diff --git a/pam_yubico.c b/pam_yubico.c
index 10ee6fc..c36ca0e 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -535,7 +535,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
     }
   }
 
-  fd = open(userfile, O_RDONLY, 0);
+  fd = open(userfile, O_RDONLY | O_CLOEXEC, 0);
   if (fd < 0) {
       DBG ("Cannot open file: %s (%s)", userfile, strerror(errno));
       goto restpriv_out;
diff --git a/util.c b/util.c
index e6e8095..2112a58 100644
--- a/util.c
+++ b/util.c
@@ -109,7 +109,7 @@ check_user_token (const char *authfile,
   struct stat st;
   FILE *opwfile;
 
-  fd = open(authfile, O_RDONLY, 0);
+  fd = open(authfile, O_RDONLY | O_CLOEXEC, 0);
   if (fd < 0) {
       if(verbose)
 	  D (debug_file, "Cannot open file: %s (%s)", authfile, strerror(errno));