diff --git a/pam_yubico.c b/pam_yubico.c
index f6af4d6..fa9f943 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -615,10 +615,14 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
       goto restpriv_out;
   }
 
-  if (fchmod (fd, S_IRUSR | S_IWUSR) != 0) {
+  if (fchmod (fd, st.st_mode) != 0) {
       DBG (("could not set correct file permissions"));
       goto restpriv_out;
   }
+  if (fchown (fd, st.st_uid, st.st_gid) != 0) {
+      DBG (("could not set correct file ownership"));
+      goto restpriv_out;
+  }
 
   f = fdopen(fd, "w");
   if (! f) {
diff --git a/ykpamcfg.c b/ykpamcfg.c
index 29b75c8..bc8be1e 100644
--- a/ykpamcfg.c
+++ b/ykpamcfg.c
@@ -145,6 +145,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u
   char *fn;
   struct passwd *p;
   FILE *f = NULL;
+  struct stat st;
 
   state.iterations = iterations;
   state.slot = slot;
@@ -162,7 +163,6 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u
   */
   
   if (!output_dir){
-      struct stat st;
       char fullpath[256];
       snprintf(fullpath, 256,"%s/.yubico",p->pw_dir);
       
@@ -190,6 +190,11 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u
     goto out;
   }
 
+  if (stat(fn, &st) == 0) {
+    fprintf(stderr, "File %s already exists, refusing to overwrite.\n", fn);
+    goto out;
+  }
+
   if (generate_random(state.challenge, CR_CHALLENGE_SIZE)) {
     fprintf (stderr, "FAILED getting %i bytes of random data\n", CR_CHALLENGE_SIZE);
     goto out;
@@ -240,6 +245,11 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u
   if (! write_chalresp_state (f, &state))
     goto out;
 
+  if (! chmod (fn, S_IRUSR | S_IWUSR)) {
+    fprintf (stderr, "Failed setting permissions on new challenge file %s.\n", fn);
+    goto out;
+  }
+
   printf ("Stored initial challenge and expected response in '%s'.\n", fn);
 
   *exit_code = 0;