MATE Screensaver Doesn't Support TOTP

Category:bug report

I set up LightDM to require a time-based one-time password and that is working. I get the code from the FreeOTP program on F-Droid and use that to log in. I noticed the screensaver still expects a password. I configured the screensaver to require the same TOTP and, although the screensaver shows the prompt of "One-time password (OATH) for `jason':" it doesn't actually accept the code.

Here's how to reproduce this:
First install the packages libpam-oath and oathtool.

A seed is needed. The seed should be unique for every user. To make a seed:
head -10 /dev/urandom | sha512sum | cut -b 1-30

Edit or create /etc/users.oath and put in something like this:

HOTP/T30/6 jason - 0d0bfda66a840172a51b39af18a55b

Replacing jason with your actual username and 0d0bfda66a840172a51b39af18a55b with whatever seed you generated. (Don't worry; this is not my actual seed; I generated a random one for this report.)

Edit the file /etc/pam.d/lightdm and comment out the line:
@include common-auth
And add this line just above it:
auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6

Edit the file /etc/pam.d/mate-screensaver and make a similar change: Comment out @include common-auth and add the line:
auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6

You will need a way to generate one-time passwords. Either install FreeOTP on your phone from F-Droid or install oathtool on another computer so that you can generate one-time codes.

If you're doing it from another computer you can just do:
oathtool --totp 0d0bfda66a840172a51b39af18a55b
And it will provide you with the one-time password.

If you install FreeOTP from F-Droid:
1. Tap on the key with a + sign in the top
2. In the first field that has name at domain enter some name that will help you remember what thing the password is for. It doesn't have to be an email address; it could be the system's hostname or whatever helps you remember.
3. The next field with a bunch of hex numbers seems to be required, but its contents don't actually matter. I usually put the username here.
4. Go back to the computer and run oathtool --totp -v 0d0bfda66a840172a51b39af18a55b
Notice the "-v" in the command this time. This is for verbose mode which will cause a Base32 secret to be printed out.
5. Enter the base32 secret into FreeOTP
6. Leave everything else as is:
Type: OTP
Digits: 6
Algorithm: SHA1
Interval: 30
7. Tap Add
8. Tap on the new entry to get a one-time password.
9. Run oathtool --totp 0d0bfda66a840172a51b39af18a55b and verify that the codes match.
10. If the codes match, restart the computer. If they don't match, you messed up somewhere.

Once the computer restarts you should see that LightDM then prompts for the one-time password when logging in.

Once logged in, if you go to the Trisquel menu and select Lock Screen you should see that trying to unlock the screen prompts for a one-time password where it says "One-time password (OATH) for `jason':"

And, although LightDM accepts the one-time passwords, the MATE Screensaver does not. It always rejects them as if they're incorrect.

Once the MATE Screensaver is activated you should see that returning from it
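
Added example, not part of the original post and not code from oathtool or FreeOTP: a small Python reimplementation of steps 4, 5 and 9 above, showing that the hex seed in /etc/users.oath and the Base32 secret typed into the phone are the same key bytes and so produce the same code. The function names are made up for this example, and match_offset assumes that window=30 counts 30-second steps on either side of the current time.

```python
import base64
import hashlib
import hmac
import struct

# Throwaway seed quoted in the report's /etc/users.oath line.
REPORT_SEED_HEX = "0d0bfda66a840172a51b39af18a55b"


def seed_to_base32(seed_hex):
    """Hex seed from users.oath -> Base32 secret typed into the phone app."""
    return base64.b32encode(bytes.fromhex(seed_hex)).decode("ascii")


def totp(key, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 (30 s step, 6 digits, as in HOTP/T30/6)."""
    counter = int(now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def secrets_match(seed_hex, base32_secret):
    """True when both encodings decode to the same key bytes."""
    phone_key = base64.b32decode(base32_secret.replace(" ", "").upper())
    return hmac.compare_digest(bytes.fromhex(seed_hex), phone_key)


def match_offset(key, code, now, window=30, step=30):
    """Return the step offset (0, +1, -1, ...) at which `code` is valid, or
    None. Assumes `window` counts time steps on either side of `now`."""
    for i in range(window + 1):
        for offset in ((0,) if i == 0 else (i, -i)):
            if hmac.compare_digest(totp(key, now + offset * step, step), code):
                return offset
    return None


if __name__ == "__main__":
    import time
    key = bytes.fromhex(REPORT_SEED_HEX)
    print("Base32 secret:", seed_to_base32(REPORT_SEED_HEX))
    print("Current code: ", totp(key, time.time()))
```

Under the stated assumption about window, window=30 with a 30-second step means a code stays acceptable for about 15 minutes either side of the server clock, which is worth weighing when choosing that value.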

Sat, 07/13/2019 - 21:54

Enable debug in both of the following places:

* "Trisquel menu" → "System" → "Preferences" → "Personal"/"User" → "Session applications". Edit the "screen locker" entry to have a command as follows: mate-screensaver --debug

* In both of "/etc/pam.d/lightdm" and "/etc/pam.d/mate-screensaver", by adding "debug" (without quotes) before "usersfile" in "auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6".

And the result in "~/.xsession-errors" file is like this:

--Begin of file--
[listener_service_deleted] gs-listener-dbus.c:1111 (16:13:23): DBUS service deleted:
[unfade_idle] gs-manager.c:1209 (16:13:23): resetting fade
[gs_fade_reset] gs-fade.c:877 (16:13:23): Resetting fade
[gs_manager_request_unlock] gs-manager.c:1943 (16:13:23): Request unlock but dialog is already up
[error_watch] gs-window-x11.c:1245 (16:13:23): command error output: [auth_message_handler] mate-screensaver-dialog.c:212 (16:13:23): Got message style 1: 'One-time password (OATH) for `adfeno': '

[gs_window_raise] gs-window-x11.c:912 (16:13:23): Raising screensaver window
[gs_window_xevent] gs-window-x11.c:984 (16:13:23): not raising our windows
[gs_window_xevent] gs-window-x11.c:984 (16:13:23): not raising our windows
[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(118)] called.

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(119)] flags 0 argc 4

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(121)] argv[0]=debug

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(121)] argv[1]=usersfile=/etc/users.oath

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(121)] argv[2]=window=30

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(121)] argv[3]=digits=6

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(122)] debug=1

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(123)] alwaysok=0

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(124)] try_first_pass=0

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(125)] use_first_pass=0

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath

[error_watch] gs-window-x11.c:1245 (16:13:23): command error output: [gs_lock_plug_enable_prompt] gs-lock-plug.c:1581 (16:13:23): Setting prompt to: One-time password (OATH) for `adfeno':

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(127)] digits=6

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:parse_cfg(128)] window=30

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: [pam_oath.c:pam_sm_authenticate(163)] get user returned: adfeno

[lock_command_watch] gs-window-x11.c:1832 (16:13:23): command output: WINDOW ID=62914590

[gs_window_xevent] gs-window-x11.c:984 (16:13:23): not raising our windows
[gs_window_xevent] gs-window-x11.c:969 (16:13:23): not raising our windows
[update_geometry] gs-window-x11.c:544 (16:13:23): got geometry for monitor 0: x=0 y=0 w=1366 h=768
[update_geometry] gs-window-x11.c:568 (16:13:23): using geometry for monitor 0: x=0 y=0 w=1366 h=768
[gs_window_move_resize_window] gs-window-x11.c:603 (16:13:23): Move and/or resize window on monitor 0: x=0 y=0 w=1366 h=768
[gs_window_xevent] gs-window-x11.c:984 (16:13:23): not raising our windows
[gs_window_xevent] gs-window-x11.c:969 (16:13:23): not raising our windows
[gs_window_xevent] gs-window-x11.c:969 (16:13:23): not raising our windows
[error_watch] gs-window-x11.c:1245 (16:13:33): command error output: [request_response] mate-screensaver-dialog.c:138 (16:13:33): got response: -2

[error_watch] gs-window-x11.c:1245 (16:13:33): command error output:

[error_watch] gs-window-x11.c:1245 (16:13:33): command error output: (mate-screensaver-dialog:3426): GLib-CRITICAL **: Source ID 29 was not found when attempting to remove it

[error_watch] gs-window-x11.c:1245 (16:13:33): command error output: [do_auth_check] mate-screensaver-dialog.c:291 (16:13:33): Verify user returned: FALSE

[error_watch] gs-window-x11.c:1245 (16:13:33): command error output: [do_auth_check] mate-screensaver-dialog.c:297 (16:13:33): Verify user returned error: Falha na autenticação.

[lock_command_watch] gs-window-x11.c:1832 (16:13:33): command output: [pam_oath.c:pam_sm_authenticate(238)] conv returned: 593762

[error_watch] gs-window-x11.c:1245 (16:13:33): command error output: [auth_check_idle] mate-screensaver-dialog.c:358 (16:13:33): Authentication failed, retrying (1)

[lock_command_watch] gs-window-x11.c:1832 (16:13:33): command output: [pam_oath.c:pam_sm_authenticate(302)] OTP: 593762

[lock_command_watch] gs-window-x11.c:1832 (16:13:33): command output: [pam_oath.c:pam_sm_authenticate(312)] authenticate rc -11 (OATH_NO_SUCH_FILE: The supplied filename does not exist) last otp Wed Dec 31 21:00:00 1969

[lock_command_watch] gs-window-x11.c:1832 (16:13:33): command output:

[lock_command_watch] gs-window-x11.c:1832 (16:13:33): command output: [pam_oath.c:pam_sm_authenticate(317)] One-time password not authorized to login as user 'adfeno'

[lock_command_watch] gs-window-x11.c:1832 (16:13:33): command output: [pam_oath.c:pam_sm_authenticate(333)] done. [Falha de autenticação]

[lock_command_watch] gs-window-x11.c:1832 (16:13:33): command output: NOTICE=AUTH FAILED
--End of file--

Sat, 07/13/2019 - 21:57

The authenticate rc/return code/error -11 (OATH_NO_SUCH_FILE) appears no matter which permissions are set for "/etc/users.oath".

Sat, 07/13/2019 - 23:58

Per the references in [1] and [2] (forgive me for the links to sites not so good in terms of freedom of the software), I think this is related to the package not having a "set user ID" (setuid/suid) executable to deal with the configuration file and the fact that "mate-screensaver" must be run on a per-user basis.

Also, running the following command tells me that no setuid file is provided:

dpkg -L oathtool liboath0 libpam-oath | sed '/\/\./d; /^$/d' | while read -r each_file; do if [[ -f "$each_file" ]]; then ls -l "$each_file"; fi; done

That gives the following result:

-- Start of output --
-rw-r--r-- 1 root root 3437 Mai 18 2015 /usr/share/doc/oathtool/copyright
-rw-r--r-- 1 root root 2929 Ago 2 2015 /usr/share/man/man1/oathtool.1.gz
-rwxr-xr-x 1 root root 48296 Ago 2 2015 /usr/bin/oathtool
lrwxrwxrwx 1 root root 19 Ago 2 2015 /usr/share/doc/oathtool/AUTHORS -> ../liboath0/AUTHORS
lrwxrwxrwx 1 root root 18 Ago 2 2015 /usr/share/doc/oathtool/README -> ../liboath0/README
lrwxrwxrwx 1 root root 19 Ago 2 2015 /usr/share/doc/oathtool/NEWS.gz -> ../liboath0/NEWS.gz
lrwxrwxrwx 1 root root 31 Ago 2 2015 /usr/share/doc/oathtool/changelog.Debian.gz -> ../liboath0/changelog.Debian.gz
-rw-r--r-- 1 root root 139 Mai 19 2015 /usr/share/doc/liboath0/AUTHORS
-rw-r--r-- 1 root root 1894 Mai 19 2015 /usr/share/doc/liboath0/README
-rw-r--r-- 1 root root 3437 Mai 18 2015 /usr/share/doc/liboath0/copyright
-rw-r--r-- 1 root root 5634 Jul 31 2015 /usr/share/doc/liboath0/NEWS.gz
-rw-r--r-- 1 root root 810 Ago 2 2015 /usr/share/doc/liboath0/changelog.Debian.gz
-rw-r--r-- 1 root root 80280 Ago 2 2015 /usr/lib/
lrwxrwxrwx 1 root root 16 Ago 2 2015 /usr/lib/ ->
-rw-r--r-- 1 root root 3437 Mai 18 2015 /usr/share/doc/libpam-oath/copyright
-rw-r--r-- 1 root root 14416 Ago 2 2015 /lib/security/
lrwxrwxrwx 1 root root 19 Ago 2 2015 /usr/share/doc/libpam-oath/AUTHORS -> ../liboath0/AUTHORS
lrwxrwxrwx 1 root root 18 Ago 2 2015 /usr/share/doc/libpam-oath/README -> ../liboath0/README
lrwxrwxrwx 1 root root 19 Ago 2 2015 /usr/share/doc/libpam-oath/NEWS.gz -> ../liboath0/NEWS.gz
lrwxrwxrwx 1 root root 31 Ago 2 2015 /usr/share/doc/libpam-oath/changelog.Debian.gz -> ../liboath0/changelog.Debian.gz
-- End of output --

Perhaps these are some of the ways out (although I did no tests of viability):

* Contribute to oathtool/oathtoolkit/liboath so that it comes with setuid files when needed (or instructs the user to do so manually if that is the case).
* Test if the configuration file must be setuid.