* Marc Haber <[email protected]> [220714 14:10]:
> On Thu, Jul 14, 2022 at 12:20:48PM +0200, Chris Hofstaedtler wrote:
> > Well, the pam_keyinit man page says it was written by David Howells
> > <[email protected]>, but I don't know if he is still working on
> > it.
>
> I reached out to that address a few months ago, they didn't bother
> replying.
>
> > This openSUSE bug seems to touch on related questions:
> > https://bugzilla.suse.com/show_bug.cgi?id=1081947
>
> Lesson learned: The major distributions ALL do not know what they're
> doing, they're blindly copying from each other. And nobody cares.

Yes, and I think in this case nobody really knows what the expected
behaviour is.

Judging by the man page, su, runuser, sudo should probably NOT
invoke pam_keyinit, except if run with a flag simulating login
(su/runuser -l, sudo -i?).

As we have seen before, there's also a "force" flag, and I really
have no idea why it exists or what happens if "force" is not given.

My current thinking:

1) should figure out what "force" really does, and more importantly:
   what happens if "force" is not given
2) su-l, runuser-l, sudo-i should probably call pam_keyinit with
   force
3) depending on 1), su, runuser, sudo pam files should either all
   invoke pam_keyinit.so, or none of them should.

Chris

