On Wed, May 07, 2014 at 10:13:02AM +0200, Laurent Bigonville wrote:
> On Tue, 6 May 2014 09:36:59 -0700,
> Steve Langasek <[email protected]> wrote:

> > On Tue, May 06, 2014 at 09:12:59AM -0700, Russ Allbery wrote:
> > > Laurent Bigonville <[email protected]> writes:

> > > > On Fedora they are using:

> > > > session optional pam_keyinit force revoke

> > > force revoke looks good to me. I'm not sure that force is
> > > necessary, but it's probably a good idea in general.

> > > > As it's only available on linux architectures, I was thinking of
> > > > adding a '-' at the beginning of the call. Do you think this is
> > > > OK for Debian?

> > > Yes, although this is where it would be nice if this could somehow
> > > be handled by pam-auth-update so that the PAM module wouldn't be
> > > configured at all on systems that don't have it.

> > As discussed on IRC, we don't want this to silently fail on Linux
> > systems because of some unrelated bug; that will just cause
> > difficult-to-diagnose problems. Since the module will be present on
> > all Linux systems, it's better to ship a different pam config on
> > Linux vs. non-Linux architectures, which can be done fairly easily
> > without duplication using dh-exec.

> And couldn't we use the (dirty) trick we are using for pam_selinux?

Which trick are you talking about?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[email protected]                                     [email protected]

