google / google-authenticator-libpam

Apache License 2.0

.google_authenticator file permissions issue #115

Closed Anvano closed 5 years ago

Anvano commented 5 years ago

After setting the secret=/var/unencrypted-home/${USER}/.google_authenticator option (encrypted home directories), I noticed an error message in auth.log:

"sshd(pam_google_authenticator)[15301]: Secret file permissions are 0400. Allowed permissions are 0600"

OK. I changed the permissions to 0600. Double-checked it! After login, the permissions on this file had been reset to 0400.

I tried once more: 1) changed the permissions to 0600, 2) tried to log in, 3) checked the permissions, and again they had been changed to 0400.

It seems that pam_google_authenticator.so is changing the file permissions to 0400 upon login, thus preventing subsequent login attempts with the error message above.

ThomasHabets commented 5 years ago

To clarify for future readers: Allowed permissions are 0400 (read) and 0200 (write), which combine to 0600. The message means no other bits are allowed. And the difference between 0600 and 0400 doesn't prevent login.
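
The rule described in the last comment, written out as an added example (not code from google-authenticator-libpam): the allowed value is a mask, so a file passes when it has no permission bits outside 0600, which makes both 0400 and 0600 acceptable. The names `disallowed_bits` and `check_secret_file` are hypothetical, and the owner check and the use of fstat() on an open descriptor are assumptions of this sketch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits set in `mode` that fall outside the `allowed` mask.
 * 0 means acceptable: the mask is an upper bound, not an exact match,
 * so 0400 and 0600 both pass against 0600 while 0640 does not. */
static mode_t disallowed_bits(mode_t mode, mode_t allowed) {
    return (mode & 07777) & ~allowed;
}

/* Hypothetical helper: returns 0 if the secret file is acceptable, -1 if not.
 * The file is opened first and inspected with fstat() so the checks apply
 * to the file actually opened, not to whatever the path names later. */
static int check_secret_file(const char *path, uid_t owner, mode_t allowed) {
    struct stat sb;
    int rc = -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        perror(path);
        return -1;
    }
    if (fstat(fd, &sb) != 0) {
        perror("fstat");
    } else if (!S_ISREG(sb.st_mode)) {
        fprintf(stderr, "%s: not a regular file\n", path);
    } else if (sb.st_uid != owner) {
        fprintf(stderr, "%s: owned by uid %ld, expected uid %ld\n",
                path, (long)sb.st_uid, (long)owner);
    } else if (disallowed_bits(sb.st_mode, allowed) != 0) {
        fprintf(stderr, "%s: permissions are %04o, allowed permissions are %04o\n",
                path, (unsigned)(sb.st_mode & 07777), (unsigned)allowed);
    } else {
        rc = 0;
    }
    close(fd);
    return rc;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <secret-file>\n", argv[0]);
        return 2;
    }
    return check_secret_file(argv[1], getuid(), 0600) == 0 ? 0 : 1;
}
```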