kennethrrosen / qubes-xscreensaver-totp

Login with OTP in Xscreensaver over lightdm


qubes-otp

Forked into the official Qubes OS documentation with the help of @deeplow: https://www.qubes-os.org/doc/mfa/

2FA for xscreensaver

To add a second factor to the screen lock, use the pam_google_authenticator module, which implements the Time-based One-Time Password (TOTP) algorithm of RFC 6238, from the PAM stack xscreensaver uses in dom0, /etc/pam.d/xscreensaver.

To set up two-factor authentication for the xscreensaver unlock dialog, install the module in dom0 and enrol a secret for your dom0 user. Do this before editing the PAM file: pam_google_authenticator refuses to authenticate a user who has no ~/.google_authenticator yet (unless it is given nullok, which would let anyone without a secret skip the second factor).

sudo qubes-dom0-update google-authenticator
google-authenticator -t -d -f -r 3 -R 30

The flags answer the interactive prompts non-interactively: time-based codes (-t), no reuse of a code within its 30-second step (-d), write ~/.google_authenticator without asking (-f), and at most three attempts per 30 seconds (-r 3 -R 30). Run it without flags if you prefer to answer the questions one by one. Scan the QR code it prints in the terminal with your authenticator app (the phone reads it optically; dom0 has no network and needs none) and store the emergency scratch codes somewhere safe. TOTP only works if dom0's clock is right: compare `date` in dom0 with the phone, and run qvm-sync-clock if they disagree.

Then, as root, edit /etc/pam.d/xscreensaver: comment out the stock `auth include system-auth` line and replace it with an explicit password check followed by the one-time code, so that the top of the file reads:

auth required pam_unix.so
auth required pam_google_authenticator.so

Both lines are `required`, so the verification code is always asked for, even after a wrong password, and an attacker learns nothing about which factor failed. As an alternative to pam_google_authenticator, the oath-toolkit project's pam_oath module implements the same TOTP algorithm.

In the xscreensaver-demo window, set the mode to one that locks the screen with a password, open "Advanced", set the authentication program to /usr/bin/xscreensaver-auth, and click "OK" to save the changes.

Lock the screen with xscreensaver-command -lock and unlock it: xscreensaver asks for your password and then for the verification code shown by the app. Try a wrong code as well to confirm it is rejected. If the dialog refuses everything, a text console (Ctrl+Alt+F2) still authenticates through /etc/pam.d/login, which this change does not touch, so you can repair the file from there.
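The codes the module checks are ordinary RFC 6238 TOTP values derived from the base32 secret in ~/.google_authenticator, so you can recompute them yourself to confirm that dom0's clock and the phone agree, and to see what the WINDOW_SIZE and DISALLOW_REUSE lines in that file do. The following Python script is an added example and is not part of this repository or of pam_google_authenticator. It parses only the file fields it needs (the secret, TOTP_AUTH, WINDOW_SIZE, DISALLOW_REUSE; the real file also carries RATE_LIMIT state and scratch codes), and the sample file is constructed, with the RFC 4226/6238 test key as its secret rather than a real enrolment.

```python
"""TOTP check for a .google_authenticator file (added example, not from the
repository or from pam_google_authenticator).

It derives codes the way RFC 4226/6238 and the authenticator app do
(HMAC-SHA1, 30-second step, 6 digits) and verifies a submitted code inside the
configured window, refusing reuse. Only the file fields needed here are parsed:
the base32 secret on line 1 and the TOTP_AUTH, WINDOW_SIZE and DISALLOW_REUSE
option lines; RATE_LIMIT state and scratch codes are ignored.
"""
import base64
import hashlib
import hmac
import struct
import sys
import time

# Constructed sample in the layout google-authenticator -t -d writes.
# The secret is the RFC 4226/6238 test key "12345678901234567890" in base32,
# not a real enrolment.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" TOTP_AUTH
" WINDOW_SIZE 3
" DISALLOW_REUSE
"""

STEP = 30    # seconds per code
DIGITS = 6


def parse_secret_file(text):
    """Return (secret_bytes, options) from .google_authenticator contents."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    secret = base64.b32decode(lines[0], casefold=True)
    opts = {"window": 3, "totp": False, "disallow_reuse": False}
    for line in lines[1:]:
        if not line.startswith('" '):
            continue  # scratch codes are plain digits, not options
        fields = line[2:].split()
        if fields[0] == "TOTP_AUTH":
            opts["totp"] = True
        elif fields[0] == "WINDOW_SIZE":
            opts["window"] = int(fields[1])
        elif fields[0] == "DISALLOW_REUSE":
            opts["disallow_reuse"] = True
    return secret, opts


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic
    truncation to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, now, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the number of elapsed time steps as the counter."""
    return hotp(secret, int(now) // step, digits)


class Verifier:
    """Accept a code if it matches any step inside the window, at most once."""

    def __init__(self, file_text, step=STEP):
        self.secret, self.opts = parse_secret_file(file_text)
        self.step = step
        self.used = set()  # counters already consumed (DISALLOW_REUSE)

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        centre = int(now) // self.step
        half = (self.opts["window"] - 1) // 2  # WINDOW_SIZE 3 -> centre +/- 1
        for counter in range(centre - half, centre + half + 1):
            if hmac.compare_digest(hotp(self.secret, counter), str(code)):
                if self.opts["disallow_reuse"] and counter in self.used:
                    return False  # same code presented twice
                self.used.add(counter)
                return True
        return False


def main(argv):
    """Print the current code for the constructed sample, or for a real file
    when a path is given (in dom0: ~/.google_authenticator)."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_FILE
    secret, opts = parse_secret_file(text)
    now = time.time()
    print("now=%d step=%d code=%s window=%d disallow_reuse=%s"
          % (now, int(now) // STEP, totp(secret, now),
             opts["window"], opts["disallow_reuse"]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it in dom0 with the path to your own file (`python3 totp_check.py ~/.google_authenticator`) and compare the printed code with the app; a mismatch that shifts by whole 30-second steps points at clock skew, which is what the WINDOW_SIZE tolerance papers over.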

Enhance login security

If you want to harden the unlock dialog further, pam_tally2 can enforce a lockout policy that slows brute-force guessing. pam_unix still checks the password; pam_tally2 counts attempts in the auth phase and clears the counter in the account phase after a successful unlock.

With the options below, pam_tally2 denies access once more than three attempts have failed and allows a new attempt 20 minutes (1200 seconds) after the last failure; audit additionally logs the user name of attempts for accounts that do not exist. Keep the pam_google_authenticator line from the previous section: the lockout then covers guessed verification codes as well.

pam_tty_audit, by contrast, does not belong here. It provides only the session module type and turns on kernel auditing of TTY keystrokes for sessions opened by login, sshd and the like; it records no authentication events, and listed under auth it has no authenticate function, so PAM treats the line as a failure and, with required, every unlock fails. Failed and successful unlocks are already written by pam_unix to the journal under the xscreensaver service name:

sudo journalctl | grep 'pam_unix(xscreensaver:auth)'

Note that pam_tally2 was removed in Linux-PAM 1.5.0: it exists in the Fedora 32 dom0 of Qubes 4.1 but not in the Fedora 37 dom0 of Qubes 4.2, where pam_faillock provides the same deny= and unlock_time= options (its man page shows the preauth/authfail lines it needs).

Test the modified configuration by locking the screen with xscreensaver-command -lock. Enter a wrong password three times, confirm that the fourth attempt is refused even with the right password, and inspect the counter with `pam_tally2 --user <name>`; clear it with `pam_tally2 --user <name> --reset`, then confirm that you can unlock normally. If you lock yourself out, a text console (Ctrl+Alt+F2) authenticates through /etc/pam.d/login, which is unaffected, and lets you repair the file or reset the tally.

auth required pam_unix.so
auth required pam_tally2.so deny=3 unlock_time=1200 audit
auth required pam_google_authenticator.so
account required pam_tally2.so
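To see what deny=3 unlock_time=1200 means for someone who keeps trying, here is a small Python model of the policy, added as an example; it is not Linux-PAM code and PAM does not run it. It follows the pam_tally2 man page: every attempt bumps a per-user tally; once the tally exceeds deny, attempts are refused, with a correct password too, until unlock_time seconds after the previous bump; the tally is cleared only by the account phase after a fully successful authentication (or by pam_tally2 --reset), so the model does not clear it when the lock merely expires, and one more failure re-locks at once. Times are passed in explicitly and the attempt log is constructed.

```python
"""Model of the lockout policy expressed by
`pam_tally2.so deny=3 unlock_time=1200` (added example; not Linux-PAM code,
not run by PAM, it only reproduces the documented semantics so the policy can
be reasoned about before it is applied to the screen lock).

Every attempt bumps a per-user tally. Once the tally exceeds `deny`, the
attempt is refused whatever the password until `unlock_time` seconds have
passed since the previous bump. The account phase, reached only when the whole
auth stack succeeded, resets the tally; an expired lock does not.
"""
import collections


class Tally:
    def __init__(self, deny=3, unlock_time=1200):
        self.deny = deny
        self.unlock_time = unlock_time
        self.count = collections.defaultdict(int)  # user -> tally
        self.last = {}                             # user -> time of last bump

    def locked(self, user, now):
        """Would an attempt at `now` be refused regardless of the password?"""
        return (self.count[user] >= self.deny and user in self.last
                and now - self.last[user] < self.unlock_time)

    def attempt(self, user, auth_ok, now):
        """Run one unlock attempt at time `now`; return True when accepted.

        auth_ok is the verdict of the rest of the stack (password and, if
        configured, verification code both correct)."""
        previous = self.last.get(user)
        self.count[user] += 1          # auth phase: bump before checking
        self.last[user] = now
        if (self.count[user] > self.deny and previous is not None
                and now - previous < self.unlock_time):
            return False               # denied; the stack's verdict is moot
        if not auth_ok:
            return False               # tally stays bumped
        self.count[user] = 0           # account phase: reset on success
        return True


# Constructed attempt log: (seconds since start, rest-of-stack verdict).
# Three wrong passwords, then the right one at 30 s, 1229 s and 2429 s.
ATTEMPTS = [(0, False), (10, False), (20, False),
            (30, True), (1229, True), (2429, True)]


def replay(attempts, user="user", **policy):
    """Feed an attempt log through a fresh Tally; return the verdicts."""
    tally = Tally(**policy)
    return [tally.attempt(user, ok, t) for t, ok in attempts]


if __name__ == "__main__":
    for policy in ({"deny": 3, "unlock_time": 1200},
                   {"deny": 5, "unlock_time": 1200}):
        print(policy, replay(ATTEMPTS, **policy))
```

With deny=3 the correct password at 30 s is refused, and because that refusal is itself a bump, the attempt at 1229 s (1199 s later) is refused too; only the one at 2429 s, a full 1200 s after the last bump, gets through and clears the tally. Raising deny to 5 lets the first correct password in.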
