Is it ok if I resurrect this one? It feels similar to an issue I had today, trying to enable 2FA for my login.
I messed up big time today - and spent the whole day troubleshooting - trying to set up 2FA/TOTP password for my user in Garuda Linux (KDE Dragonized).
Following ChatGPT instructions, I ran:
sudo pacman -S libpam-google-authenticator
Then
google-authenticator
Went through the script, and got the totp tested and saved to my password manager.
I also edited the system-auth file, and included the line:
auth required pam_google_authenticator.so
What happened was that when asking for my password, trying to log in or run “sudo”, it didn’t accept my password anymore.
When asking to input a “password”, only the TOTP was accepted. But then it kept asking for a “verification code” and nothing worked there.
It was as if it forgot about my original password. I had to boot on a second distro I own, mounted the garuda drive, and edited the file back to original.
I still want to set 2fa for logins and sudo, etc. What should I have done additionally?
Give a look at this Wiki article (just seen for the first time): https://wiki.archlinux.org/title/Google_Authenticator
It seems mainly focused on ssh access, but there’s a section for Desktop Login.
Unfortunately it seems to be feasible only with GDM, not with SDDM.
This seems to be confirmed here (and somewhere else searching on the Internet):
But in this other issue there are some suggested workarounds:
It might be quite complex, but at least it is a starting pint…