This repository has been archived by the owner on Apr 6, 2021. It is now read-only.
Enhance PAM module so that the secret file is not visible to the user #340
Labels
Comments
|
The issue 341 link doesn't seem to relate to this issue, but it seems like this behaviour is already supported. you can remove the users' access to the file, and have RW access to root only. This is supported by the I think this issue can be marked resolved. |
|
Yeah, this feature has existed since 2011, I think. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Original issue 341 created by superarya on 2013-11-11T03:55:42.000Z:
As a security administrator, I want the google authenticator PAM module to be enhanced with a new option that, if invoked, changes its behaviour to use an external helper program to validate token codes (instead of accessing the secret file directly), so that the secret file can be made to be unreadable by the authenticating user.
The use case here is that we use public key authentication for general login over SSH, but then everything else (eg sudo) requires both pam_unix and pam_google_authenticator to succeed. If the user's account has been compromised, the malicious attacker will be able to read the secret file and configure their own UI with the key and elevate privileges via sudo. Worse still, they will be able to read the scratch codes, which are stored in plain text (!!).
The way pam_unix has overcome the very same problem with the /etc/shadow file is to make calls to the unix_chkpwd utility, which on debian-based systems has setgid set with group shadow (and the /etc/shadow file's group is also shadow). I'd like to suggest that we follow the same approach here, and store the secret files under a subdirectory in /etc with appropriately set permissions.
The google authenticator is a fantastic product, I'm really looking forward to promoting it and implementing it for my enterprise clients.
The text was updated successfully, but these errors were encountered: