Cisco DUO pam module not working with Hyprlock
Hi, not sure if this is a bug or a feature request. I'm new to Hyprland and am using it on a machine with an organization that utilizes Duo for MFA. I'm not sure if I've failed to configure something correctly or if this type of MFA isn't supported. Happy to share some config, platform info, and maybe some sanitized logs if that is needed to help determine if this is a bug or enhancement request...let me know what you'd like to see.
BACKGROUND I see several issues (#723, #170, #205) related to PAM. I see mention of using google-authenticator, which seems to be a sync-based MFA, not a 2-way interactive push+confirm type.
ISSUE Outside of Hyprland/Hyprlock, the Duo MFA pam module is configured correctly and works fine for text console login, remote password auth via ssh, sudo, and Gnome/GDM. Inside of Hyprland the MFA challenge is only sent at login, not with screen unlock.
The simplified view of the workflow is:
- input password
- send push message
- display challenge code if supported (3-digit code, but this doesn't appear to be part of the duo_unix.so pam library)
- receive push message
- reply to push message (enter code if provided, otherwise just confirm access)
- screen unlocks
To reiterate, it does not seem like the Duo MFA challenge on Linux supports the 3-digit code: this aspect works in many things including Windows clients and website clients, but does not appear to happen in any of the authentication scenarios I mentioned above. It could be a configuration detail that our people have not instructed us to implement on Linux clients, or maybe it's not supported by Duo (yet). I describe it for purposes of awareness, not immediate implementation.
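The workflow above only happens if the PAM service hyprlock authenticates against actually reaches the Duo module. Hyprlock (to my knowledge) selects that service with the `general:pam_module` option, defaulting to `/etc/pam.d/hyprlock`, and distributions typically route it through `include`/`@include` chains such as `login` and `common-auth`. The script below is an added example, not code from hyprlock or Duo: it walks a constructed PAM tree (built in a temp dir, not copied from any real system) and lists the `auth` modules a service would run, so you can see whether `pam_duo.so` sits in the stack before filing a bug. Module names, file contents and the `PAMDIR` variable are all assumptions for the demo; point `PAMDIR` at `/etc/pam.d` to run it against a real system read-only.

```shell
#!/bin/sh
# Added example: resolve a PAM service's "auth" stack, following
# include/substack and Debian-style @include, and report the modules in order.
# PAMDIR defaults to a temp dir populated with constructed sample files.
PAMDIR="${PAMDIR:-$(mktemp -d)}"

# Constructed sample PAM files (assumed layout, loosely Ubuntu-shaped).
setup_sample_pam() {
    cat > "$PAMDIR/common-auth" <<'EOF'
auth    requisite                   pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_duo.so
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
    cat > "$PAMDIR/login" <<'EOF'
auth    optional   pam_faildelay.so delay=3000000
@include common-auth
EOF
    cat > "$PAMDIR/hyprlock" <<'EOF'
auth    include    login
EOF
    # A stack that never reaches Duo: unlock would succeed on password alone.
    cat > "$PAMDIR/hyprlock-noduo" <<'EOF'
auth    required   pam_unix.so
EOF
}

# auth_modules <service>: print the auth-type modules for <service>, in order.
auth_modules() {
    local svc f line rest
    svc="$1"
    f="$PAMDIR/$svc"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;
            @include*) set -- $line; auth_modules "$2"; continue ;;
        esac
        # Collapse a bracketed control field ("[success=1 default=ignore]")
        # into one token so the module path is always field 3.
        rest=$(printf '%s\n' "$line" | sed 's/\[[^]]*\]/bracket/')
        set -- $rest
        [ "$1" = "auth" ] || continue
        case "$2" in
            include|substack) auth_modules "$3" ;;
            *) printf '%s\n' "$3" ;;
        esac
    done < "$f"
}

# has_duo <service>: succeed only if pam_duo.so appears in the auth stack.
has_duo() {
    auth_modules "$1" | grep -q 'pam_duo\.so'
}

setup_sample_pam
echo "auth stack for service 'hyprlock':"
auth_modules hyprlock
if has_duo hyprlock; then
    echo "pam_duo.so is reached: unlock should trigger the push"
else
    echo "pam_duo.so is NOT in the stack: password alone unlocks"
fi
```

If the real `hyprlock` service resolves without `pam_duo.so`, the missing push is a PAM configuration gap rather than a hyprlock bug; if the module is present, hyprlock's own PAM logging is the next place to look.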
Hi, I did implement support for a synchronous MFA setup like you saw.
I don't really understand the issue tbh. Is the problem the linux support of "Duo MFA"??
If you think it should work with hyprlock, please:
- give me a description (or link one), that describes how you set up your pam configuration.
- describe exactly how to reproduce it and describe what doesn't work.
- check the hyprlock logs, it logs quite a bit in regards to PAM.
Inside of Hyprland the MFA challenge is only sent at login, not with screen unlock.
Hmm what do you mean with "login"? Like sddm/greetd or whatever display-manager login?? Possibly related: #691
Under Gnome/GDM... When the machine is booted up, GDM starts and you enter a username and password; if the password is accepted, the MFA auth happens. You get a push notification, hit yes, and the system proceeds and your desktop launches. While you're logged in and lock the screen (manually or through idling), you enter your password, then the MFA auth happens again before the screen unlock is completed. So it will only unlock if the MFA is satisfied.
In my Ubuntu 2404 setup with hyprland, I'm still using GDM as the greeter for logins, and it's sending the MFA prompt, but hyprlock is not.
Duo has the capability to use N-digit codes like Google Authenticator or Authy, but typically that's used when offline. Duo's normal behavior is to push a message to a mobile phone that the user must open an app to click "yes" or "no". So I had thought this workflow might be different than the MFA process that's driven by entering an N-digit code from an authenticator app.
Here are the Duo pam config instructions; I don't do anything out of the ordinary, it's a brand new install/setup.
Maybe because I'm on Ubuntu 2404, it's an old version of things...others have said so with regard to issues I've encountered with waybar and window/workspace placements under hyprland.
How do you receive the push notification? Via your phone?
Yes, there is a Duo App for mobile phones.
https://duo.com/product/multi-factor-authentication-mfa/authentication-methods/duo-push