help-guix
Problems with Gnome Authenticator 2FA


From: Gary Johnson
Subject: Problems with Gnome Authenticator 2FA
Date: Wed, 22 Feb 2023 17:01:28 -0500

Hi Guix,

  I'm being required to set up a 2FA application to create
one-time-passwords for a self-managed GitLab instance. The wrinkle is
that I don't own a smartphone. Up until now I've been able to use 2FA
over SMS for most systems I interact with, but GitLab doesn't support
this option. Instead, there is a hard requirement on using a dedicated
application for this purpose. The recommended choices are Google
Authenticator and Microsoft Authenticator for either iOS or Android.
Again, I don't have access to either of these operating systems, nor do
I want to use these proprietary applications for (what should be) such a
basic task.

In digging through the Guix package list, I found `authenticator`:

==========================================================================
name: authenticator
version: 3.32.2
outputs:
+ out: everything
systems: x86_64-linux
dependencies: desktop-file-utils@0.26 gettext-minimal@0.21 glib@2.70.2 gobject-introspection@1.66.1 gsettings-desktop-schemas@41.0 gtk+@3.24.30 libhandy@0.0.13
+ libsecret@0.20.5 pkg-config@0.29.2 python-beautifulsoup4@4.11.1 python-pillow@9.2.0 python-pyfavicon@0.1.1 python-pygobject@3.40.1 python-pyotp@2.7.0
+ python-pyzbar@0.1.8 python@3.9.9 yoyo-migrations@7.2.0 zbar@0.23.90
location: gnu/packages/gnome.scm:10394:2
homepage: https://gitlab.gnome.org/World/Authenticator/
license: GPL 3+
synopsis: Two-factor authentication application built for GNOME
description: Authenticator is a two-factor authentication (2FA) application built for the GNOME desktop environment.
+ 
+ Features:
+ 
+    * QR code scanner
+ 
+    * Beautiful UI
+ 
+    * Huge database of more than 560 supported services
+ 
+    * Keep your PIN tokens secure by locking the application with a password
+ 
+    * Automatically fetch an image for services using their favicon
+ 
+    * The possibility to add new services
==========================================================================

It looks like a reasonable FOSS option, so I tried it out via `guix
shell`:

```
$ guix shell authenticator -- authenticator
```

Unfortunately, I just get a program crash and a stacktrace:

==========================================================================
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 59, in do_startup
    self._setup_actions()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 142, in _setup_actions
    Keyring.get_default().connect("notify::can-be-locked",
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 49, in get_default
    Keyring.instance = Keyring()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 44, in __init__
    self.props.can_be_locked = self.is_password_enabled() and self.has_password()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 136, in is_password_enabled
    state = Secret.password_lookup_sync(schema, {}, None)
gi.repository.GLib.GError: g-dbus-error-quark: The name org.freedesktop.secrets was not provided by any .service files (2)
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 77, in do_activate
    window = Window.get_default()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
    Window.instance = Window()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
    self.init_template('Window')
TypeError: <lambda>() takes 0 positional arguments but 1 was given
==========================================================================

The line that stuck out to me was this one:

```
gi.repository.GLib.GError: g-dbus-error-quark: The name
org.freedesktop.secrets was not provided by any .service files (2)
```

A little web searching led me to understand that I need to have the
`gnome-keyring` daemon running. (I wish that had been in the package
documentation.)

Okay, so I reviewed the Guix manual, and I found this info:

==========================================================================
 -- Variable: gnome-keyring-service-type
     This is the type of the service that adds the GNOME Keyring
     (https://wiki.gnome.org/Projects/GnomeKeyring).  Its value is a
     ‘gnome-keyring-configuration’ object (see below).

     This service adds the ‘gnome-keyring’ package to the system profile
     and extends PAM with entries using ‘pam_gnome_keyring.so’,
     unlocking a user’s login keyring when they log in or setting its
     password with passwd.

 -- Data Type: gnome-keyring-configuration
     Configuration record for the GNOME Keyring service.

     ‘keyring’ (default: ‘gnome-keyring’)
          The GNOME keyring package to use.

     ‘pam-services’
          A list of ‘(SERVICE . KIND)’ pairs denoting PAM services to
          extend, where SERVICE is the name of an existing service to
          extend and KIND is one of ‘login’ or ‘passwd’.

          If ‘login’ is given, it adds an optional
          ‘pam_gnome_keyring.so’ to the auth block without arguments and
          to the session block with ‘auto_start’.  If ‘passwd’ is given,
          it adds an optional ‘pam_gnome_keyring.so’ to the password
          block without arguments.

          By default, this field contains “gdm-password” with the value
          ‘login’ and “passwd” is with the value ‘passwd’.
==========================================================================

As my next step, I added this service to my `operating-system`
definition and rebuilt my machine with `sudo guix system reconfigure
system.scm`:

```
(service gnome-keyring-service-type (gnome-keyring-configuration))
```

FYI, I'm using EXWM as my window manager.

After a reboot, I didn't see any new services running with `sudo herd
status`, so I'm not entirely sure how to verify that the
gnome-keyring-daemon is running and check its status. I tried `pgrep
gnome-keyring` and got a PID back. However, when I run `authenticator`,
I just get exactly the same error again as above, indicating that the
client application isn't able to talk to the D-Bus service provided by
`gnome-keyring`.

As a last-ditch effort, I tried creating another shell in which to start
up the `gnome-keyring-daemon` manually.

```
$ guix shell gnome-keyring authenticator
$ gnome-keyring-daemon --start
** Message: 13:57:16.939: couldn't access control socket: /run/user/1000/keyring/control: No such file or directory
discover_other_daemon: 0SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
$ pgrep gnome
1727 gnome-keyring-d
$ authenticator
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 208, in _is_locked_changed
    Window.get_default().refresh_view()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
    Window.instance = Window()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
    self.init_template('Window')
TypeError: <lambda>() takes 0 positional arguments but 1 was given
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 77, in do_activate
    window = Window.get_default()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
    Window.instance = Window()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
    self.init_template('Window')
TypeError: <lambda>() takes 0 positional arguments but 1 was given
```

So...not great. I got the sense from the first output message that
`gnome-keyring` was somehow interacting badly with `ssh-agent`.

The second piece of bad information is that `authenticator` is, of
course, still crashing. Now it looks like it's talking to
`gnome-keyring-daemon`, but it's throwing a new error related to a
function call arity mistake:

```
TypeError: <lambda>() takes 0 positional arguments but 1 was given
```

AFAICT, this is an error in the `authenticator` application.

My question to the mailing list then is:

"Does anyone else have any experience with setting up authenticator, the
gnome-keyring service, or any other mechanism for 2FA on a Guix System
desktop?"

Thanks in advance, folks.

~Gary

-- 
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
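
A way to check whether a running `gnome-keyring-daemon` is actually reachable by clients, as an added example that is not part of the original message: a PID from `pgrep` only helps a client if that process owns `org.freedesktop.secrets` on the same session bus, so this script asks the bus itself. It assumes `dbus-send` is installed; the sample replies are constructed, and the function names are this example's own.

```sh
#!/bin/sh
# Added example: classify whether org.freedesktop.secrets is reachable on the
# session bus. The sample replies below are constructed, not captured output.

NAME=org.freedesktop.secrets

# Ask the bus driver for a name list; $1 is ListNames or ListActivatableNames.
bus_names() {
    dbus-send --session --dest=org.freedesktop.DBus --type=method_call \
        --print-reply /org/freedesktop/DBus "org.freedesktop.DBus.$1" 2>/dev/null
}

# has_name REPLY NAME: true if NAME is a string entry in a dbus-send reply.
has_name() {
    printf '%s\n' "$1" | grep -Fq "string \"$2\""
}

# classify OWNED_REPLY ACTIVATABLE_REPLY: print owned, activatable or missing.
#   owned       - a process on this bus currently holds the name
#   activatable - nobody holds it, but a .service file lets the bus start one
#   missing     - neither: clients get "not provided by any .service files"
classify() {
    if has_name "$1" "$NAME"; then echo owned
    elif has_name "$2" "$NAME"; then echo activatable
    else echo missing
    fi
}

# Constructed replies in the layout dbus-send --print-reply uses for arrays.
SAMPLE_NO_KEYRING='   array [
      string "org.freedesktop.DBus"
      string ":1.4"
   ]'
SAMPLE_WITH_KEYRING='   array [
      string "org.freedesktop.DBus"
      string "org.freedesktop.secrets"
      string ":1.9"
   ]'
echo "sample without keyring: $(classify "$SAMPLE_NO_KEYRING" "$SAMPLE_NO_KEYRING")"

# Live check against the bus this shell would hand to a client it launches.
if [ -n "${DBUS_SESSION_BUS_ADDRESS:-}" ] && command -v dbus-send >/dev/null 2>&1; then
    owned=$(bus_names ListNames) || owned=
    activatable=$(bus_names ListActivatableNames) || activatable=
    echo "bus address: $DBUS_SESSION_BUS_ADDRESS"
    echo "live state: $(classify "$owned" "$activatable")"
else
    echo "live check skipped: no DBUS_SESSION_BUS_ADDRESS or no dbus-send"
fi
```

Run it from the same shell that launches the client, since a daemon registered on a different session bus shows up in `pgrep` but still yields `missing` here.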


