Bug 964677 - mate-screensaver fails to unlock with multiple factor authentication in pam.
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: mate-screensaver
Version: 18
Severity: medium
Assigned To: Dan Mashal
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2013-05-19 09:23 EDT by William Brown
Modified: 2015-07-18 09:02 EDT
Doc Type: Bug Fix
Last Closed: 2013-09-12 15:21:23 EDT
Type: Bug
Description William Brown 2013-05-19 09:23:46 EDT
Description of problem:
With two factor authentication, such as pam_yubico along with pam_unix, mate-screensaver fails to unlock the display. Disabling the second factor, the screen unlocks. 


How reproducible:
Always

Steps to Reproduce:
1. Configure two factor authentication
2. Lock screen
3. Attempt to unlock
  
Actual results:
Cannot unlock display

Expected results:
Should be able to unlock display.

Additional info:

[gs_manager_request_unlock] gs-manager.c:1918 (14:30:44):	 Request unlock but dialog is already up
[error_watch] gs-window-x11.c:1122 (14:30:44):	 command error output: [auth_message_handler] mate-screensaver-dialog.c:209 (14:30:44):	 Got message style 1: 'Yubikey for `william': '

[gs_window_raise] gs-window-x11.c:788 (14:30:44):	 Raising screensaver window
[gs_window_xevent] gs-window-x11.c:860 (14:30:44):	 not raising our windows
[gs_window_xevent] gs-window-x11.c:860 (14:30:44):	 not raising our windows
[lock_command_watch] gs-window-x11.c:1688 (14:30:44):	 command output: WINDOW ID=54525982

[error_watch] gs-window-x11.c:1122 (14:30:44):	 command error output: [gs_lock_plug_enable_prompt] gs-lock-plug.c:1310 (14:30:44):	 Setting prompt to: Yubikey for `william': 

[gs_window_xevent] gs-window-x11.c:845 (14:30:44):	 not raising our windows
[update_geometry] gs-window-x11.c:454 (14:30:44):	 got geometry for monitor 0: x=0 y=0 w=1680 h=1050
[update_geometry] gs-window-x11.c:467 (14:30:44):	 using geometry for monitor 0: x=0 y=0 w=1680 h=1050
[gs_window_move_resize_window] gs-window-x11.c:500 (14:30:44):	 Move and/or resize window on monitor 0: x=0 y=0 w=1680 h=1050
[gs_window_xevent] gs-window-x11.c:860 (14:30:44):	 not raising our windows
[gs_window_xevent] gs-window-x11.c:845 (14:30:44):	 not raising our windows
[gs_window_xevent] gs-window-x11.c:845 (14:30:44):	 not raising our windows
[error_watch] gs-window-x11.c:1122 (14:30:48):	 command error output: [request_response] mate-screensaver-dialog.c:135 (14:30:48):	 got response: -2

[error_watch] gs-window-x11.c:1122 (14:30:48):	 command error output: [auth_message_handler] mate-screensaver-dialog.c:209 (14:30:48):	 Got message style 1: 'Password: '

[error_watch] gs-window-x11.c:1122 (14:30:48):	 command error output: [gs_lock_plug_enable_prompt] gs-lock-plug.c:1310 (14:30:48):	 Setting prompt to: Password:

[error_watch] gs-window-x11.c:1122 (14:30:50):	 command error output: [request_response] mate-screensaver-dialog.c:135 (14:30:50):	 got response: -2

[error_watch] gs-window-x11.c:1122 (14:30:53):	 command error output: [do_auth_check] mate-screensaver-dialog.c:288 (14:30:53):	 Verify user returned: FALSE

[lock_command_watch] gs-window-x11.c:1688 (14:30:53):	 command output: NOTICE=AUTH FAILED
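Added example, not part of the original report and not mate-screensaver code: a Python sketch that reduces a `mate-screensaver --debug` log to the PAM conversation (each prompt paired with the response that followed it) and the final verdict. The sample lines are the auth-related lines copied from the log above; the function names are this example's own.

```python
import re

# Auth-related lines copied from the debug log in the description above.
SAMPLE = """\
[error_watch] gs-window-x11.c:1122 (14:30:44):\t command error output: [auth_message_handler] mate-screensaver-dialog.c:209 (14:30:44):\t Got message style 1: 'Yubikey for `william': '
[error_watch] gs-window-x11.c:1122 (14:30:48):\t command error output: [request_response] mate-screensaver-dialog.c:135 (14:30:48):\t got response: -2
[error_watch] gs-window-x11.c:1122 (14:30:48):\t command error output: [auth_message_handler] mate-screensaver-dialog.c:209 (14:30:48):\t Got message style 1: 'Password: '
[error_watch] gs-window-x11.c:1122 (14:30:50):\t command error output: [request_response] mate-screensaver-dialog.c:135 (14:30:50):\t got response: -2
[error_watch] gs-window-x11.c:1122 (14:30:53):\t command error output: [do_auth_check] mate-screensaver-dialog.c:288 (14:30:53):\t Verify user returned: FALSE
[lock_command_watch] gs-window-x11.c:1688 (14:30:53):\t command output: NOTICE=AUTH FAILED
"""

# One alternative per event of interest; the timestamp is the one directly before it.
EVENT = re.compile(
    r"\((?P<time>\d\d:\d\d:\d\d)\):\s+(?:"
    r"Got message style \d+: '(?P<prompt>.*)'"
    r"|got response: (?P<response>-?\d+)"
    r"|Verify user returned: (?P<verify>TRUE|FALSE)"
    r"|command output: (?P<result>NOTICE=AUTH FAILED|RESPONSE=OK))"
)

def conversation(log):
    """Pair each prompt with the response that follows it; collect the verdict."""
    summary = {"exchanges": [], "verify": None, "result": None}
    for line in log.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue  # window-management lines carry no auth information
        if m["prompt"] is not None:
            summary["exchanges"].append(
                {"prompt": m["prompt"].strip(), "asked": m["time"], "answered": None})
        elif m["response"] is not None:
            pending = [e for e in summary["exchanges"] if e["answered"] is None]
            if pending:
                pending[0]["answered"] = m["time"]
        elif m["verify"] is not None:
            summary["verify"] = m["verify"] == "TRUE"
        else:
            summary["result"] = m["result"]
    return summary

def unanswered(summary):
    """Prompts the dialog displayed but never returned a response for."""
    return [e["prompt"] for e in summary["exchanges"] if e["answered"] is None]
```

On the sample, both prompts were displayed and answered before the verify step returned FALSE.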
Comment 1 Dan Mashal 2013-05-24 01:38:10 EDT
Please provide steps to configure two step auth
Comment 2 William Brown 2013-05-24 21:59:11 EDT
Install pam_yubico

MAKE SURE YOU LEAVE A ROOT TTY OPEN TO UNDO THE PAM CHANGES IF NEEDED

into /etc/pam.d/system-auth-ac:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
#### ADD THE LINE BELOW
auth        required pam_yubico.so id=1 alwaysok=1 
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

You should now get a screensaver prompt that asks for two factors of authentication. The first will always succeed no matter what you type (due to the alwaysok option).
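Added example, not part of the comment above and not libpam code: a simplified Python model of how the `required`, `sufficient` and `requisite` control flags decide the result of the auth stack from the comment. The per-module outcomes passed in are assumed inputs, and the model covers only these three flags.

```python
# Auth stack as posted in the comment above.
STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required pam_yubico.so id=1 alwaysok=1
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""

# Assumed baseline: pam_env succeeds, pam_deny always fails.
BASE = {"pam_env.so": True, "pam_deny.so": False}

def parse(stack):
    """Return (control, module, args) for each non-comment line."""
    entries = []
    for line in stack.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        entries.append((fields[1], fields[2], fields[3:]))
    return entries

def evaluate(entries, outcomes):
    """Walk the stack; return (authenticated, modules_consulted)."""
    results = {**BASE, **outcomes}
    required_failed = False
    status = False
    consulted = []
    for control, module, args in entries:
        # Per the comment, alwaysok=1 makes pam_yubico succeed whatever is typed.
        ok = True if "alwaysok=1" in args else results.get(module, False)
        consulted.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, consulted   # success ends the stack here
            continue                     # a failing 'sufficient' module is ignored
        if not ok:
            if control == "requisite":
                return False, consulted  # failure ends the stack here
            required_failed = True       # 'required': keep going, final result fails
        else:
            status = True
    return status and not required_failed, consulted
```

In this model a correct password is enough for the stack to succeed while `alwaysok=1` is set, and a successful `pam_fprintd.so` returns before `pam_yubico.so` is consulted at all.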
Comment 3 Wolfgang Ulbrich 2013-08-09 18:44:54 EDT
You should fill out an issue report at https://github.com/mate-desktop/mate-screensaver for this to notify upstream.
Comment 4 Wolfgang Ulbrich 2013-09-12 15:21:23 EDT
OK, since there has been no reaction from the user for 4 months, feel free to post here if it happens again; I will re-open the report in this case.
Comment 5 James Boyle 2015-07-16 10:50:36 EDT
Occurs on Fedora 22 also.  I will be happy to provide additional information - please let me know what to capture / look for.  

--James

[error_watch] gs-window-x11.c:1330 (10:46:35):   command error output: [request_response] mate-screensaver-dialog.c:142 (10:46:35):      got response: -2

[error_watch] gs-window-x11.c:1330 (10:46:36):   command error output: [auth_message_handler] mate-screensaver-dialog.c:216 (10:46:36):  Got message style 1: 'Password: '

[error_watch] gs-window-x11.c:1330 (10:46:36):   command error output: [gs_lock_plug_enable_prompt] gs-lock-plug.c:1601 (10:46:36):      Setting prompt to: Password:

[error_watch] gs-window-x11.c:1330 (10:46:39):   command error output: [request_response] mate-screensaver-dialog.c:142 (10:46:39):      got response: -2

[lock_command_watch] gs-window-x11.c:1921 (10:46:39):    command output: RESPONSE=OK

[lock_command_watch] gs-window-x11.c:1943 (10:46:39):    Got OK response
Comment 6 Wolfgang Ulbrich 2015-07-18 09:02:28 EDT
Can you please open a new report for it?
With all the information from the logs.
And provide information on which second authentication module you use.
You can kill the screensaver process and start it in a terminal with
mate-screensaver --debug
