Open MureDanta opened 4 years ago
Old topic, but is there some solution to this? I ran into a similar issue with CentOS 8. It sounds like an SELinux problem, but I didn't find anything in the auditd logs.
If the challenge is in the home directory, pam works flawlessly. I'm quite happy with that because I don't see any added value in having it in a system directory, but people will try to do as documented.
I'm experimenting with challenge-response using a Yubikey 5 NFC on Fedora 30 with the pam_yubico-0:2.26-3.fc30.x86_64 package installed. When I set things up in the default mode, with the challenge file in ~/.yubico, everything seems to work OK, but when I modify the configuration to use a systemwide directory to hold the challenges I get a permissions error when the module attempts to write back the new challenge.
I configured the systemwide directory as /etc/yubico and set permissions as recommended:
What happens when I log in (with the Yubikey inserted, of course), is that I am able to log in, but in the debug log I see this:
So what happens is that, because the module is unable to write back the updated challenge, the next time I log in it presents the same challenge, so the Yubikey computes a response based on that, which is then accepted, and what should be an OTP turns, essentially, into a static password. Do I need to set some SELinux labels to allow PAM access to /etc/yubico? Obviously I don't want to give users write access to this directory. Right now the directory/files have:
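As an added example (this is not code from the issue or from pam_yubico), the following Python simulation shows the failure mode the report describes: an HMAC-SHA1 challenge-response verifier that rotates its challenge after each successful login, compared with one whose write-back fails. The file layout (one challenge plus the token's response to it), the 63-byte challenge, the 20-byte secret and the attacker model (someone who captured one earlier response, for example on the USB path, but never holds the token) are assumptions for the demo, not details taken from the page.

```python
"""Added simulation (not pam_yubico's own code): why a challenge file that
cannot be rewritten after a successful login turns HMAC-SHA1
challenge-response into a replayable static secret.

Assumptions (not from the issue): the state file holds one challenge plus the
response the token gave to it; a 63-byte challenge; the attacker has captured
one earlier response but never holds the token."""
import hashlib
import hmac
import os
from typing import List, Optional


class FakeYubiKey:
    """Stand-in for the token's HMAC-SHA1 slot: the secret never leaves it."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class ChalRespFile:
    """Models the per-user challenge file written by the PAM module."""

    def __init__(self, challenge: bytes, expected: bytes) -> None:
        self.challenge = challenge
        self.expected = expected


class Verifier:
    """Models the PAM module: check the response, then rotate the challenge."""

    def __init__(self, state: ChalRespFile, writable: bool) -> None:
        self.state = state
        self.writable = writable  # False models the EACCES / SELinux write failure
        self.log: List[str] = []

    def login(self, response: bytes, token: Optional[FakeYubiKey] = None) -> bool:
        if not hmac.compare_digest(response, self.state.expected):
            return False
        if token is not None:  # legitimate session: token is present for rotation
            new_challenge = os.urandom(63)  # assumed challenge size
            rotated = ChalRespFile(new_challenge, token.respond(new_challenge))
            if self.writable:
                self.state = rotated
            else:
                # The module authenticated the user but could not persist the
                # new challenge, so the old one stays in effect for next time.
                self.log.append("write-back failed; old challenge stays in effect")
        return True


def enroll(token: FakeYubiKey) -> ChalRespFile:
    """Initial file: a fresh challenge and the token's response to it."""
    challenge = os.urandom(63)
    return ChalRespFile(challenge, token.respond(challenge))


def scenario(writable: bool) -> dict:
    """Run one legitimate login with the token, then a replay of the captured
    response without the token. Returns which of the two logins succeeded."""
    token = FakeYubiKey(os.urandom(20))  # 20-byte HMAC-SHA1 secret (assumed)
    verifier = Verifier(enroll(token), writable=writable)

    # The user authenticates; an attacker on the USB path records the response.
    captured = token.respond(verifier.state.challenge)
    legit_ok = verifier.login(captured, token=token)

    # The attacker replays the captured bytes without holding the token.
    replay_ok = verifier.login(captured)
    return {"legit_ok": legit_ok, "replay_ok": replay_ok, "log": verifier.log}


if __name__ == "__main__":
    for writable in (True, False):
        print("writable" if writable else "read-only", scenario(writable))
```

With a writable state file the replay is rejected because the challenge changed; with a read-only one the same challenge is presented again and the captured response is accepted, which is exactly the static-password degradation the report describes. On the real system, if SELinux is what blocks the write, the denial is recorded as an AVC event in the audit log (`ausearch -m AVC -ts recent` is the usual way to find it); if nothing is there, plain DAC ownership and mode bits on /etc/yubico and the per-user file are the first thing to re-check.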