diff --git a/NEWS b/NEWS
index 622f51226aa214babc8d94bd65349457ffadcd58..23ad29eb1b05622f5511a7d252f8b49de8fecb56 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+release/005.012 (2018-10-09)
+
+    [ssh] Make sure that the pam duo ssh file in /etc/security can only
+    be read by root. [adamhl]
+
 release/005.011 (2018-06-29)
 
     [postfix] Add the parameter "enable_postfix_compat2" to the
diff --git a/manifests/duo/config.pp b/manifests/duo/config.pp
index bf2902bae231491e1a11a124556c9558c2b57ff7..9e5e57bc6ff0c69c19f4294644b7b9583593a407 100644
--- a/manifests/duo/config.pp
+++ b/manifests/duo/config.pp
@@ -1,8 +1,8 @@
 # Set up a custom Duo configuration. Note that this class does not _enable_ Duo.
-# Instead, this type downloads a common Duo integration, copies it, and then 
+# Instead, this type downloads a common Duo integration, copies it, and then
 # customizes it according to the parameters you specify.
 #
-# Your client code is responsible for leveraging the configuration, such as by 
+# Your client code is responsible for leveraging the configuration, such as by
 # using PAM.
 #
 # See base::sudo and base::ssh for services that leverage this class.
@@ -16,15 +16,15 @@
 # wallet_name: the name for the common Duo wallet object. Defaults to the
 # fully-qualified domain name of the host.
 #
-# use_gecos: A boolean, defaults to false.  When true, Duo will get the 
-# username from the GECOS field (known in Puppet as the comment field) in the 
-# system passwd file.  When false, Duo will use the user's username.  This is 
-# used when a user is logging in with an account where their username does not 
+# use_gecos: A boolean, defaults to false.  When true, Duo will get the
+# username from the GECOS field (known in Puppet as the comment field) in the
+# system passwd file.  When false, Duo will use the user's username.  This is
+# used when a user is logging in with an account where their username does not
 # match their Duo username.
 #
-# fail_secure: A boolean, defaults to false.  When false, a Duo timeout will 
-# cause the Duo authentication to pass, allowing the user to continue logging 
-# in.  When true, a Duo timeout will cause the Duo authentication to fail, 
+# fail_secure: A boolean, defaults to false.  When false, a Duo timeout will
+# cause the Duo authentication to pass, allowing the user to continue logging
+# in.  When true, a Duo timeout will cause the Duo authentication to fail,
 # blocking the user from logging in.
 
 define base::duo::config (
@@ -72,6 +72,9 @@ define base::duo::config (
       ensure  => present,
       source  => "/etc/security/pam_duo_${wallet_name}.conf",
       replace => false,
+      mode    => '0600',
+      owner   => 'root',
+      group   => 'root',
       require => Base::Duo::Config::Common[$wallet_name],
     }
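Review bot: Restricting the copy to root 0600 only protects half of the secret, because the `source` on the line above is `/etc/security/pam_duo_${wallet_name}.conf`, managed by Base::Duo::Config::Common, and if that common file is not also root-owned 0600 the same Duo integration key remains readable through it; that resource is not in this hunk, so confirm its permissions. Note also that `replace => false` stops Puppet from rewriting the content of an existing file but does not stop it enforcing `owner`/`group`/`mode`, so the new attributes will tighten already-deployed copies on the next run, which appears to be the intent and deserves a comment such as `# root/0600: the Duo config carries the integration secret; replace=>false keeps local edits but mode is still enforced`. The file resource itself begins before this hunk, so its title and target path are not visible here.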