unofficial mirror of help-guix@gnu.org 
* Problems with Gnome Authenticator 2FA
From: Gary Johnson @ 2023-02-22 22:01 UTC
  To: help-guix@gnu.org

Hi Guix,

  I'm being required to set up a 2FA application to create
one-time-passwords for a self-managed GitLab instance. The wrinkle is
that I don't own a smartphone. Up until now I've been able to use 2FA
over SMS for most systems I interact with, but GitLab doesn't support
this option. Instead, there is a hard requirement on using a dedicated
application for this purpose. The recommended choices are Google
Authenticator and Microsoft Authenticator for either iOS or Android.
Again, I don't have access to either of these operating systems, nor do
I want to use these proprietary applications for (what should be) such a
basic task.

In digging through the Guix package list, I found `authenticator`:

==========================================================================
name: authenticator
version: 3.32.2
outputs:
+ out: everything
systems: x86_64-linux
dependencies: desktop-file-utils@0.26 gettext-minimal@0.21 glib@2.70.2 gobject-introspection@1.66.1 gsettings-desktop-schemas@41.0 gtk+@3.24.30 libhandy@0.0.13
+ libsecret@0.20.5 pkg-config@0.29.2 python-beautifulsoup4@4.11.1 python-pillow@9.2.0 python-pyfavicon@0.1.1 python-pygobject@3.40.1 python-pyotp@2.7.0
+ python-pyzbar@0.1.8 python@3.9.9 yoyo-migrations@7.2.0 zbar@0.23.90
location: gnu/packages/gnome.scm:10394:2
homepage: https://gitlab.gnome.org/World/Authenticator/
license: GPL 3+
synopsis: Two-factor authentication application built for GNOME  
description: Authenticator is a two-factor authentication (2FA) application built for the GNOME desktop environment.
+ 
+ Features:
+ 
+    * QR code scanner
+ 
+    * Beautiful UI
+ 
+    * Huge database of more than 560 supported services
+ 
+    * Keep your PIN tokens secure by locking the application with a password
+ 
+    * Automatically fetch an image for services using their favicon
+ 
+    * The possibility to add new services
==========================================================================

It looks like a reasonable FOSS option, so I tried it out via `guix
shell`:

```
$ guix shell authenticator -- authenticator
```

Unfortunately, I just get a program crash and a stacktrace:

==========================================================================
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 59, in do_startup
    self._setup_actions()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 142, in _setup_actions
    Keyring.get_default().connect("notify::can-be-locked",
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 49, in get_default
    Keyring.instance = Keyring()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 44, in __init__
    self.props.can_be_locked = self.is_password_enabled() and self.has_password()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 136, in is_password_enabled
    state = Secret.password_lookup_sync(schema, {}, None)
gi.repository.GLib.GError: g-dbus-error-quark: The name org.freedesktop.secrets was not provided by any .service files (2)
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 77, in do_activate
    window = Window.get_default()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
    Window.instance = Window()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
    self.init_template('Window')
TypeError: <lambda>() takes 0 positional arguments but 1 was given
==========================================================================

The line that stuck out to me was this one:

```
gi.repository.GLib.GError: g-dbus-error-quark: The name
org.freedesktop.secrets was not provided by any .service files (2)
```

A little web searching led me to understand that I need to have the
`gnome-keyring` daemon running. (I wish that had been in the package
documentation.)

Okay, so I reviewed the Guix manual, and I found this info:

==========================================================================
 -- Variable: gnome-keyring-service-type
     This is the type of the service that adds the GNOME Keyring
     (https://wiki.gnome.org/Projects/GnomeKeyring).  Its value is a
     ‘gnome-keyring-configuration’ object (see below).

     This service adds the ‘gnome-keyring’ package to the system profile
     and extends PAM with entries using ‘pam_gnome_keyring.so’,
     unlocking a user’s login keyring when they log in or setting its
     password with passwd.

 -- Data Type: gnome-keyring-configuration
     Configuration record for the GNOME Keyring service.

     ‘keyring’ (default: ‘gnome-keyring’)
          The GNOME keyring package to use.

     ‘pam-services’
          A list of ‘(SERVICE . KIND)’ pairs denoting PAM services to
          extend, where SERVICE is the name of an existing service to
          extend and KIND is one of ‘login’ or ‘passwd’.

          If ‘login’ is given, it adds an optional
          ‘pam_gnome_keyring.so’ to the auth block without arguments and
          to the session block with ‘auto_start’.  If ‘passwd’ is given,
          it adds an optional ‘pam_gnome_keyring.so’ to the password
          block without arguments.

          By default, this field contains “gdm-password” with the value
          ‘login’ and “passwd” is with the value ‘passwd’.
==========================================================================

As my next step, I added this service to my `operating-system`
definition and rebuilt my machine with `sudo guix system reconfigure
system.scm`:

```
(service gnome-keyring-service-type (gnome-keyring-configuration))
```

FYI, I'm using EXWM as my window manager.

