Bug#734818: enable pam_keyinit by default
Laurent Bigonville
bigon at debian.org
Tue May 6 15:06:41 UTC 2014
Hello,
Steve Langasek wrote:
> Hi Russ,
>
> On Wed, Jan 08, 2014 at 07:00:54PM -0800, Russ Allbery wrote:
> > It would be better for any application that uses the kernel keyring
> > if pam_keyinit were run by default in the PAM session stack.
> > Without this module, users are placed in a default UID-based user
> > session, which doesn't isolate each session's keys.
>
> > Worse, currently (although this is a separate bug that's been
> > separately reported and may be fixed in the future), the kernel uses
> > the UID session for reading, but when writing creates a new session
> > keyring that's limited to children of the writing process. This
> > basically makes use of keyring Kerberos caches impossible unless one
> > does the equivalent of what pam_keyinit does first. It's rather
> > inobvious that this is necessary.
>
> > The problem with this, which will make it more complex, is that one
> > generally does not want to create a new session keyring when running
> > commands like su or sudo, just for login sessions, since you
> > normally want to preserve the user's existing credentials. I'm not
> > sure what this means for how to achieve this configuration.
>
> Unfortunately, there's no central way to configure PAM modules only
> for use in login sessions. As with pam_selinux and pam_loginuid, the
> only way to do this is for each service to include the module
> directly in their own PAM config.
Do you have an idea on how it should be called?
On Fedora they are using:
session optional pam_keyinit force revoke
As it's only available on Linux architectures, I was thinking of adding
a '-' at the beginning of the call. Do you think this is OK for Debian?
I guess it should be the same in all the initial login pam services.
Cheers,
Laurent Bigonville
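The configuration question above (a pam_keyinit session line, guarded with a leading '-' so the missing module is not logged on non-Linux architectures) as an added audit check, not part of the bug report or of Debian's PAM packaging. The sample service configs and the function name keyinit_status are constructed for this example; a real audit would loop over /etc/pam.d.

```shell
#!/bin/sh
# Added example: classify a PAM service config by its pam_keyinit session line.
# Sample configs below are constructed for this example, not real Debian files.

# Constructed sample: a login service with the Fedora-style line, '-'-guarded.
SAMPLE_LOGIN='auth       required   pam_unix.so
-session   optional   pam_keyinit.so force revoke
session    required   pam_unix.so'

# Constructed sample: su-style service, where a fresh session keyring is not
# wanted because the user's existing credentials should be preserved.
SAMPLE_SU='auth       required   pam_unix.so
session    required   pam_unix.so'

# keyinit_status CONFIG_TEXT
# Prints "guarded" if a pam_keyinit session line is present with the '-'
# prefix (pam.conf(5): the PAM library then does not syslog an error when the
# module cannot be loaded, e.g. on a port where pam_keyinit does not exist),
# "unguarded" if present without it, and "absent" if there is none.
# Assumes the usual three-column layout (type control module) with the
# control field written as a single word, not the bracketed [...] form.
keyinit_status() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 ~ /^-?session$/ && $3 ~ /^pam_keyinit(\.so)?$/ {
            if ($1 ~ /^-/) print "guarded"; else print "unguarded"
            found = 1
            exit
        }
        END { if (!found) print "absent" }'
}

# audit_pam_dir DIR: print "service: status" for every file in DIR.
# Example: audit_pam_dir /etc/pam.d
audit_pam_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(keyinit_status "$(cat "$f")")"
    done
}
```

On a live Linux host, `keyctl show @s` in two separate logins is the runtime check: with pam_keyinit in the session stack each login reports its own session keyring instead of the shared UID-based one.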