Two-factor authentication (e.g. OPIE), graphical login and kdesu

Short question: Is there a way (an official way) to use (any kind of) two-factor authentication on OpenSUSE when using KDE (KDM)? :wink:


On a few important servers, I am using two-factor authentication. The official OpenSUSE repositories are offering OPIE, so I am using this (on other systems, I tend to use the Google authenticator).

My requirement is that the user has to enter his or her regular password and the one-time code (so it’s an appropriate “auth required” entry in the respective pam config files). PAM configuration is not the problem. :wink:

Consequently, all text-based stuff works perfectly (i.e., console login, ssh login, su, sudo…), but on the GUI level, I ran into a few problems:

  1. Graphical login (KDM): After entering the regular password, a dialog box pops up showing the OPIE challenge. Unfortunately, there is no field to enter the response
    . There is just an OK button, and when a user selects that button, the login screen simply displays the respective “login incorrect” message. 1. kdesu: With two-factor authentication enabled, “kdesu” hangs indefinitely after having asked, and accepted, the regular user password.

As a sidenote, the KDE lock screen does work with two-factor authentication: Wenn I activate OPIE while being logged in, the unlock dialog of the lock screen properly asks both for the regular password, and for the OPIE response (while properly displaying the OPIE challenge). This gives me some hope that there might be two-factor support in KDE.

I am not familiar with KDM configuration, but an Internet search wasn’t conclusive - all I found out that G[not K]DM does support it (cf. ) - but switching to Gnome is not my preferred option.

I hope that this question is appropriate here.

You can use “gdm” without switching to Gnome. You may need to install it, and that might pull in part of Gnome.

You might try “lightdm” for login. You may need to install that, too. I don’t know if it supports what you want, but it is worth a try.

As I understand it, the KDE developers dropped “kdm” from their project as they moved toward plasma 5. So I doubt that there will be many enhancements to “kdm”. Personally, I use “lightdm” to login to KDE, but I have not tried two-factor authentication methods.

Thank you very much, that did the trick!

I had been afraid that gdm/lightdm might not work with KDE, so I didn’t dare to do try it on my own. Now I did, and it (lightdm - I didn’t try gdm) works perfectly and supports two-factor authentication.

(In case of anyone finding this thread on their search for OpenSUSE∧two-factor auth: install lightdm, edit /etc/sysconfig/displaymanager replacing the string kdm with lightdm, and restart the display manager - e.g. rcxdm restart)

I haven’t yet found out what to do about the freezing kdesu, but since login is protected by one-time codes, I don’t consider it too much of a problem (as long as users are not using VNC).