After a reboot, I didn't see any new services running with `sudo herd
status`, so I'm not entirely sure how to verify that the
gnome-keyring-daemon is running and check its status. I tried `pgrep
gnome-keyring` and got a PID back. However, when I run `authenticator`,
I just get exactly the same error again as above, indicating that the
client application isn't able to talk to the DBUS service provided by
`gnome-keyring`.

As a last ditch effort, I tried creating another shell in which to start
up the `gnome-keyring-daemon` manually.

```
$ guix shell gnome-keyring authenticator
$ gnome-keyring-daemon --start
** Message: 13:57:16.939: couldn't access control socket: /run/user/1000/keyring/control: No such file or directory
discover_other_daemon: 0SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
$ pgrep gnome
1727 gnome-keyring-d
$ authenticator
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 208, in _is_locked_changed
    Window.get_default().refresh_view()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
    Window.instance = Window()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
    self.init_template('Window')
TypeError: <lambda>() takes 0 positional arguments but 1 was given
Traceback (most recent call last):
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 77, in do_activate
    window = Window.get_default()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
    Window.instance = Window()
  File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
    self.init_template('Window')
TypeError: <lambda>() takes 0 positional arguments but 1 was given
```

So...not great. I got the sense from the first output message that
`gnome-keyring` was somehow interacting badly with `ssh-agent`.

The second piece of bad information is that `authenticator` is, of
course, still crashing. Now it looks like it's talking to
`gnome-keyring-daemon`, but it's throwing a new error related to a
function call arity mistake:

```
TypeError: <lambda>() takes 0 positional arguments but 1 was given
```

AFAICT, this is an error in the `authenticator` application.

My question to the mailing list then is:

"Does anyone else have any experience with setting up authenticator, the
gnome-keyring service, or any other mechanism for 2FA on a Guix System
desktop?"

Thanks in advance, folks.

~Gary

-- 
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html


* Re: Problems with Gnome Authenticator 2FA
From: Wojtek Kosior via @ 2023-02-22 23:00 UTC
  To: Gary Johnson; +Cc: help-guix@gnu.org

> Hi Guix,
> 
>   I'm being required to set up a 2FA application to create
> one-time-passwords for a self-managed GitLab instance. The wrinkle is
> that I don't own a smartphone. Up until now I've been able to use 2FA
> over SMS for most systems I interact with, but GitLab doesn't support
> this option. Instead, there is a hard requirement on using a dedicated
> application for this purpose. The recommended choices are Google
> Authenticator and Microsoft Authenticator for either iOS or Android.
> Again, I don't have access to either of these operating systems, nor do
> I want to use these proprietary applications for (what should be) such a
> basic task.
> 
> In digging through the Guix package list, I found `authenticator`:

Hi Gary!

I recall keepassxc, beside being a password manager (and one I am
satisfied with), can also generate authentication codes :)

guix show keepassxc

Good luck with your task!

Wojtek

* Re: Problems with Gnome Authenticator 2FA
From: Eugen Stan @ 2023-02-23  9:01 UTC
  To: help-guix

On 23.02.2023 01:00, Wojtek Kosior via wrote:
> guix show keepassxc

Hi,

keepassxc is quite nice.
I am using the Debian version, not the guix version.

Most services supporting TOTP conforming with RFC also have a plain text
2FA setup code (besides the normal QR setup code).

keepassxc also has a browser extension named keepassxc-browser 
https://github.com/keepassxreboot/keepassxc-browser .

It does not seem to be packaged in guix.


Good luck,
-- 
Eugen Stan

* Re: Problems with Gnome Authenticator 2FA
From: Luis Felipe @ 2023-02-23 13:22 UTC
  To: Gary Johnson; +Cc: help-guix@gnu.org


Hi Gary,

For what it's worth, I see the same error you see when I run

guix shell authenticator -- authenticator

I'm using Guix System 2b1383c with GNOME as the desktop environment.


* Re: Problems with Gnome Authenticator 2FA
From: Gary Johnson @ 2023-02-26 20:13 UTC
  To: Wojtek Kosior; +Cc: help-guix@gnu.org

Wojtek Kosior <koszko@koszko.org> writes:

> I recall keepassxc, beside being a password manager (and one I am
> satisfied with), can also generate authentication codes :)
>
> guix show keepassxc

Thanks, Wojtek! I was able to use keepassxc to create a TOTP code for
GitLab 2FA.

I wonder if anyone is planning on fixing the broken GNOME Authenticator
package though?

Cheers,
  Gary

-- 
GPG Key ID: C4FBEDBD
Use `gpg --search-keys tracker@disroot.org' to find me