Bug#734818: enable pam_keyinit by default
Steve Langasek
vorlon at debian.org
Wed May 7 15:18:09 UTC 2014
On Wed, May 07, 2014 at 10:13:02AM +0200, Laurent Bigonville wrote:
> Le Tue, 6 May 2014 09:36:59 -0700,
> Steve Langasek <vorlon at debian.org> a écrit :
> > On Tue, May 06, 2014 at 09:12:59AM -0700, Russ Allbery wrote:
> > > Laurent Bigonville <bigon at debian.org> writes:
> > > > On Fedora they are using:
> > > > session optional pam_keyinit force revoke
> > > force revoke looks good to me. I'm not sure that force is
> > > necessary, but it's probably a good idea in general.
> > > > As it's only available on linux architectures, I was thinking of
> > > > adding a '-' at the beginning of the call. Do you think this is
> > > > OK for Debian?
> > > Yes, although this is where it would be nice if this could somehow
> > > be handled by pam-auth-update so that the PAM module wouldn't be
> > > configured at all on systems that don't have it.
> > As discussed on IRC, we don't want this to silently fail on Linux
> > systems because of some unrelated bug; that will just cause
> > difficult-to-diagnose problems. Since the module will be present on
> > all Linux systems, it's better to ship a different pam config on
> > Linux vs. non-Linux architectures, which can be done fairly easily
> > without duplication using dh-exec.
> And couldn't we use the (dirty) trick we are using for pam_selinux?
Which trick are you talking about?
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20140507/8bab5d62/attachment.sig>
More information about the pkg-gnome-maintainers
mailing list