Bug#734818: enable pam_keyinit by default
Laurent Bigonville
bigon at debian.org
Wed May 7 08:13:02 UTC 2014
Le Tue, 6 May 2014 09:36:59 -0700,
Steve Langasek <vorlon at debian.org> a écrit :
> On Tue, May 06, 2014 at 09:12:59AM -0700, Russ Allbery wrote:
> > Laurent Bigonville <bigon at debian.org> writes:
>
> > > On Fedora they are using:
>
> > > session optional pam_keyinit force revoke
>
> > force revoke looks good to me. I'm not sure that force is
> > necessary, but it's probably a good idea in general.
>
> > > As it's only available on linux architectures, I was thinking of
> > > adding a '-' at the beginning of the call. Do you think this is
> > > OK for Debian?
>
> > Yes, although this is where it would be nice if this could somehow
> > be handled by pam-auth-update so that the PAM module wouldn't be
> > configured at all on systems that don't have it.
>
> As discussed on IRC, we don't want this to silently fail on Linux
> systems because of some unrelated bug; that will just cause
> difficult-to-diagnose problems. Since the module will be present on
> all Linux systems, it's better to ship a different pam config on
> Linux vs. non-Linux architectures, which can be done fairly easily
> without duplication using dh-exec.
>
And couldn't we use the (dirty) trick we are using for pam_selinux?
More information about the pkg-gnome-maintainers
mailing list