From Michael Eliachevitch to ~kennylevinsen/greetd-devel
Hi,
I have configured a Yubikey as an alternative authentication method via pam_u2f by prepending the following line to my /etc/pam.d/greetd file:
auth sufficient pam_u2f.so cue nouserok origin=pam://hostname appid=pam://hostname
This works with any other security key. When I enter my username in gtkgreet, previously, I got prompted for a password. Now, when I have my Yubikey plugged in, after entering my username I see the cue "Please touch the device" (due to the "cue" in the pam.d/greetd line above) and I see a button named "login". Once I _click_ the button named "login", my Yubikey starts blinking and if I touch the Yubikey, I get logged in.
I would prefer if the Yubikey immediately starts blinking (requesting to be touched) once I enter my username and press enter, in the same screen that displays the "Please touch the device" hint. That I have to confirm first by pressing the "login" button seems redundant, as I confirm by pressing the Yubikey. Taking the password authentication as an example, this feels as if I would have to press another confirmation button between entering my username and entering my password.
Also it's annoying that I can't confirm the "login" button via my keyboard, I have to use my mouse. At least using "tab" to select didn't work, maybe there are some GTK shotcuts that I could use to select buttons by keyboard that I don't know.
Anyway, I'm not sure if this is easily solvable, because I assume the code is written in a general way, not assuming as specific pam.d login method. For those, where some text field input is required (like passwords or OTP via pam_google_authenticator.so), a confirmation of the text input makes sense. Also it makes sense to have it when pam_u2f.so is used as a second factor and not a standalone login method, as then the user needs to enter a password first anyway. But purely from a user point of view, I think for my specific use-case the user experience could be improved, so I thought I might point it out.