oath-toolkit-help

Re: Updated SELinux settings for pam_oath after 2.6.12 upgrade


From: Simon Josefsson
Subject: Re: Updated SELinux settings for pam_oath after 2.6.12 upgrade
Date: Tue, 19 Nov 2024 10:37:46 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Paul Klump <paul.klump@gmail.com> writes:

> Hello,
>
> After I recently updated to the latest 2.6.12 packages on a Rocky Linux 8
> installation (liboath, oathtool, pam_oath), the 2FA configuration for SSH
> that uses the pam_oath module stopped working correctly.  This host has
> SELinux set to enforcing mode by default, and when I set the SELinux mode
> to 'permissive',  the 2FA configuration for SSH works.
>
> I'm not well versed with SELinux, so I'm doing some research now, but I
> figured I'd post something here in case someone has some insight on this.
>
> This is the line added to /etc/pam.d/sshd on this host for pam_oath.so:
>
> ---
> auth   [success=ok new_authtok_reqd=ok default=die]    pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6
> ---
>
> Thanks in advance, and if you need any further information, please let me
> know.

Thanks for the report!  I am not familiar enough with SELinux to know,
but presumably something related to dropping privileges causes problems.
There were no filename changes.  I haven't seen similar reports.  Could
you enable SELinux debugging somehow, and send us any error messages?

Does anyone know if it is possible to set up SELinux in a GitLab
pipeline?  If so we could test this configuration continuously.  Some
help from people familiar with SELinux is needed here.

/Simon
