* Problems with Gnome Authenticator 2FA
From: Gary Johnson @ 2023-02-22 22:01 UTC (permalink / raw)
To: help-guix@gnu.org
Hi Guix,
I'm being required to set up a 2FA application to create
one-time-passwords for a self-managed Gitlab instance. The wrinkle is
that I don't own a smartphone. Up until now I've been able to use 2FA
over SMS for most systems I interact with, but Gitlab doesn't support
this option. Instead, there is a hard requirement on using a dedicated
application for this purpose. The recommended choices are Google
Authenticator and Microsoft Authenticator for either iOS or Android.
Again, I don't have access to either of these operating systems, nor do
I want to use these proprietary applications for (what should be) such a
basic task.
In digging through the Guix package list, I found `authenticator`:
==========================================================================
name: authenticator
version: 3.32.2
outputs:
+ out: everything
systems: x86_64-linux
dependencies: desktop-file-utils@0.26 gettext-minimal@0.21 glib@2.70.2 gobject-introspection@1.66.1 gsettings-desktop-schemas@41.0 gtk+@3.24.30 libhandy@0.0.13
+ libsecret@0.20.5 pkg-config@0.29.2 python-beautifulsoup4@4.11.1 python-pillow@9.2.0 python-pyfavicon@0.1.1 python-pygobject@3.40.1 python-pyotp@2.7.0
+ python-pyzbar@0.1.8 python@3.9.9 yoyo-migrations@7.2.0 zbar@0.23.90
location: gnu/packages/gnome.scm:10394:2
homepage: https://gitlab.gnome.org/World/Authenticator/
license: GPL 3+
synopsis: Two-factor authentication application built for GNOME
description: Authenticator is a two-factor authentication (2FA) application built for the GNOME desktop environment.
+
+ Features:
+
+ * QR code scanner
+
+ * Beautiful UI
+
+ * Huge database of more than 560 supported services
+
+ * Keep your PIN tokens secure by locking the application with a password
+
+ * Automatically fetch an image for services using their favicon
+
+ * The possibility to add new services
==========================================================================
It looks like a reasonable FOSS option, so I tried it out via `guix
shell`:
```
$ guix shell authenticator -- authenticator
```
Unfortunately, I just get a program crash and a stacktrace:
==========================================================================
Traceback (most recent call last):
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 59, in do_startup
self._setup_actions()
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 142, in _setup_actions
Keyring.get_default().connect("notify::can-be-locked",
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 49, in get_default
Keyring.instance = Keyring()
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 44, in __init__
self.props.can_be_locked = self.is_password_enabled() and self.has_password()
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/models/keyring.py", line 136, in is_password_enabled
state = Secret.password_lookup_sync(schema, {}, None)
gi.repository.GLib.GError: g-dbus-error-quark: The name org.freedesktop.secrets was not provided by any .service files (2)
Traceback (most recent call last):
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 77, in do_activate
window = Window.get_default()
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
Window.instance = Window()
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
self.init_template('Window')
TypeError: <lambda>() takes 0 positional arguments but 1 was given
==========================================================================
The line that stuck out to me was this one:
```
gi.repository.GLib.GError: g-dbus-error-quark: The name
org.freedesktop.secrets was not provided by any .service files (2)
```
A little web searching led me to understand that I need to have the
`gnome-keyring` daemon running. (I wish that had been in the package
documentation.)
Okay, so I reviewed the Guix manual, and I found this info:
==========================================================================
-- Variable: gnome-keyring-service-type
This is the type of the service that adds the GNOME Keyring
(https://wiki.gnome.org/Projects/GnomeKeyring). Its value is a
‘gnome-keyring-configuration’ object (see below).
This service adds the ‘gnome-keyring’ package to the system profile
and extends PAM with entries using ‘pam_gnome_keyring.so’,
unlocking a user’s login keyring when they log in or setting its
password with passwd.
-- Data Type: gnome-keyring-configuration
Configuration record for the GNOME Keyring service.
‘keyring’ (default: ‘gnome-keyring’)
The GNOME keyring package to use.
‘pam-services’
A list of ‘(SERVICE . KIND)’ pairs denoting PAM services to
extend, where SERVICE is the name of an existing service to
extend and KIND is one of ‘login’ or ‘passwd’.
If ‘login’ is given, it adds an optional
‘pam_gnome_keyring.so’ to the auth block without arguments and
to the session block with ‘auto_start’. If ‘passwd’ is given,
it adds an optional ‘pam_gnome_keyring.so’ to the password
block without arguments.
By default, this field contains “gdm-password” with the value
‘login’ and “passwd” is with the value ‘passwd’.
==========================================================================
As my next step, I added this service to my `operating-system`
definition and rebuilt my machine with `sudo guix system reconfigure
system.scm`:
```
(service gnome-keyring-service-type (gnome-keyring-configuration))
```
FYI, I'm using EXWM as my window manager.
After a reboot, I didn't see any new services running with `sudo herd
status`, so I'm not entirely sure how to verify that the
gnome-keyring-daemon is running and check its status. I tried `pgrep
gnome-keyring` and got a PID back. However, when I run `authenticator`,
I just get exactly the same error again as above, indicating that the
client application isn't able to talk to the DBUS service provided by
`gnome-keyring`.
As a last ditch effort, I tried creating another shell in which to start
up the `gnome-keyring-daemon` manually.
```
$ guix shell gnome-keyring authenticator
$ gnome-keyring-daemon --start
** Message: 13:57:16.939: couldn't access control socket: /run/user/1000/keyring/control: No such file or directory
discover_other_daemon: 0SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
$ pgrep gnome
1727 gnome-keyring-d
$ authenticator
Traceback (most recent call last):
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 208, in _is_locked_changed
Window.get_default().refresh_view()
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
Window.instance = Window()
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
self.init_template('Window')
TypeError: <lambda>() takes 0 positional arguments but 1 was given
Traceback (most recent call last):
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/application.py", line 77, in do_activate
window = Window.get_default()
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 70, in get_default
Window.instance = Window()
File "/gnu/store/wj5xf38czxxm0jh6lvc5zxy8c7zfg5d3-authenticator-3.32.2/lib/python3.9/site-packages/Authenticator/widgets/window.py", line 55, in __init__
self.init_template('Window')
TypeError: <lambda>() takes 0 positional arguments but 1 was given
```
So...not great. I got the sense from the first output message that
`gnome-keyring` was somehow interacting badly with `ssh-agent`.
The second piece of bad information is that `authenticator` is, of
course, still crashing. Now it looks like it's talking to
`gnome-keyring-daemon`, but it's throwing a new error related to a
function call arity mistake:
```
TypeError: <lambda>() takes 0 positional arguments but 1 was given
```
AFAICT, this is an error in the `authenticator` application.
My question to the mailing list then is:
"Does anyone else have any experience with setting up authenticator, the
gnome-keyring service, or any other mechanism for 2FA on a Guix System
desktop?"
Thanks in advance, folks.
~Gary
--
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
Why is HTML email a security nightmare? See https://useplaintext.email/
Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
* Re: Problems with Gnome Authenticator 2FA
From: Wojtek Kosior via @ 2023-02-22 23:00 UTC (permalink / raw)
To: Gary Johnson; +Cc: help-guix@gnu.org
> Hi Guix,
>
> I'm being required to set up a 2FA application to create
> one-time-passwords for a self-managed Gitlab instance. The wrinkle is
> that I don't own a smartphone. Up until now I've been able to use 2FA
> over SMS for most systems I interact with, but Gitlab doesn't support
> this option. Instead, there is a hard requirement on using a dedicated
> application for this purpose. The recommended choices are Google
> Authenticator and Microsoft Authenticator for either iOS or Android.
> Again, I don't have access to either of these operating systems, nor do
> I want to use these proprietary applications for (what should be) such a
> basic task.
>
> In digging through the Guix package list, I found `authenticator`:
Hi Gary!
I recall keepassxc, beside being a password manager (and one I am
satisfied with), can also generate authentication codes :)
guix show keepassxc
Good luck with your task!
Wojtek
* Re: Problems with Gnome Authenticator 2FA
From: Eugen Stan @ 2023-02-23 9:01 UTC (permalink / raw)
To: help-guix
On 23.02.2023 01:00, Wojtek Kosior via wrote:
> guix show keepassxc
Hi,
keepassxc is quite nice.
I am using the Debian version, not the guix version.
Most services supporting TOTP conforming with RFC also have a plain text
2FA setup code (besides the normal QR setup code).
keepassxc also has a browser extension named keepassxc-browser
https://github.com/keepassxreboot/keepassxc-browser .
It does not seem to be packaged in guix.
Good luck,
--
Eugen Stan
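
Added example, not part of the original thread and not code from keepassxc or GNOME Authenticator: what any RFC 6238 client computes from the plain-text (base32) setup key mentioned above, using only the Python standard library. The sample key is constructed from the RFC 6238 test secret; the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample: base32 of the RFC 6238 test secret "12345678901234567890".
# A real setup key is a long-term shared secret; keep it in an encrypted store.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_setup_key(key: str) -> bytes:
    """Decode the base32 setup key a service shows next to its QR code."""
    # Keys are often displayed lowercase, in groups, and without '=' padding.
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: str, now: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if now is None:
        now = time.time()
    return hotp(decode_setup_key(key), int(now // step), digits)


def seconds_remaining(now: Optional[float] = None, step: int = 30) -> int:
    """Seconds until the current code rolls over."""
    if now is None:
        now = time.time()
    return step - int(now) % step


if __name__ == "__main__":
    print(totp(SAMPLE_KEY), "valid for", seconds_remaining(), "s")
```

The code depends on the local clock; a machine whose time has drifted by more than the server's tolerance will produce codes the server rejects.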
* Re: Problems with Gnome Authenticator 2FA
From: Luis Felipe @ 2023-02-23 13:22 UTC (permalink / raw)
To: Gary Johnson; +Cc: help-guix@gnu.org
Hi Gary,
For what it's worth, I see the same error you see when I run
guix shell authenticator -- authenticator
I'm using Guix System 2b1383c with GNOME as the desktop environment.
* Re: Problems with Gnome Authenticator 2FA
From: Gary Johnson @ 2023-02-26 20:13 UTC (permalink / raw)
To: Wojtek Kosior; +Cc: help-guix@gnu.org
Wojtek Kosior <koszko@koszko.org> writes:
> I recall keepassxc, beside being a password manager (and one I am
> satisfied with), can also generate authentication codes :)
>
> guix show keepassxc
Thanks, Wojtek! I was able to use keepassxc to create a TOTP code for
Gitlab 2FA.
I wonder if anyone is planning on fixing the broken GNOME Authenticator
package though?
Cheers,
Gary
--
GPG Key ID: C4FBEDBD
Use `gpg --search-keys tracker@disroot.org' to find me