Laurent Bigonville <bi...@debian.org> writes: > On Fedora they are using:
> session optional pam_keyinit force revoke force revoke looks good to me. I'm not sure that force is necessary, but it's probably a good idea in general. > As it's only available on linux architectures, I was thinking of adding > a '-' at the beginning of the call. Do you think this is OK for Debian? Yes, although this is where it would be nice if this could somehow be handled by pam-auth-update so that the PAM module wouldn't be configured at all on systems that don't have it. > I guess it should be the same in all the initial login pam services. I think so, yes. Thanks for looking at this! -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org