From the containerfile we have installed google-authenticator in the container. After having the container deployed to the physical server, the google authenticator PAM module cannot open/write the .google-authenticator file. The file rights and owner seem to be correct.
Dec 15 13:13:30 ses2-hypervisor-test login(pam_google_auth)[2060]: Failed to create tempfile "/var/home/admin/.google_authenticator~ovZ6Nd": Permission denied
Dec 15 13:13:30 ses2-hypervisor-test login(pam_google_auth)[2060]: Failed to update secret file "/var/home/admin/.google_authenticator": Permission denied
35963568 4 -rw-------. 1 admin admin 181 Dec 15 09:08 .google_authenticator
As root or admin I can open and edit .google-authenticator.
For the moment SELINUX has been disabled. In readonly mode everything works as expected.
Has anyone seen this?
-
I'm not quite sure about how the google-authenticator works here, but this does seem to be an odd permission issue. Does the google-authenticator use your admin user when attempting to write to this file? Do you have a Containerfile you can share?
-
We have tried changing the file rights but no solution has been found. I think a PAM process is not able to open the file .google_authenticator. For testing we are now using readonly mode, but we prefer not to do this in production.
We are installing the google authenticator RPM and then configuring as follows:
Setup google-authenticator
chmod 0600 /home/admin/.google_authenticator
chown admin:admin /home/admin/.google_authenticator
echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/login
echo "auth required pam_google_authenticator.so nullok" >> /etc/pam.d/sshd
This will lead to the error unless we add allow_readonly to the pam lines.
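
The log lines in the question show the update going through a sibling temp file (`.google_authenticator~ovZ6Nd`), so the directory has to be writable as well as the file. The following check is an added example, not part of the thread or of any project's code; the function name `check_ga_secret` and its exit codes are made up here, and it assumes GNU `stat`/`mktemp` and that it is run as the account that owns the secret file.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: check_ga_secret /path/to/.google_authenticator
# Assumption: run as the file's owner, since that is the identity whose access matters.
# Return codes: 0 ok, 1 not a regular file, 2 mode not owner-only, 3 no temp file possible.
check_ga_secret() {
    file=$1
    dir=$(dirname -- "$file")

    if [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file" >&2
        return 1
    fi

    mode=$(stat -c '%a' -- "$file")
    echo "file: mode=$mode owner=$(stat -c '%U:%G' -- "$file")"
    case "$mode" in
        600|400) ;;   # owner-only, matching the chmod 0600 used on the page
        *) echo "FAIL: mode $mode is not owner-only" >&2
           return 2 ;;
    esac

    # Mirror the failing step from the log: create "<file>~XXXXXX" next to
    # the secret file, then remove it again.
    echo "dir:  mode=$(stat -c '%a' -- "$dir") owner=$(stat -c '%U:%G' -- "$dir")"
    if tmp=$(mktemp "${file}~XXXXXX" 2>/dev/null); then
        rm -f -- "$tmp"
    else
        echo "FAIL: cannot create a temp file in $dir" >&2
        return 3
    fi

    # Informational only: print SELinux labels where ls supports -Z.
    ls -dZ -- "$dir" "$file" 2>/dev/null || true
    echo "OK: $(id -un) can update $file via a temp file in $dir"
    return 0
}
```

If this passes from an interactive shell as the owner while the login path still logs "Permission denied", the difference lies in the context the PAM stack runs in rather than in the file mode or ownership.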