You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Apr 6, 2021. It is now read-only.
Original issue 341 created by superarya on 2013-11-11T03:55:42.000Z:
As a security administrator, I want the google authenticator PAM module to be enhanced with a new option that, if invoked, changes its behaviour to use an external helper program to validate token codes (instead of accessing the secret file directly), so that the secret file can be made to be unreadable by the authenticating user.
The use case here is that we use public key authentication for general login over SSH, but then everything else (eg sudo) requires both pam_unix and pam_google_authenticator to succeed. If the user's account has been compromised, the malicious attacker will be able to read the secret file and configure their own UI with the key and elevate privileges via sudo. Worse still, they will be able to read the scratch codes, which are stored in plain text (!!).
The way pam_unix has overcome the very same problem with the /etc/shadow file is to make calls to the unix_chkpwd utility, which on debian-based systems has setgid set with group shadow (and the /etc/shadow file's group is also shadow). I'd like to suggest that we follow the same approach here, and store the secret files under a subdirectory in /etc with appropriately set permissions.
The google authenticator is a fantastic product, I'm really looking forward to promoting it and implementing it for my enterprise clients.
The text was updated successfully, but these errors were encountered:
The issue 341 link doesn't seem to relate to this issue, but it seems like this behaviour is already supported.
you can remove the users' access to the file, and have RW access to root only. This is supported by the user pam option. You can also move these files out of the users's home directory with the secret pam option.
Original issue 341 created by superarya on 2013-11-11T03:55:42.000Z:
As a security administrator, I want the google authenticator PAM module to be enhanced with a new option that, if invoked, changes its behaviour to use an external helper program to validate token codes (instead of accessing the secret file directly), so that the secret file can be made to be unreadable by the authenticating user.
The use case here is that we use public key authentication for general login over SSH, but then everything else (eg sudo) requires both pam_unix and pam_google_authenticator to succeed. If the user's account has been compromised, the malicious attacker will be able to read the secret file and configure their own UI with the key and elevate privileges via sudo. Worse still, they will be able to read the scratch codes, which are stored in plain text (!!).
The way pam_unix has overcome the very same problem with the /etc/shadow file is to make calls to the unix_chkpwd utility, which on debian-based systems has setgid set with group shadow (and the /etc/shadow file's group is also shadow). I'd like to suggest that we follow the same approach here, and store the secret files under a subdirectory in /etc with appropriately set permissions.
The google authenticator is a fantastic product, I'm really looking forward to promoting it and implementing it for my enterprise clients.
The text was updated successfully, but these errors were encountered: