support optional TOTP for authentication

It requires a pam_oath in a version that implements the no_usersfile_okay argument. Provisionally using 2.6.11.12 as a version to indicate it, the patch is not yet merged upstream, but this is likely a version upstream will not assign. Patch: https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/42 Upstream: https://github.com/openSUSE/cockpit/pull/27
2024-08-06 16:43:58 +02:00 · 2024-08-06 16:43:58 +02:00 · 95f291257b
commit 95f291257b
parent 14257e4afc
3 changed files with 7 additions and 0 deletions
--- a/cockpit.changes
+++ b/cockpit.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Sep 18 12:37:18 UTC 2024 - Jan Zerebecki <jan.suse@zerebecki.de>
+
+- support optional TOTP for authentication, requires pam_oath
+
 -------------------------------------------------------------------
 Tue Aug 20 13:24:06 UTC 2024 - Adam Majer <adam.majer@suse.de>

--- a/cockpit.pam
+++ b/cockpit.pam
@ -8,3 +8,4 @@ password include common-password
 session required pam_loginuid.so
 session optional pam_keyinit.so force revoke
 session include common-session
+auth [user_unknown=ignore success=ok] pam_oath.so usersfile=${HOME}/.pam_oath_usersfile no_usersfile_okay window=20 digits=6
--- a/cockpit.spec
+++ b/cockpit.spec
@ -575,6 +575,7 @@ Suggests: sssd-dbus >= 2.6.2
 %if 0%{?suse_version}
 Requires(pre): permissions
 Requires: distribution-logos
+Requires: pam_oath >= 2.6.11.12
 Requires: wallpaper-branding
 %endif
 # for cockpit-desktop