diff --git a/VM_OPENSSL_APACHE.sh b/VM_OPENSSL_APACHE.sh
index 2b60fba..668faff 100644
--- a/VM_OPENSSL_APACHE.sh
+++ b/VM_OPENSSL_APACHE.sh
@@ -43,11 +43,9 @@ systemctl daemon-reload # serviço !!! systemctl enable --now httpd
-# acho ?????
-sudo chgrp apache /etc/shadow
-sudo chmod o+x /home/john
-sudo chown apache /home/john/.google_authenticator
-sudo chmod 400 /home/john/.google_authenticator
-sudo chmod o+x /home/user
-sudo chown apache /home/user/.google_authenticator
-sudo chmod 400 /home/user/.google_authenticator
+# mover totp para pasta do apache (SELinux bloqueia /home)
+sudo mkdir -p /etc/httpd/totp
+sudo cp /home/john/.google_authenticator /etc/httpd/totp/john 2>/dev/null || true
+sudo cp /home/user/.google_authenticator /etc/httpd/totp/user 2>/dev/null || true
+sudo chown -R apache:apache /etc/httpd/totp
+sudo chmod 400 /etc/httpd/totp/*
diff --git a/conf/httpd-totp b/conf/httpd-totp
index f6fd386..26e24ae 100644
--- a/conf/httpd-totp
+++ b/conf/httpd-totp
@@ -1,3 +1,3 @@
-auth required pam_google_authenticator.so forward_pass secret=/home/${USER}/.google_authenticator user=apache
+auth required pam_google_authenticator.so forward_pass secret=/etc/httpd/totp/${USER} user=apache
 auth required pam_unix.so use_first_pass
 account required pam_unix.so
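Review bot: In VM_OPENSSL_APACHE.sh the two `cp ... 2>/dev/null || true` lines hide a missing secret, and when neither copy succeeds `chmod 400 /etc/httpd/totp/*` fails on an unmatched glob, so a provisioning error only shows up later as a denied login. `mkdir -p` also leaves /etc/httpd/totp at the umask default (usually world-listable), which reveals which accounts have TOTP enrolled even though the files themselves end up 400. Creating the directory and the files with `install` sets owner and mode in one step and lets the script warn per user; a sketch follows. Separately, these are snapshots: if a user re-runs google-authenticator in their home directory, the old secret under /etc/httpd/totp presumably stays valid for the web login until this script is run again, which deserves a comment next to the copy.

```shell
# mover totp para pasta do apache (SELinux bloqueia /home)
sudo install -d -m 700 -o apache -g apache /etc/httpd/totp
for u in john user; do
  src="/home/${u}/.google_authenticator"
  if sudo test -f "$src"; then
    sudo install -m 400 -o apache -g apache -- "$src" "/etc/httpd/totp/${u}"
  else
    printf 'warn: no TOTP secret for %s; web login will be denied\n' "$u" >&2
  fi
done
```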
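Review bot: In conf/httpd-totp the new `secret=/etc/httpd/totp/${USER}` path only resolves for accounts that VM_OPENSSL_APACHE.sh copied (john and user in this commit), and nothing in the file says so. Because the line has no `nullok`, any other account is denied, which is the safe outcome, but it should be written down; a comment such as `# secrets are provisioned into /etc/httpd/totp/<user> by VM_OPENSSL_APACHE.sh; a missing file denies login (no nullok)` above the line would do. It may also be worth confirming that `pam_unix.so` can still verify passwords when called from httpd now that the /etc/shadow group change is gone, so that access is not restored later as a workaround.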