On Mon, 17 Aug 2015 16:51:42 +0200 Christoph Anton Mitterer
<[email protected]> wrote:
> On Mon, 2015-08-17 at 12:23 +0200, Laurent Bigonville wrote:
> > The correct solution, IMVHO, is to use libpam-systemd with UsePAM
> > set to yes. One other solution is to change the KillMode, but doing
> > so, you'll probably lose the connection if the ssh service is
> > restarted.
> Both don't seem to be ideal...
> 
> I think we should simply add a new unit file, that cleans up any "left
> over" sessions which haven't been killed via the cgroup (either
> because of the pam module not installed or simply because the user
> doesn't want to use UsePAM).

I personally don't like this solution. IMO, if you are using systemd
you need to call libpam-systemd in your entry point service (sshd,
login, xDM, ...), otherwise you are losing 1/2 of the nice features. We
need to be certain that if systemd is used as pid1 the pam module is
also installed.

And if you are setting UsePAM to false there will be other stuff
missing/being broken (like missing entries in the lastlog, the loginuid
used for auditing not being set properly, ...).

BTW, if I understand things correctly (I didn't check the code),
disabling PAM in sshd or removing libpam-systemd would also mean
that the user processes started via ssh will not be killed gracefully if
somebody is rebooting/shutting down the machine.

Cheers,

Laurent Bigonville
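
Added example (not part of the original mail or of any package's own code): a POSIX shell check that an /etc tree has `UsePAM yes` and that `pam_systemd.so` and `pam_loginuid.so` are reachable from the `sshd` PAM session stack, the settings the mail ties to session cleanup and loginuid auditing. The function names, the Debian-style `@include` layout and the sample files are assumptions constructed for illustration; `Include` directives in sshd_config are not followed.

```shell
#!/bin/sh
# Added example: static check of an /etc tree for the settings in the mail.

# Print the effective UsePAM value from sshd_config ($1). sshd uses the first
# value it obtains for a keyword, keywords are case-insensitive, and the
# upstream default is "no".
usepam_value() {
    v=$(awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1" 2>/dev/null) || :
    echo "${v:-no}"
}

# Succeed if a session line naming module $3 is reachable from PAM service
# file $2 in directory $1, following Debian-style "@include" lines.
pam_session_has() {
    [ -r "$1/$2" ] || return 1
    while read -r kind rest; do
        case "$kind" in
            @include)
                pam_session_has "$1" "${rest%%[[:space:]]*}" "$3" && return 0 ;;
            session|-session)
                for w in $rest; do      # control field may be "[a=b c=d]"
                    [ "${w##*/}" = "$3" ] && return 0
                done ;;
        esac
    done < "$1/$2"
    return 1
}

# Return 0 only if ssh logins in tree $1 would run pam_systemd and pam_loginuid.
audit_ssh_session_tracking() {
    rc=0
    [ "$(usepam_value "$1/ssh/sshd_config")" = yes ] ||
        { echo "FAIL: UsePAM is not yes, sshd runs no PAM session stack"; rc=1; }
    for m in pam_systemd.so pam_loginuid.so; do
        pam_session_has "$1/pam.d" sshd "$m" ||
            { echo "FAIL: $m missing from the sshd session stack"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: UsePAM yes, pam_systemd and pam_loginuid present"
    return "$rc"
}

# Constructed sample tree (not from a real host), Debian-like layout.
demo=$(mktemp -d)
mkdir -p "$demo/ssh" "$demo/pam.d"
printf '%s\n' '#UsePAM no' 'usepam yes' 'UsePAM no' > "$demo/ssh/sshd_config"
printf 'session\trequired\tpam_loginuid.so\n@include common-session\n' > "$demo/pam.d/sshd"
printf 'session optional pam_systemd.so\n' > "$demo/pam.d/common-session"
audit_ssh_session_tracking "$demo"
```

On a real host, call `audit_ssh_session_tracking /etc` instead of using the sample tree.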
