I got error : Failed to update secret file "/home/fatmin/.google_authenticator": Permission denied

[matineit]

After i key in verify code then i got error as below :

Sep 13 16:35:19 sshlinux sshd(pam_google_authenticator)[12375]: debug: start of google_authenticator for "fatmin" Sep 13 16:35:19 sshlinux sshd(pam_google_authenticator)[12375]: debug: Secret file permissions are 0400. Allowed permissions are 0770 Sep 13 16:35:19 sshlinux sshd(pam_google_authenticator)[12375]: debug: "/home/fatmin/.google_authenticator" read Sep 13 16:35:19 sshlinux sshd(pam_google_authenticator)[12375]: debug: shared secret in "/home/fatmin/.google_authenticator" processed Sep 13 16:35:40 sshlinux sshd(pam_google_authenticator)[12375]: debug: no scratch code used from "/home/fatmin/.google_authenticator" Sep 13 16:35:40 sshlinux sshd(pam_google_authenticator)[12375]: Accepted google_authenticator for fatmin Sep 13 16:35:40 sshlinux sshd(pam_google_authenticator)[12375]: Failed to update secret file "/home/fatmin/.google_authenticator": Permission denied

[matineit]

below is content of file : /etc/pam.d/sshd

#%PAM-1.0
auth       required     /usr/local/lib/security/pam_google_authenticator.so debug secret=${HOME}/.google_authenticator allowed_perm=0770 no_strict_owner
auth       required pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

Regards,

matine

[ThomasHabets]

1) Why do you have no_strict_owner? 2) Why do you set secret to what's already default? 3) Who owns the file? (user and group owner)

[matineit]

Dear ThomasHabets, 1-Why do you have no_strict_owner? 2-Why do you set secret to what's already default? ans :1&2 I got this error and tried to search google they suggested to used no_strict_owner and secret can help. Do i need to remove them ?

Who owns the file? (user and group owner)

[fatmin@sshlinux ~]$ pwd /home/fatmin [fatmin@sshlinux ~]$ ls -all .google_authenticator -r--------. 1 fatmin fatmin 136 Sep 13 16:26 .google_authenticator

Regards,

matine

[akerl]

Your file is 0400. So it's not writable. Which is why the PAM module can't write to it.

Best bet would be to make it writable if you want stuff to be able to write to it.

Also would recommend removing no_strict_owner and the secret settings.

[matineit]

Dear Akerl,

Can you suggest file permission mode ? pls give me command.

Regards,

matine

[akerl]

https://www.linode.com/docs/tools-reference/linux-users-and-groups

[matineit]

Dear Akerl, You said because of file is 0400 not writable. Which permission let to solve this issue ?

Regards,

matine

[akerl]

If you read the link I sent you, you should be able to identify the correct permission.

[matineit]

Dear Akerl, I try with permission 600,664,666 then message show

Sep 14 11:20:01 sshlinux sshd(pam_google_authenticator)[13294]: debug: start of google_authenticator for "fatmin" Sep 14 11:20:01 sshlinux sshd(pam_google_authenticator)[13294]: debug: Secret file permissions are 0664. Allowed permissions are 0770 Sep 14 11:20:01 sshlinux sshd(pam_google_authenticator)[13294]: Secret file "/home/fatmin/.google_authenticator" permissions (0664) are more permissive than 0770 Sep 14 11:20:01 sshlinux sshd(pam_google_authenticator)[13294]: No secret configured for user fatmin, asking for code anyway. Sep 14 11:20:06 sshlinux sshd(pam_google_authenticator)[13294]: Invalid verification code for fatmin Sep 14 11:20:10 sshlinux sshd[13292]: Connection closed by 127.0.0.1 Sep 14 11:20:35 sshlinux sshd(pam_google_authenticator)[13310]: debug: start of google_authenticator for "fatmin" Sep 14 11:20:35 sshlinux sshd(pam_google_authenticator)[13310]: debug: Secret file permissions are 0666. Allowed permissions are 0770 Sep 14 11:20:35 sshlinux sshd(pam_google_authenticator)[13310]: Secret file "/home/fatmin/.google_authenticator" permissions (0666) are more permissive than 0770 Sep 14 11:20:35 sshlinux sshd(pam_google_authenticator)[13310]: No secret configured for user fatmin, asking for code anyway. Sep 14 11:20:42 sshlinux sshd(pam_google_authenticator)[13310]: Invalid verification code for fatmin Sep 14 11:20:45 sshlinux sshd[13308]: Connection closed by 127.0.0.1

Regards,

matine

[akerl]

Those logs show 666 and 664. Both show an error message indicating why they don't work. There are no logs for 600 in your post.

[matineit]

Dear Akerl, [fatmin@sshlinux ~]$ chmod 755 .google_authenticator [fatmin@sshlinux ~]$ ssh fatmin@192.168.43.141

But log show :

Sep 14 11:31:14 sshlinux sshd(pam_google_authenticator)[13468]: debug: start of google_authenticator for "fatmin" Sep 14 11:31:14 sshlinux sshd(pam_google_authenticator)[13468]: debug: Secret file permissions are 0755. Allowed permissions are 0770 Sep 14 11:31:14 sshlinux sshd(pam_google_authenticator)[13468]: Secret file "/home/fatmin/.google_authenticator" permissions (0755) are more permissive than 0770 Sep 14 11:31:14 sshlinux sshd(pam_google_authenticator)[13468]: No secret configured for user fatmin, asking for code anyway. Sep 14 11:31:23 sshlinux sshd(pam_google_authenticator)[13468]: Invalid verification code for fatmin

Regards, mainte

[akerl]

You really ought to read the error messages you're posting. It says exactly why it's not working.

[matineit]

Dear Akerl, Now i think that we can read/write file /home/fatmin/.google_authenticator. but new issue is invalid code.

Regards,

matine

[ThomasHabets]

You're not giving us anything to go on.

[degerrit]

I hope this may help. I had the same issue syslog messages - "sshd(pam_google_authenticator)[17747]: Failed to update secret file "/home/username/.google_authenticator". Playing around with permissions (it was initially 0600, which seems to make sense) gave other errors - "Secret file "/home/username/.google_authenticator" must only be accessible", so I reverted back to 0600 which is quite sensible.

Long story short, after reinitializing by running google-authenticator again (and also failing)- I troubleshooted with strace and discovered "/home/username/.google_authenticator~" was being written to, and that file already existed, timestamped weeks ago.

My hunch is that a full disk during an attempted update of .google_authenticator~ and .google_authenticator (after login attempt?) resulted in the "~" file being left behind, and preventing future login attempts.

I can now replicate this error by simply running "touch \~/.google_authenticator~"

Bugfix: perhaps this '\~' tempfile should be deleted if it exists? Or the syslog error message should refer to the existence of the '\~' tempfile itself, not the .google_authenticator file itself.

[ThomasHabets]

@degerrit The error message you quote tells me you're not running the latest version, but something from before https://github.com/google/google-authenticator-libpam/commit/ac18a012cecc46c7603f5ce5597411461a3854d8.

One solution is to use mkstemp(3), creating a new unique file name each time. That's better than deleting a file that we don't know how it was created.

I have the code almost ready for this. Will upload soon, and will assume this closes this issue.

[tagorenathv]

M having same issue. Whats the work around for this?

[akerl]

You should probably open a fresh issue and provide details on your configuration, what behavior you're seeing, what you expect to see, and the exact error message you're getting.