Hello,

Steve Langasek wrote:
> Hi Russ,
>
> On Wed, Jan 08, 2014 at 07:00:54PM -0800, Russ Allbery wrote:
> > It would be better for any application that uses the kernel keyring
> > if pam_keyinit were run by default in the PAM session stack.
> > Without this module, users are placed in a default UID-based user
> > session, which doesn't isolate each session's keys.
>
> > Worse, currently (although this is a separate bug that's been
> > separately reported and may be fixed in the future), the kernel uses
> > the UID session for reading, but when writing creates a new session
> > keyring that's limited to children of the writing process. This
> > basically makes use of keyring Kerberos caches impossible unless one
> > does the equivalent of what pam_keyinit does first. It's rather
> > inobvious that this is necessary.
>
> > The problem with this, which will make it more complex, is that one
> > generally does not want to create a new session keyring when running
> > commands like su or sudo, just for login sessions, since you
> > normally want to preserve the user's existing credentials. I'm not
> > sure what this means for how to achieve this configuration.
>
> Unfortunately, there's no central way to configure PAM modules only
> for use in login sessions. As with pam_selinux and pam_loginuid, the
> only way to do this is for each service to include the module
> directly in their own PAM config.
Do you have an idea on how it should be called?

On Fedora they are using:

    session optional pam_keyinit force revoke

As it's only available on Linux architectures, I was thinking of adding a '-' at the beginning of the call. Do you think this is OK for Debian?

I guess it should be the same in all the initial login PAM services.

Cheers,

Laurent Bigonville
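As an added example, not part of this bug thread or of the pam_keyinit package: a small POSIX shell check that reads `keyctl show` output and reports whether a login landed in a fresh per-session keyring (what the proposed pam_keyinit line gives you) or in the shared per-UID default that Russ describes. The placement in /etc/pam.d/login and the sample keyring IDs in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread): tell whether a login ended up
# with its own session keyring or with the kernel's default per-UID one.
#
# Without pam_keyinit, the session keyring is the shared "_uid_ses.<uid>"
# keyring, so every session of that user sees the same keys. With
# pam_keyinit in the session stack the login joins a fresh "_ses" keyring.
# The line discussed in the thread, as it would appear in a service file
# such as /etc/pam.d/login (assumed placement):
#
#   -session optional pam_keyinit.so force revoke
#
# The leading '-' makes Linux-PAM skip the entry quietly when the module
# is not installed, which is what lets one config serve non-Linux ports.

# session_keyring_kind: read `keyctl show` output on stdin and print
#   per-session  - session keyring is a fresh "_ses" keyring
#   per-uid      - session keyring is the shared "_uid_ses.<uid>" keyring
#   other        - a differently named session keyring
#   unknown      - no keyring line found at all
# The first line carrying "keyring:" describes the session keyring itself;
# later lines are its members, so awk stops after that line.
session_keyring_kind() {
    awk '
        /keyring: / {
            desc = $NF
            if (desc == "_ses")                    print "per-session"
            else if (desc ~ /^_uid_ses\.[0-9]+$/)  print "per-uid"
            else                                   print "other"
            found = 1
            exit
        }
        END { if (!found) print "unknown" }
    '
}

# Stand-alone use on a real login; silently does nothing where keyctl
# (from the keyutils package) is not installed.
if command -v keyctl >/dev/null 2>&1; then
    keyctl show 2>/dev/null | session_keyring_kind
fi
```

Run it once from a console login and once from an su shell on the same box to see the two cases side by side.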