the wiki I just need to add the line

auth required pam_google_authenticator.so

in the file /etc/pam.d/login. But whatever its position, it has no effect. In addition, the file /etc/pam.d/gdm-password does not exist in Manjaro (according to the wiki).

Scratch this

That is a drop-in directory. For user customizations. AFAIK there should be nothing inside it by default, or shouldn’t even exist. So try creating it and then add the file…:

sudo mkdir /etc/pam.d/gdm-password

And then do the stuff. Or something. No, I don’t know the default contents.

Just noticed file and not directory.

That tells me, you probably don’t have Google Authenticator installed…

Edit:

Re-read the topic title and contents. Came across this:

…and since Plasma uses sddm, I’d say you’re stuffed…

:man_shrugging:

:sob:

Actually authentication works in manjaro-gnome. Too bad we can’t use it in plasma.

The phrase gdm points to a GNOME environment - you are all about Plasma?

I am quite sure you are doing something wrong here …

I am working with virtualbox machines …

Apparently you can get google-authenticator to work with Plasma with a method suggested by a post referenced by @Mirdarthos. Reading that post to the end, a solution is suggested. I modified the file

/etc/pam.d/system-login

in the following way

auth       required pam_google_authenticator.so forward_pass
auth      [success=1 default=ignore]      pam_unix.so  try_first_pass
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth


account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
session    optional   pam_umask.so
-session   optional   pam_systemd.so
session    required   pam_env.so

Adding only the first two lines from the suggestion in the post. Now the login is done like this: if “AAAA” is the password and “BBBB” is the code provided by the authenticator, at login you have to type

AAAABBBB

and the login is successful.
I’m doing some testing now to see if it works in many cases.

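An added example, not part of any post in the thread: a small Python check of the auth stack from the final /etc/pam.d/system-login above. It confirms that a forward_pass line is followed by a pam_unix.so line that reuses the forwarded password, and reports which modules a [success=N] jump skips. The function names, the six-digit code length and the sample password are assumptions made for illustration.

```python
import re

# Constructed sample: the auth lines of the final system-login shown in the thread.
SAMPLE = """\
auth       required pam_google_authenticator.so forward_pass
auth      [success=1 default=ignore]      pam_unix.so  try_first_pass
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth
"""

# type, control (plain word or [bracketed] form), module, remaining arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth(text):
    """Return [(control, module, [args])] for every 'auth' line."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = LINE.match(line)
        if m and m.group(1) == "auth":
            stack.append((m.group(2), m.group(3), m.group(4).split()))
    return stack

def lint(stack):
    """Check this file only; 'include' lines are not followed."""
    findings = []
    for i, (control, module, args) in enumerate(stack):
        if module == "pam_google_authenticator.so" and "forward_pass" in args:
            # forward_pass hands the password part to the next password module
            later = next((s for s in stack[i + 1:] if s[1] == "pam_unix.so"), None)
            if later is None or not {"use_first_pass", "try_first_pass"} & set(later[2]):
                findings.append("forward_pass: no later pam_unix.so line has use_first_pass/try_first_pass")
        jump = re.search(r"success=(\d+)", control)
        if jump:  # success=N skips the next N modules in the stack
            skipped = [s[1] for s in stack[i + 1:i + 1 + int(jump.group(1))]]
            findings.append(f"{module} success={jump.group(1)} skips: {', '.join(skipped)}")
    return findings

def split_token(token, digits=6):
    """Model of the single prompt: password first, code last (6 digits assumed)."""
    return token[:-digits], token[-digits:]

if __name__ == "__main__":
    print(lint(parse_auth(SAMPLE)), split_token("AAAA123456"))
```

On the thread's file the only finding is that a successful pam_unix.so jumps over pam_shells.so, so the shell check never runs for a correct password.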