GoogleAuthenticator PAM Module Permissions Issue — VPN with MFA in AWS EC2 running CentOS
Full Disclosure:
I am writing this question to then answer it myself. I searched the internet for a full day at work and was not able to find a solution that worked for me. I even compiled my own GoogleAuthenticator PAM module to add more logging. Not even running strace on the openvpn process and its children led me to a solution.
Use Case
- Launch VPN using OpenVPN in an EC2
- Use PAM GoogleAuthenticator Module
- OS: CentOS
Setup
- login to the EC2
- create a client
- add MFA token to user (client) using the provided token generator while also saving this token to the proper location for the PAM module to detect it
- create the <user>.ovpn file for this user
The below script will create a Linux user, and then create an MFA secret saved to the location specified in the PAM config; note the permissions 600. MFA_USER is a pre-created user that I created named gauth.
# Caller sets three variables before calling generate_mfa:
#   MFA_DIR   directory the PAM line reads secrets from (/etc/openvpn/google-authenticator)
#   MFA_LABEL label shown in the authenticator app
#   MFA_USER  pre-created account that owns the secret files (gauth, the user= in the PAM config)
function generate_mfa() {
    user_id=$1
    if [ -z "$user_id" ]; then
        echo "ERROR: No user id provided to generate MFA token"
        exit 1
    fi
    echo "INFO: Creating user ${user_id}"
    # VPN-only account, no interactive shell (on CentOS the binary is /sbin/nologin, not /bin/nologin)
    useradd -s /sbin/nologin "$user_id"
    echo "> Please provide a password for the user"
    passwd "$user_id"
    echo "INFO: Generating MFA Token"
    # -t TOTP, -d disallow reuse of a code, -r3 -R30 at most 3 logins per 30 s,
    # -f no prompts, -s write the secret (and later the reuse/rate-limit state) to the per-user file
    google-authenticator -t -d -r3 -R30 -f -l "${MFA_LABEL}" -s "${MFA_DIR}/${user_id}"
    chown "${MFA_USER}:${MFA_USER}" "${MFA_DIR}/${user_id}"
    chmod 600 "${MFA_DIR}/${user_id}"
}
PAM Config for OpenVPN
auth required /usr/lib64/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass
auth include system-auth use_first_pass
account include system-auth use_first_pass
password include system-auth use_first_pass
session include system-auth use_first_pass
auth required pam_deny.so
Issue
- Using Tunnelblick configured with my client.ovpn, I am then prompted to log in with my username and password.
- The format of the password is inline: <password><MFA_TOKEN>; this is stripped out with the forward_pass directive
- I enter in my proper credentials and am always met with unauthorized
Logs
- To check out my issue I logged onto the VPN instance via ssh and inspected my PAM/auth logs
tail /var/log/secure
Sep 10 22:33:43 ip-10-1-101-177 openvpn(pam_google_authenticator)[12862]: Accepted google_authenticator for ryan
Sep 10 22:33:43 ip-10-1-101-177 openvpn(pam_google_authenticator)[12862]: Failed to update secret file "/etc/openvpn/google-authenticator/ryan": Permission denied
Aha! "Permission Denied"
So then check my permissions:
[root@ip-OMITTED centos]# ls -lah /etc/openvpn/google-authenticator/
drwxr-xr-x. gauth gauth .
drwxr-xr-x. root root ..
-rw-------. gauth gauth ryan
- Hmm, these permissions (600) seem right. The directories are executable and I am using the gauth user in my PAM config.
What on earth could be wrong with my configuration?
- the gauth user exists :check:
- the permissions are right :check:
centos permissions vpn pam selinux
asked 5 hours ago, edited 5 hours ago
Ryan Mahaffey
1 Answer
THE AHA MOMENT
What are those '.'s at the end of my permissions listing?
[root@ip-OMITTED centos]# ls -lah /etc/openvpn/google-authenticator/
drwxr-xr-x. gauth gauth .
drwxr-xr-x. root root ..
-rw-------. gauth gauth ryan
...Searchin' the web...
- So apparently there's this thing called SELinux (Security-Enhanced Linux). That is what those dots were at the end of the file permissions when running ls -lah; it indicated that special contexts/ACL stuff existed for the file.
See: SELinux Docs
So, to see the contexts: ls -Z
Before one login
The file context was unconfined_u:object_r:openvpn_etc_t:s0
[root@ip-OMITTED centos]# ls -lahZ /etc/openvpn/google-authenticator/
drwxr-xr-x. gauth gauth unconfined_u:object_r:openvpn_etc_t:s0 .
drwxr-xr-x. root root system_u:object_r:openvpn_etc_t:s0 ..
-rw-------. gauth gauth unconfined_u:object_r:openvpn_etc_t:s0 ryan
- Then I temporarily disabled SELinux with setenforce 0
After one login
The file was able to be written to and the context was coerced to system_u:object_r:openvpn_etc_rw_t:s0
[root@ip-OMITTED centos]# ls -lahZ /etc/openvpn/google-authenticator/
drwxr-xr-x. gauth gauth unconfined_u:object_r:openvpn_etc_t:s0 .
drwxr-xr-x. root root system_u:object_r:openvpn_etc_t:s0 ..
-r--------. gauth gauth system_u:object_r:openvpn_etc_rw_t:s0 ryan
Re-enable SELinux:
setenforce 1
still able to log in. :)
Commands to run to fix a file with SELinux turned on:
semanage fcontext -a -t openvpn_etc_rw_t "${MFA_DIR}/${user}"
restorecon "${MFA_DIR}/${user}"
- This allows the rw bits!
answered 5 hours ago
Ryan Mahaffey
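Added example (editor's, not part of Ryan's question or answer): a small shell triage script for the checklist in the question and the fix in the answer. The point it makes is that the two ":check:" items in the question only cover discretionary access control; on a CentOS host the third thing to check is the SELinux label, because pam_google_authenticator must write the secret file on every login to record used codes (-d) and rate-limit state (-r3 -R30), which is exactly what the "Failed to update secret file" line in /var/log/secure reports after the code itself was accepted. The script parses the post's own ls -lahZ listings and log lines (embedded here as constructed inputs), separates a DAC problem (owner or mode) from a label problem, and prints the persistent fix from the answer widened to a directory-wide semanage fcontext pattern so every user that generate_mfa() adds is covered without a per-file rule. The expected type openvpn_etc_rw_t and the owner gauth are taken from the page; the directory-wide pattern, the abbreviated five-field listing format and the ausearch step in the note below are my assumptions and additions.

```shell
#!/bin/sh
# Added example: triage for "DAC looks right but the PAM module still cannot
# write the MFA secret". Not code from the question or the answer.
# Constants come from the page: the owner the generate_mfa() script uses and
# the SELinux type the answer observed on the file once writes succeeded.
EXPECTED_OWNER="gauth"
EXPECTED_TYPE="openvpn_etc_rw_t"

# Constructed inputs, copied from the listings/log lines in the post so the
# script runs stand-alone. BEFORE is the failing state, AFTER the working one.
# Fields follow the post's abbreviated listing: mode owner group context name.
BEFORE='-rw-------. gauth gauth unconfined_u:object_r:openvpn_etc_t:s0 ryan'
AFTER='-r--------. gauth gauth system_u:object_r:openvpn_etc_rw_t:s0 ryan'
SAMPLE_LOG='Sep 10 22:33:43 ip-10-1-101-177 openvpn(pam_google_authenticator)[12862]: Accepted google_authenticator for ryan
Sep 10 22:33:43 ip-10-1-101-177 openvpn(pam_google_authenticator)[12862]: Failed to update secret file "/etc/openvpn/google-authenticator/ryan": Permission denied'

# selinux_type CONTEXT
# Prints the type from a user:role:type:range context string.
selinux_type() {
    rest="${1#*:}"                 # drop the SELinux user (unconfined_u / system_u)
    rest="${rest#*:}"              # drop the role (object_r)
    printf '%s\n' "${rest%%:*}"    # keep the type, drop the MLS range (s0)
}

# secret_write_failures  (reads log lines on stdin)
# Prints the path from every "Failed to update secret file" line. That message
# is the module failing to persist reuse/rate-limit state after a successful
# TOTP check, so the login is denied even though the code was right.
secret_write_failures() {
    sed -n 's/.*Failed to update secret file "\([^"]*\)".*/\1/p'
}

# check_secret_file "<one line of ls -lZ output, five fields as above>"
# Returns 0 when owner, mode and label are all as expected,
#         1 for a DAC problem (owner or mode),
#         2 for an SELinux label problem (the case in the post).
check_secret_file() {
    set -f                         # no globbing while the line is split into fields
    set -- $1
    set +f
    mode="${1%.}"                  # the trailing '.' only says "has a security context"
    owner="$2"; ctx="$4"; name="$5"

    if [ "$owner" != "$EXPECTED_OWNER" ]; then
        echo "DAC: $name is owned by $owner, the PAM line runs the module as $EXPECTED_OWNER"
        return 1
    fi
    case "$mode" in
        -rw-------|-r--------) ;;  # 0600 as provisioned, 0400 once the module has rewritten it
        *) echo "DAC: $name has mode $mode, group/other must have no access"; return 1 ;;
    esac
    ltype=$(selinux_type "$ctx")
    if [ "$ltype" != "$EXPECTED_TYPE" ]; then
        echo "SELinux: $name is labelled $ltype, openvpn cannot write it; relabel to $EXPECTED_TYPE"
        return 2
    fi
    echo "ok: $name ($mode $owner $ltype)"
    return 0
}

# relabel_commands DIR
# Prints the answer's persistent fix, widened to a pattern over the whole
# secrets directory (assumption: the page only shows a per-file rule).
relabel_commands() {
    dir="${1%/}"
    printf 'semanage fcontext -a -t %s "%s/.*"\n' "$EXPECTED_TYPE" "$dir"
    printf 'restorecon -Rv "%s"\n' "$dir"
}

# Stand-alone demo on the constructed inputs.
demo() {
    echo "== secret files the module could not write, from the log =="
    printf '%s\n' "$SAMPLE_LOG" | secret_write_failures
    echo "== before the fix =="
    check_secret_file "$BEFORE" || echo "   (exit status $?)"
    echo "== after the fix =="
    check_secret_file "$AFTER" || echo "   (exit status $?)"
    echo "== persistent fix to run on the VPN host =="
    relabel_commands /etc/openvpn/google-authenticator
}
demo
```

Nothing in the script calls semanage or touches /etc, so it runs anywhere; on the VPN host the non-invasive equivalent of the setenforce 0 experiment is ausearch -m AVC -ts recent, which shows the denial for the openvpn domain against the openvpn_etc_t file without dropping enforcement for the whole, internet-facing box while you look. The per-file semanage rule in the answer works, but it has to be repeated for every account the provisioning script creates; a pattern over the directory plus restorecon after each google-authenticator run keeps new secrets labelled correctly.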