i3 - locking screen with 2-factor authentication
I'm running the i3 window manager and have 2-factor authentication on my system. It appears that i3 and i3lock do NOT support the additional prompt for 2-factor authentication, but merely pipe the password I entered in as the verification code.
That obviously doesn't work. Short of modifying my PAM configuration and disabling 2-factor authentication (for i3lock), is there a better way that will let me leverage 2-factor authentication for i3lock as well?
i3 2-factor-authentication
asked Mar 24 '17 at 10:18
Walter
1 Answer
Because i3lock supports PAM, it necessarily supports u2f modules too, though it may not support visual prompts for user input. It certainly works with Yubikey u2f, which merely requires the user to press a physical key on the USB after being prompted by the USB flashing.
Setup Yubikey U2F for i3lock
- Build your pam module (e.g. `pam_u2f.so`) and place it in the right spot (e.g. `/lib/security`). If you have a yubikey then follow Yubico's guide.
- Create `/etc/pam.d/i3lock` if it does not already exist. Here is the default file, which simply requires a password.
#
# PAM configuration file for the i3lock screen locker. By default, it includes
# the 'login' configuration file (see /etc/pam.d/login)
#
auth include login
You now have the following options for authenticating with your Yubikey, though the first one (password fallback) is only single factor authentication.
Option 1: Yubikey with password fallback
Add the following line before the `auth include login` line.
auth sufficient pam_u2f.so nouserok cue
This will unlock your computer if you hit enter, which triggers PAM authentication in i3lock (prompt will hang on "verifying") and then press the Yubikey, which should be flashing.
You can also unlock your computer simply by typing the correct password while the yubikey is not plugged in. If it is plugged in, the module will wait for the yubikey to fail, which will require you to unplug it, or wait for it to time out (the boring way to gain access to your computer!).
Option 2: Require Yubikey and password
Add the following line after the `auth include login` line.
auth required pam_u2f.so nouserok cue
This will unlock your computer if you enter the correct password, hit enter, and then press the Yubikey (it should be flashing) to provide the required second factor.
Debugging
If you get locked out, log in on a virtual terminal (TTY). You can get to one with the ctrl+alt+f2 key combination. You can then kill i3lock with `killall i3lock` or find more information about what went wrong by looking through the output of `journalctl -x`.
edited 8 mins ago
answered 18 mins ago
Hydrox24
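The answer above notes that only Option 2 is real two-factor authentication. The following check is an added example, not part of the original answer: it reads an i3lock PAM file on stdin and reports which case the auth stack falls into. The function names and the two sample files are constructed here, and it assumes the password factor comes from an `auth include`/`substack` line or `pam_unix.so`.

```shell
#!/bin/sh
# Added example: classify the auth stack of an i3lock PAM file read from stdin.
# Prints password-only | single-factor | two-factor | key-only | unknown,
# plus "+nouserok" when that option is set on the pam_u2f line.
audit_i3lock_pam() {
    awk '
        $1 != "auth" { next }    # skips comments, blanks and other stacks
        # Assumption: an included stack or pam_unix.so is the password factor.
        $2 == "include" || $2 == "substack" { password = 1; next }
        $3 ~ /pam_unix\.so$/ { password = 1; next }
        $3 ~ /pam_u2f\.so$/ {
            control = $2
            for (i = 4; i <= NF; i++) if ($i == "nouserok") nouserok = 1
        }
        END {
            if (control == "") verdict = password ? "password-only" : "unknown"
            else if (!password) verdict = "key-only"
            else if (control == "sufficient") verdict = "single-factor"
            else if (control == "required" || control == "requisite") verdict = "two-factor"
            else verdict = "unknown"
            suffix = nouserok ? "+nouserok" : ""
            print verdict suffix
        }
    '
}

# Constructed sample: Option 1 from the answer (key with password fallback).
option1_sample() {
    cat <<'EOF'
# /etc/pam.d/i3lock (constructed sample)
auth sufficient pam_u2f.so nouserok cue
auth include login
EOF
}

# Constructed sample: Option 2 from the answer (password and key).
option2_sample() {
    cat <<'EOF'
# /etc/pam.d/i3lock (constructed sample)
auth include login
auth required pam_u2f.so nouserok cue
EOF
}

# Demo on the constructed samples.
option1_sample | audit_i3lock_pam
option2_sample | audit_i3lock_pam
```

Run it against the live file with `audit_i3lock_pam < /etc/pam.d/i3lock`. A `+nouserok` suffix deserves a second look: the pam_u2f documentation describes `nouserok` as letting authentication succeed for a user with no registered key, so such accounts are not held to the second factor.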