Can't set up Google Authenticator (2FA)

Hello. How do I install google_authenticator (2FA) on Fedora? SELinux doesn't allow it to work.

"sudo tail -f /var/log/secure" gives me this:

Apr 14 20:11:05 fedora login(pam_google_auth)[82258]: Failed to create tempfile "/home/pavel/.config/.google_authenticator~sc80rC": Permission denied
Apr 14 20:11:05 fedora login(pam_google_auth)[82258]: Failed to update secret file "/home/pavel/.config/.google_authenticator": Permission denied

I have all the needed rights for the file and still get these messages.

Likely a SELinux (authlogin_yubikey) policy issue blocking at a lower level, although file permissions are correct.

  1. First 'sudo ausearch -m avc -ts recent | audit2why' may give a hint.

Next is 'restorecon' to reset .google_authenticator (wrong SELinux context label), but let's see option 1 first.

sudo ausearch -m avc -ts recent | audit2why

[sudo] password for pavel:
type=AVC msg=audit(1776209502.108:1666): avc: denied { create } for pid=86129 comm="login" name=".google_authenticator~mpPJij" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_home_t:s0 tclass=file permissive=0

Was caused by:
	Missing type enforcement (TE) allow rule.

	You can use audit2allow to generate a loadable module to allow this access.

sudo grep "denied" /var/log/audit/audit.log | sudo audit2allow -a

#============= local_login_t ==============
allow local_login_t config_home_t:file { create read };
allow local_login_t user_home_dir_t:file { create getattr open read rename setattr write };

#============= thumb_t ==============
allow thumb_t cache_home_t:dir rmdir;

#============= xdm_t ==============
allow xdm_t user_home_t:file create;

Alternatively, you can create a /var/lib/google-authenticator directory, run restorecon -rv on it, and configure your PAM module to use that location. The SELinux rules are pre-defined for that location:

$ grep google-authenticator /etc/selinux/targeted/contexts/files/file_contexts
/var/lib/google-authenticator(/.*)?	system_u:object_r:var_auth_t:s0

I still get these errors

Apr 15 07:23:19 fedora login(pam_google_auth)[119771]: Failed to create tempfile "/var/lib/google-authenticator/.google_authenticator~lFjR86": Permission denied
Apr 15 07:23:19 fedora login(pam_google_auth)[119771]: Failed to update secret file "/var/lib/google-authenticator/.google_authenticator": Permission denied

And "sudo grep "denied" /var/log/audit/audit.log | sudo audit2allow -a" now gives me: "no matches"

"ls -Z .google_authenticator":

unconfined_u:object_r:var_auth_t:s0 .google_authenticator

Does the parent directory have the right permissions?

# ls -Zld /var/lib/google-authenticator
drwxrwxrwt. 2 root root system_u:object_r:container_file_t:s0:c2 12 Aug 29  2022 /var/lib/google-authenticator

It is OK to run sudo chmod 1777 /var/lib/google-authenticator so that any user can (re)create their OTP key at any time (but another non-root user will not be able to change the key).

The line in your PAM config’s auth stack might look something like the following.

auth       required     pam_google_authenticator.so grace_period=3600 secret=/var/lib/google-authenticator/${USER}

Edit: Correction, when you run /usr/bin/google-authenticator (not PAM’s pam_google_authenticator.so), it will generate the files under /var/lib/google-authenticator and set restrictive permissions on them.[1]


  1. Assuming you supply -s /var/lib/google-authenticator/${USER} as a parameter.
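Added example, not code from any participant in this thread: a small POSIX sh triage script for the two checks discussed above. It reduces an AVC record to the single rule audit2allow would generate for it (so you can see how narrow the denied access really is before loading a custom module), and it checks an `ls -Zld` line for the secret directory against the var_auth_t label from file_contexts and the 1777 mode. Both functions take the text as an argument, so they run without SELinux present; the sample lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the participants).
# Two checks for the pam_google_authenticator/SELinux problem discussed above,
# fed with text you would normally get from `ausearch` and `ls -Zld`, so they
# run on any machine, SELinux or not.

# Reduce one AVC record to "source_type target_type:class { perms }", the
# shape of the rule audit2allow would emit, so you can see exactly which
# access a custom module would open before deciding to load one.
avc_summary() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ *\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3:\4 { \1}/p'
}

# Check one `ls -Zld` line for the secret directory: file_contexts maps
# /var/lib/google-authenticator to var_auth_t, and the directory needs mode
# 1777 (drwxrwxrwt) so every user can create their own key file there.
check_secret_dir() {
    set -- $1                                   # split the ls line into fields
    dir_mode=$1
    dir_type=$(printf '%s' "$5" | cut -d: -f3)  # type field of user:role:type:level
    dir_ok=0
    case $dir_mode in
        drwxrwxrwt*) ;;
        *) echo "mode is $dir_mode, expected drwxrwxrwt (chmod 1777)"; dir_ok=1 ;;
    esac
    if [ "$dir_type" != var_auth_t ]; then
        echo "label is $dir_type, expected var_auth_t (run restorecon -Rv on the directory)"
        dir_ok=1
    fi
    return $dir_ok
}

# Constructed sample input: the AVC record and the ls -Zld line quoted in the
# thread, plus the same directory line as it should look after restorecon.
SAMPLE_AVC='type=AVC msg=audit(1776209502.108:1666): avc: denied { create } for pid=86129 comm="login" name=".google_authenticator~mpPJij" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:config_home_t:s0 tclass=file permissive=0'
SAMPLE_DIR='drwxrwxrwt. 2 root root system_u:object_r:container_file_t:s0:c2 12 Aug 29  2022 /var/lib/google-authenticator'
FIXED_DIR='drwxrwxrwt. 2 root root system_u:object_r:var_auth_t:s0 12 Aug 29  2022 /var/lib/google-authenticator'

avc_summary "$SAMPLE_AVC"               # local_login_t config_home_t:file { create }
check_secret_dir "$SAMPLE_DIR" || echo "directory needs fixing"
check_secret_dir "$FIXED_DIR" && echo "directory looks right"
```

Note that the `ls -Zld` line posted in the thread carries container_file_t rather than the var_auth_t that file_contexts defines for that path, which is exactly what the second check flags.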

Thank you very much! Finally it all works.