MATE Screensaver Doesn't Support TOTP

Category: bug report

I set up LightDM to require time-based one-time password and that is working. I get the code from the FreeOTP program on F-Droid and use that to login. I noticed the screensaver still expects a password. I configured the screensaver to require the same TOTP and, although the screensaver shows the prompt of "One-time password (OATH) for `jason':" it doesn't actually accept the code.

Here's how to reproduce this:
First install the packages libpam-oath and oathtool.

A seed is needed. The seed should be unique for every user. To make a
seed: head -10 /dev/urandom | sha512sum | cut -b 1-30

Edit or create /etc/users.oath and put in something like this:

HOTP/T30/6 jason - 0d0bfda66a840172a51b39af18a55b

Replacing jason with your actual username and 0d0bfda66a840172a51b39af18a55b with whatever seed you generated. (Don't worry; this is not my actual seed; I generated a random one for this report.)

Edit the file /etc/pam.d/lightdm and comment out the line:
@include common-auth
And add this line just above it:
auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6

Edit the file /etc/pam.d/mate-screensaver and make a similar change: Comment out @include common-auth and add the line:
auth required pam_oath.so usersfile=/etc/users.oath window=30 digits=6

You will need a way to generate one-time passwords. Either install FreeOTP on your phone from F-Droid or install oathtool on another computer so that you can generate one-time codes.

If you're doing it from another computer you can just do:
oathtool --totp 0d0bfda66a840172a51b39af18a55b
And it will provide you with the one-time password.

If you install FreeOTP from F-Droid:
1. Tap on the key with a + sign at the top
2. In the first field that has name at domain enter some name that will help you remember what thing the password is for. It doesn't have to be an email address; it could be the system's hostname or whatever helps you remember.
3. The next field with a bunch of hex numbers seems to be required, but its contents don't actually matter. I usually put the username here.
4. Go back to the computer and run oathtool --totp -v 0d0bfda66a840172a51b39af18a55b
Notice the "-v" in the command this time. This is for verbose mode which will cause a Base32 secret to be printed out.
5. Enter the base32 secret into FreeOTP
6. Leave everything else as is:
Type: OTP
Digits: 6
Algorithm: SHA1
Interval: 30
7. Tap Add
8. Tap on the new entry to get a one-time password.
9. Run oathtool --totp 0d0bfda66a840172a51b39af18a55b and verify that the codes match.
10. If the codes match, restart the computer. If they don't match, you messed up somewhere.

Once the computer restarts you should see that LightDM then prompts for the one-time password when logging in.

Once logged in, if you go to the Trisquel menu and select Lock Screen you should see that trying to unlock the screen prompts for a one-time password where it says "One-time password (OATH) for `jason':"

And, although LightDM accepts the one-time passwords, the MATE Screensaver does not. It always rejects them as if they're incorrect.

Once the MATE Screensaver is activated you should see that returning from it
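Editor's note, added to the report: the reproduction steps above lean on oathtool and FreeOTP as black boxes. The example below is not part of the original report and is not code from FreeOTP, oath-toolkit or pam_oath; it re-implements the RFC 4226/6238 arithmetic those tools share so you can see what the seed in /etc/users.oath, the Base32 secret that `oathtool --totp -v` prints, the six-digit code, and the PAM `window=30` option actually correspond to. It reuses the throwaway seed and the username `jason` from the report; `verify()` is a hypothetical model of the module's check (assumption: the window is searched on both sides of the current time step), not pam_oath's own code.

```python
"""
Added example (not from the original report, FreeOTP or oath-toolkit):
the RFC 4226/6238 arithmetic behind the /etc/users.oath setup described above.
"""
import base64
import hashlib
import hmac
import struct
import time

# Throwaway seed quoted in the report (the author says it is not a real one).
SEED_HEX = "0d0bfda66a840172a51b39af18a55b"
USER = "jason"
STEP = 30      # "T30" in the users.oath line, "Interval: 30" in FreeOTP
DIGITS = 6     # "/6" in the users.oath line, "digits=6" in the PAM line


def users_oath_line(user: str, seed_hex: str, step: int = STEP, digits: int = DIGITS) -> str:
    """Entry format used in /etc/users.oath in the report (HOTP/T<step>/<digits>)."""
    return f"HOTP/T{step}/{digits} {user} - {seed_hex}"


def hex_seed_to_base32(seed_hex: str) -> str:
    """Same key, Base32-encoded: what `oathtool --totp -v` prints and FreeOTP expects."""
    return base64.b32encode(bytes.fromhex(seed_hex)).decode("ascii")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_hex: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with T0 = 0: HOTP over the number of elapsed time steps."""
    return hotp(bytes.fromhex(seed_hex), at // step, digits)


def verify(seed_hex: str, submitted: str, at: int, window: int,
           last_step: int = -1, step: int = STEP, digits: int = DIGITS):
    """Hypothetical server-side check modelled on a PAM-style verifier
    (assumption: `window` is searched on both sides of the current step).
    Returns the matched step so the caller can store it and refuse replays,
    or None when no step in the window produces the submitted code."""
    key = bytes.fromhex(seed_hex)
    now = at // step
    for delta in range(-window, window + 1):
        candidate = now + delta
        if candidate < 0 or candidate <= last_step:   # before epoch, or already used
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    print(users_oath_line(USER, SEED_HEX))
    print("Base32 secret for FreeOTP:", hex_seed_to_base32(SEED_HEX))
    now = int(time.time())
    code = totp(SEED_HEX, now)
    print("Current code (compare with `oathtool --totp`):", code)
    print("Accepted at step:", verify(SEED_HEX, code, now, window=30))
```

Two practical caveats that follow from this: the seed in /etc/users.oath is the whole credential (anyone who can read the file can compute every future code, exactly as the script does), so the file should be owned by root and not world-readable; and because the module records the last accepted step in that same file to block replays, it also has to be writable by whichever process performs the check. Keep that in mind when comparing a login manager that runs as root against an unlock dialog that does not.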