Getting FIDO2 tokens to work with SDDM

PopTop · February 23, 2025, 6:31pm

Hi, I’m trying to get my FIDO 2 tokens to work with SDDM/Plasma. I followed the excellent guide posted here written by @pavinjoseph and managed to get sudo and sudo -i working perfectly in the terminal.

However, when I tried adding auth sufficient pam_u2f.so authfil e=/etc/Yubico/u2f_keys cue to /etc/pam.d/sddm, GUI prompts still require the root password.

/etc/pam.d/sddm

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     sufficient     pam_u2f.so      authfile=/etc/Yubico/u2f_keys cue  <<< added this line
auth     substack       common-auth
account  substack       common-account
account  include        postlogin-account
password substack       common-password
password include        postlogin-password
session  required       pam_loginuid.so
session  optional       pam_keyinit.so revoke force
session  substack       common-session
session  include        postlogin-session

Afterwards I tried the more dangerous method of directly modifying the /etc/pam.d/common-auth file like mentioned in the guide to see if that would work, but I was still prompted for the root password.

Any help would be appreciated.

arvidjaar · February 23, 2025, 7:21pm

You get root password request from kdesu. How is it related to SDDM?

pavinjoseph · February 24, 2025, 4:51am

Thanks for the kind words

FWIW, I wasn’t able to get it to work with gnomesu either, though the lock screen (GDM) worked fine.

arvidjaar · February 24, 2025, 6:56am

gnomesu is using gnomesu-pam PAM service. Did you modify it?

pavinjoseph · February 24, 2025, 7:11am

Yep!

pavin@suse-pc:/etc/pam.d> cat gnomesu-pam 
#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     sufficient     pam_u2f.so      authfile=/etc/Yubico/u2f_keys cue
auth     include        common-auth
account  sufficient     pam_rootok.so
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_keyinit.so force revoke
session  optional       pam_xauth.so

arvidjaar · February 24, 2025, 7:37am

Any error messages? Although it gets off topic here.

pavinjoseph · February 24, 2025, 7:53am

No errors!

pavin@suse-pc:~> sudo journalctl -k -b -g pam | cat
Feb 21 08:06:06 suse-pc systemd[1]: systemd 257.2 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
Feb 21 08:06:17 suse-pc systemd[1]: systemd 257.2 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
Feb 22 03:57:10 suse-pc systemd[1]: systemd 257.2 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
Feb 23 03:09:21 suse-pc systemd[1]: systemd 257.2 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
Feb 24 03:10:06 suse-pc systemd[1]: systemd 257.2 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)

pavin@suse-pc:~> sudo journalctl -p3 -b -g pam | cat
Feb 21 08:06:31 suse-pc gdm-autologin][6584]: gkr-pam: couldn't get the password from user: Conversation error
Feb 21 08:15:47 suse-pc sudo[14424]: pam_unix(sudo:auth): conversation failed
Feb 21 08:15:47 suse-pc sudo[14424]: pam_unix(sudo:auth): auth could not identify password for [root]

system · March 26, 2025, 7:53am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.