KDE Screen Locker with TOTP
Intro
Recently I've been using my laptop in public places. Typing my full password there invites shoulder surfing, so I came up with a solution that doesn't rely on biometric login: TOTP (Time-based One-Time Password), a short code that changes every 30 seconds and is useless to anyone who watched me type it once the step has passed.
Steps
- Install oath-toolkit, which provides pam_oath.so (the PAM module) and oathtool (the command-line helper).
- Set up the TOTP seed.
Generate a seed for the TOTP:
openssl rand -hex 10
This gives 10 random bytes (80 bits) as 20 hex characters. RFC 4226 requires a shared secret of at least 128 bits and recommends 160, so openssl rand -hex 20 is the safer choice; pam_oath accepts either length. To enrol the same seed in a phone authenticator you need its base32 form, which oathtool --totp -v <seed> prints as "Base32 secret".
Create a config file for oath-toolkit at ${HOME}/.config/oath_toolkit containing one line for your user:
# Option User Prefix Seed
HOTP/T30/6 ${REPLACE WITH THE USER NAME} - ${REPLACE WITH THE OUTPUT OF OPENSSL}
HOTP/T30/6 selects time-based codes with a 30-second step and 6 digits; the "-" in the Prefix column means no static password prefix is stored in the file.
Change the permission of the config file so only you can read it:
chmod 600 "${HOME}/.config/oath_toolkit"
- Set up the PAM config for the KDE screen locker.
Insert the following lines before the first `auth` line of /etc/pam.d/kde:
# Try the password; if it is a valid TOTP code, pass the auth
auth sufficient pam_oath.so try_first_pass usersfile=${HOME}/.config/oath_toolkit window=30 digits=6
- `sufficient` means that if this `auth` entry succeeds, the following `auth` entries are skipped (unless an earlier `required` entry has already failed). If it fails, the `auth` stack continues as before, so the normal password still works.
- `try_first_pass` means pam_oath.so reuses the password that was already entered instead of prompting for it again.
- PAM itself does not expand shell variables; `${HOME}` in `usersfile=` is substituted by pam_oath.so (newer oath-toolkit releases also accept `${USER}`). If your version rejects it, use the absolute path instead.
- `window=30` lets a code be accepted up to 30 time steps away from the current time, which with T30 is 15 minutes in either direction. A few steps is enough when the clock is synchronised, and a small window limits how long a code someone saw over your shoulder stays usable.
- If the entered string is longer than 6 characters, pam_oath.so treats the last 6 characters as the TOTP code, strips them, and passes the remaining part on as the password to the subsequent auth modules. So if you want to log in using your password, enter your password followed by any 6 characters.
Work with SDDM
In my design, logging in through sddm must use the password, so I don't change the PAM file of sddm. If you want to use TOTP in sddm as well, you should:
- Create a separate config file for oath-toolkit that the user sddm runs as can access.
- Update the PAM file of sddm, /etc/pam.d/sddm, with the same pam_oath.so line and point usersfile at that file.
Permission Issue
During my research, PAM had root permission, but when the config file was set to read-only for root, pam_oath.so could not read the config file. Two things matter here: the screen locker greeter usually runs as the logged-in user rather than root, so the usersfile must be owned and readable by that user (chmod 600 on a user-owned file, as above), and pam_oath.so also rewrites the usersfile after each successful login to record the last-used code for replay protection, creating a lock file next to it. The file and its directory therefore have to be writable by the user doing the authentication; a read-only usersfile breaks authentication even when the code is correct.