Two Factor Authentication App on Pinephone

Published 2020-04-09 on Anjan's Homepage

I picked up the pinephone but it wasn't daily driver ready. A couple days ago, my android phone completely broke so I needed to make the pinephone daily driver ready. First things first - I need a two factor authentication app for my phone.

1 Issues with gnome-authenticator

On postmarketos, gnome-authenticator is my preferred two factor authentication app because it is in the main repositories and it works. However, debian is currently a much better experience daily driving. I've fixed a couple of issues in postmarketos and I'd love to use it but right now I need an os that works [1].

Debian lacks a package for gnome-authenticator. I tried installing gnome-authenticator from flatpak and the app did launch but adding a provider caused the app to crash. Launching gnome-authenticator a second time caused a giant error and the app never opened again [2].

2 pass-otp

Using the command line on the pinephone is a pain. I often leave my phone upstairs and when a totp/hotp challenge appears in my web browser, I have to walk upstairs and get the totp pin. However, if I use a command line two factor application, I can simply ssh and get the otp.

Currently, I use gopass and I found a simple application that integrates with gopass: pass-otp [3]. Furthermore, pass-otp has support for importing my android otp client's (freeotp) uri backup.

Installing pass-otp on debian is as simple as running:

sudo apt install pass-extension-otp

2.1 RTC and pass-otp

After installing pass-otp and trying to generate some otps, I would always get the incorrect otp. The time on my system was correct but the time on my rtc was incorrect.

To check the time, I ran sudo timedatectl and got the following output:

debian@pinephone:~/go/gopass$ sudo timedatectl
               Local time: Thu 2020-04-09 19:43:42 PDT
           Universal time: Fri 2020-04-10 02:43:42 UTC
                 RTC time: Fri 2020-04-10 02:43:43
                Time zone: America/Vancouver (PDT, -0700)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

My RTC time is universal time. To change RTC time to local time, I ran:

sudo timedatectl set-local-rtc true

Finally, as a check I ran sudo timedatectl and found my RTC time was now synced with local time:

               Local time: Thu 2020-04-09 19:44:13 PDT
           Universal time: Fri 2020-04-10 02:44:13 UTC
                 RTC time: Thu 2020-04-09 19:44:14
                Time zone: America/Vancouver (PDT, -0700)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: yes

Warning: The system is configured to read the RTC time in the local time zone.
         This mode cannot be fully supported. It will create various problems
         with time zone changes and daylight saving time adjustments. The RTC
         time is never updated, it relies on external facilities to maintain it.
         If at all possible, use RTC in UTC by calling
         'timedatectl set-local-rtc 0'.

Now, I get the correct otp with pass-otp but I may run into problems like the warning above says. If you have a better way to fix this issue, please email me.

For now, it works and I might write a gui for pass-otp like I did for gopass with mobpass. I still need to change mobpass to work with kirigami.
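Added example (not part of the original post): TOTP as specified in RFC 6238 is computed from the number of seconds since the Unix epoch, so a generator whose clock is off produces a different code. The sketch below implements the algorithm, shows the effect of a clock that is wrong by the 7-hour PDT offset seen in the timedatectl output, and recovers the offset from a code known to be correct. The secret is the RFC's test secret, and find_skew and the skewed clock are hypothetical names and values made up for this illustration.

```python
import base64, hashlib, hmac, struct
from datetime import datetime, timezone

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix timestamp."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // step          # time-step number since the epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def find_skew(secret_b32, good_code, local_unix_time, max_hours=14, step=30):
    """Search outward from the local clock for the shift (in seconds)
    that reproduces good_code. Returns None if nothing matches."""
    digits = len(good_code)
    for n in range(max_hours * 3600 // step + 1):
        for delta in ((0,) if n == 0 else (n * step, -n * step)):
            if totp(secret_b32, local_unix_time + delta, step, digits) == good_code:
                return delta
    return None

# Constructed sample data: the RFC 6238 test secret, not a real account.
SECRET = base64.b32encode(b"12345678901234567890").decode()
# Universal time taken from the first timedatectl output in this post.
TRUE_TIME = int(datetime(2020, 4, 10, 2, 43, 42, tzinfo=timezone.utc).timestamp())
# Hypothetical broken clock: epoch time behind by the 7-hour PDT offset.
SKEWED_TIME = TRUE_TIME - 7 * 3600

if __name__ == "__main__":
    good = totp(SECRET, TRUE_TIME, digits=8)
    bad = totp(SECRET, SKEWED_TIME, digits=8)
    print("code from correct clock:", good)
    print("code from skewed clock: ", bad)
    print("clock must move by", find_skew(SECRET, good, SKEWED_TIME), "seconds")
```

With 6-digit codes a match inside a 14-hour search window can occasionally be a coincidence, so confirm a reported skew against a second code.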

Footnotes:

[1] My issues with daily driving postmarketos are documented here.

[2] I should probably report the following error:

debian@pinephone:~$ flatpak run com.github.bilelmoussaoui.Authenticator
Traceback (most recent call last):
  File "/app/lib/python3.7/site-packages/Authenticator/application.py", 
    line 59, in do_startup self._setup_actions()
  File "/app/lib/python3.7/site-packages/Authenticator/application.py", 
    line 142, in _setup_actions Keyring.get_default().
    connect("notify::can-be-locked",
  File "/app/lib/python3.7/site-packages/Authenticator/models/keyring.py", 
    line 49, in get_default Keyring.instance = Keyring()
  File "/app/lib/python3.7/site-packages/Authenticator/models/keyring.py", 
    line 44, in __init__ self.props.can_be_locked = 
    self.is_password_enabled() and self.has_password()
  File "/app/lib/python3.7/site-packages/Authenticator/models/keyring.py", 
    line 136, in is_password_enabled
    state = Secret.password_lookup_sync(schema, {}, None)
gi.repository.GLib.Error: g-io-error-quark: user interaction failed (0)
Traceback (most recent call last):
  File "/app/lib/python3.7/site-packages/Authenticator/application.py", 
    line 77, in do_activate 
    window = Window.get_default()
  File "/app/lib/python3.7/site-packages/Authenticator/widgets/window.py", 
    line 70, in get_default
    Window.instance = Window()
  File "/app/lib/python3.7/site-packages/Authenticator/widgets/window.py", 
    line 62, in __init__
    AccountsManager.get_default()

[3] I know gopass has otp support but gopass in debian's official repos is ancient. I tried to go get gopass but I got a known error. Building from source is not an option cause I want my password manager to auto-update.

Have a comment on one of my posts? Start a discussion in my public inbox by sending an email to ~anjan/public-inbox@lists.sr.ht [mailing list etiquette]
