support optional TOTP for authentication

It requires a pam_oath in a version that implements the
no_usersfile_okay argument. Provisionally using 2.6.11.12 as a version
to indicate it, the patch is not yet merged upstream, but this is likely
a version upstream will not assign. Patch:
https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/42

Upstream: https://github.com/openSUSE/cockpit/pull/27

cockpit.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Sep 18 12:37:18 UTC 2024 - Jan Zerebecki <jan.suse@zerebecki.de>
+
+- support optional TOTP for authentication, requires pam_oath
+
+-------------------------------------------------------------------
+Tue Aug 20 13:24:06 UTC 2024 - Adam Majer <adam.majer@suse.de>
+
+- remove requires on pam_oath completely. It will be re-introduced
+  later when it works with optional enrollment
+
 -------------------------------------------------------------------
 Mon Aug 20 11:44:33 UTC 2024 - Alice Brooks <alice.brooks@suse.com>
 
@@ -30,6 +41,7 @@ Sat Aug  7 09:37:00 UTC 2024 - pallas wept <pallaswept@proton.me>
 
 - Recommend cockpit-packagekit if zypper is installed
 
+-------------------------------------------------------------------
 Wed Aug  7 09:36:58 UTC 2024 - Jan Zerebecki <jan.suse@zerebecki.de>
 
 - load pam_oath for optional TOTP for authentication

cockpit.pam

@@ -8,3 +8,4 @@ password include common-password
 session required pam_loginuid.so
 session optional pam_keyinit.so force revoke
 session include common-session
+auth [user_unknown=ignore success=ok] pam_oath.so usersfile=${HOME}/.pam_oath_usersfile no_usersfile_okay window=20 digits=6

cockpit.spec

@@ -575,7 +575,7 @@ Suggests: sssd-dbus >= 2.6.2
 %if 0%{?suse_version}
 Requires(pre): permissions
 Requires: distribution-logos
-Requires: pam_oath
+Requires: pam_oath >= 2.6.11.12
 Requires: wallpaper-branding
 %endif
 # for cockpit-desktop