Paul Klump <[email protected]> writes:

> Hello,
>
> After I recently updated to the latest 2.6.12 packages on a Rocky Linux 8
> installation (liboath, oathtool, pam_oath), the 2FA configuration for SSH
> that uses the pam_oath module stopped working correctly. This host has
> SELinux set to enforcing mode by default, and when I set the SELinux mode
> to 'permissive', the 2FA configuration for SSH works.
>
> I'm not well versed with SELinux, so I'm doing some research now, but I
> figured I'd post something here in case someone has some insight on this.
>
> This is the line added to /etc/pam.d/sshd on this host for pam_oath.so:
>
> ---
> auth [success=ok new_authtok_reqd=ok default=die] pam_oath.so
> usersfile=/etc/liboath/users.oath window=10 digits=6
> ---
>
> Thanks in advance, and if you need any further information, please let me
> know.

Thanks for the report! I am not familiar enough with SELinux to know, but
presumably something related to dropping privileges causes problems. There
were no filename changes. I haven't seen similar reports.

Could you enable SELinux debugging somehow, and send us any error messages?

Does anyone know if it is possible to set up SELinux in a GitLab pipeline?
If so we could test this configuration continuously. Some help from people
familiar with SELinux is needed here.

/Simon
