On Tue, May 06, 2014 at 09:12:59AM -0700, Russ Allbery wrote: > Laurent Bigonville <bi...@debian.org> writes:
> > On Fedora they are using: > > session optional pam_keyinit force revoke > force revoke looks good to me. I'm not sure that force is necessary, but > it's probably a good idea in general. > > As it's only available on linux architectures, I was thinking of adding > > a '-' at the beginning of the call. Do you think this is OK for Debian? > Yes, although this is where it would be nice if this could somehow be > handled by pam-auth-update so that the PAM module wouldn't be configured > at all on systems that don't have it. As discussed on IRC, we don't want this to silently fail on Linux systems because of some unrelated bug; that will just cause difficult-to-diagnose problems. Since the module will be present on all Linux systems, it's better to ship a different pam config on Linux vs. non-Linux architectures, which can be done fairly easily without duplication using dh-exec. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slanga...@ubuntu.com vor...@debian.org
signature.asc
Description: Digital signature