Two Factor Authentication App on Pinephone

Published 2020-04-09 on Anjan's Homepage

I picked up the pinephone but it wasn’t daily driver ready. A couple days ago, my android phone completely broke so I needed to make the pinephone daily driver ready. First things first - I need a two factor authentication app for my phone.

Issues with gnome-authenticator

On postmarketos, gnome-authenticator is my preferred two factor authentication app because it is in the main repositories and it works. However, debian is currently a much better experience daily driving. I’ve fixed a couple of issues in postmarketos and I’d love to use it but right now I need an os that works [1].

Debian lacks a package for gnome-authenticator. I tried installing gnome-authenticator from flatpak and the app did launch but adding a provider caused the app to crash. Launching gnome-authenticator a second time caused a giant error and the app never opened again [2].

pass-otp

Using the command line on the pinephone is a pain. I often leave my phone upstairs and when a totp/hotp challenge appears in my web browser, I have to walk upstairs and get the totp pin. However, if I use a command line two factor application, I can simply ssh and get the otp.

Currently, I use gopass and I found a simple application that integrates with gopass: pass-otp [3]. Furthermore, pass-otp has support for importing my android otp client’s (freeotp) uri backup.

Installing pass-otp on debian is as simple as running:

sudo apt install pass-extension-otp

RTC and pass-otp

After installing pass-otp and trying to generate some otps, I would always get the incorrect otp. The time on my system was correct but the time on my rtc was incorrect.

To check the time, I ran sudo timedatectl and got the following output:

debian@pinephone:~/go/gopass$ sudo timedatectl
               Local time: Thu 2020-04-09 19:43:42 PDT
           Universal time: Fri 2020-04-10 02:43:42 UTC
                 RTC time: Fri 2020-04-10 02:43:43
                Time zone: America/Vancouver (PDT, -0700)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

My RTC time is universal time. To change RTC time to local time, I ran:

sudo timedatectl set-local-rtc true

Finally, as a check I ran sudo timedatectl and found my RTC time was now synced with local time:

               Local time: Thu 2020-04-09 19:44:13 PDT
           Universal time: Fri 2020-04-10 02:44:13 UTC
                 RTC time: Thu 2020-04-09 19:44:14
                Time zone: America/Vancouver (PDT, -0700)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: yes

Warning: The system is configured to read the RTC time in the local time zone.
         This mode cannot be fully supported. It will create various problems
         with time zone changes and daylight saving time adjustments. The RTC
         time is never updated, it relies on external facilities to maintain it.
         If at all possible, use RTC in UTC by calling
         'timedatectl set-local-rtc 0'.

Now, I get the correct otp with pass-otp but I may run into problems like the warning above says. If you have a better way to fix this issue, please email me.
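TOTP codes are computed from the Unix time in 30-second steps, so a clock that is off by hours produces codes the server rejects. The following is an added example, not code from this post or from pass-otp: it computes RFC 6238 codes from an otpauth:// URI and searches for the clock offset at which a known-good code becomes valid. The function names and the sample URI (built from the RFC 6238 test secret) are assumptions for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the RFC 6238 test secret ("12345678901234567890") in an
# otpauth:// URI of the kind an OTP client exports. Not a real account.
SAMPLE_URI = ("otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example&digits=6&period=30")

def parse_uri(uri):
    """Return (key_bytes, digits, period) from an otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(parsed.query)
    secret = q["secret"][0].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # b32decode requires padding
    return (base64.b32decode(secret),
            int(q.get("digits", ["6"])[0]),
            int(q.get("period", ["30"])[0]))

def totp(uri, unix_time):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time in seconds."""
    key, digits, period = parse_uri(uri)
    counter = int(unix_time) // period  # the only time input: UTC epoch steps
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F             # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def find_clock_offset(uri, code, local_time, max_hours=14):
    """Return the offsets (seconds) within +/- max_hours at which `code` is valid.

    `code` is a code known to be accepted right now; `local_time` is what the
    suspect clock reports. A non-zero result means that clock is skewed.
    """
    _, _, period = parse_uri(uri)
    steps = max_hours * 3600 // period
    return [s * period for s in range(-steps, steps + 1)
            if hmac.compare_digest(totp(uri, local_time + s * period), code)]
```

A clock that is 7 hours behind (the size of the PDT offset in the output above) is 840 steps away from the correct counter, far outside the one or two steps of drift that servers usually tolerate.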

For now, it works and I might write a gui for pass-otp like I did for gopass with mobpass. I still need to change mobpass to work with kirigami.

Footnotes:

[1]

My issues with daily driving postmarketos are documented here.

[2]

I should probably report the following error:

debian@pinephone:~$ flatpak run com.github.bilelmoussaoui.Authenticator
Traceback (most recent call last):
  File "/app/lib/python3.7/site-packages/Authenticator/application.py", 
    line 59, in do_startup self._setup_actions()
  File "/app/lib/python3.7/site-packages/Authenticator/application.py", 
    line 142, in _setup_actions Keyring.get_default().
    connect("notify::can-be-locked",
  File "/app/lib/python3.7/site-packages/Authenticator/models/keyring.py", 
    line 49, in get_default Keyring.instance = Keyring()
  File "/app/lib/python3.7/site-packages/Authenticator/models/keyring.py", 
    line 44, in __init__ self.props.can_be_locked = 
    self.is_password_enabled() and self.has_password()
  File "/app/lib/python3.7/site-packages/Authenticator/models/keyring.py", 
    line 136, in is_password_enabled
    state = Secret.password_lookup_sync(schema, {}, None)
gi.repository.GLib.Error: g-io-error-quark: user interaction failed (0)
Traceback (most recent call last):
  File "/app/lib/python3.7/site-packages/Authenticator/application.py", 
    line 77, in do_activate 
    window = Window.get_default()
  File "/app/lib/python3.7/site-packages/Authenticator/widgets/window.py", 
    line 70, in get_default
    Window.instance = Window()
  File "/app/lib/python3.7/site-packages/Authenticator/widgets/window.py", 
    line 62, in __init__
    AccountsManager.get_default()

[3]

I know gopass has otp support but gopass in debian’s official repos is ancient. When I ran go get gopass, I got a known error. Building from source is not an option cause I want my password manager to auto-update.
