From 95f291257bf63a3a7f7bd4cdd1428b39511f941d934fca81709f621a8058e0ee Mon Sep 17 00:00:00 2001
From: Jan Zerebecki <jan.suse@zerebecki.de>
Date: Tue, 6 Aug 2024 16:43:58 +0200
Subject: [PATCH] support optional TOTP for authentication

It requires a pam_oath in a version that implements the
no_usersfile_okay argument. Provisionally using 2.6.11.12 as a version
to indicate it, the patch is not yet merged upstream, but this is likely
a version upstream will not assign. Patch:
https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/42

Upstream: https://github.com/openSUSE/cockpit/pull/27
---
 cockpit.changes | 5 +++++
 cockpit.pam     | 1 +
 cockpit.spec    | 1 +
 3 files changed, 7 insertions(+)

diff --git a/cockpit.changes b/cockpit.changes
index 08015aa..920db96 100644
--- a/cockpit.changes
+++ b/cockpit.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Sep 18 12:37:18 UTC 2024 - Jan Zerebecki <jan.suse@zerebecki.de>
+
+- support optional TOTP for authentication, requires pam_oath
+
 -------------------------------------------------------------------
 Tue Aug 20 13:24:06 UTC 2024 - Adam Majer <adam.majer@suse.de>
 
diff --git a/cockpit.pam b/cockpit.pam
index 376d79f..efef5db 100644
--- a/cockpit.pam
+++ b/cockpit.pam
@@ -8,3 +8,4 @@ password include common-password
 session required pam_loginuid.so
 session optional pam_keyinit.so force revoke
 session include common-session
+auth [user_unknown=ignore success=ok] pam_oath.so usersfile=${HOME}/.pam_oath_usersfile no_usersfile_okay window=20 digits=6
diff --git a/cockpit.spec b/cockpit.spec
index 7a99e09..ba164c2 100644
--- a/cockpit.spec
+++ b/cockpit.spec
@@ -575,6 +575,7 @@ Suggests: sssd-dbus >= 2.6.2
 %if 0%{?suse_version}
 Requires(pre): permissions
 Requires: distribution-logos
+Requires: pam_oath >= 2.6.11.12
 Requires: wallpaper-branding
 %endif
 # for cockpit-desktop