ssh+pam replaced /root/.google-authenticator with a zero-sized file #177
Comments
|
Note: I found the whole idea of storing the last connection attempt timestamp in the configuration file somewhat fragile. i.e., trying to rewrite dynamically the configuration file sounds like a potential source of endless problems. Maybe it would make sense to store this somewhere else. |
|
Strange. That should not happen. Looking at the code now I don't see how a zero byte file can be created, even in the presence of failures. This was a local filesystem, or something like NFS? Could you try reproducing this with code at If you can, while doing this, keep a separate terminal logged in so that you can fix the problem if you do manage to reproduce it. |
This is a local filesystem, ext4: kernel: This happened twice over the past 2 weeks on this server.
Will get back to you with new logs if we manage to do this. |
|
This is reproducible multiple times per day now. I have depoyed the HEAD version and will report on /var/log/auth.log when it is triggered |
Someone on the team managed to make ssh+pam+google authenticator to replace a good /root/.google-authenticator file with a zero-sized one.
I have no idea how they managed this but I have a log that you might find helpful:
auth.log
I suspect you guess what happened after .google-authenticator was zero-sized: no one could connect anymore on the that box: I had to use a console attached to the VM to put it back to a working state...
The text was updated successfully, but these errors were encountered: