[Pkg-shadow-devel] Bug#734671: enable pam_keyinit by default
Steve Langasek
vorlon at debian.org
Fri Jan 10 02:31:56 UTC 2014

On Thu, Jan 09, 2014 at 06:20:55PM -0800, Russ Allbery wrote:
> Steve Langasek <vorlon at debian.org> writes:
> > Unfortunately, there's no central way to configure PAM modules only for
> > use in login sessions. As with pam_selinux and pam_loginuid, the only
> > way to do this is for each service to include the module directly in
> > their own PAM config.
> I gather this isn't the same thing as what common-session-noninteractive
> is for? I hadn't completely followed how that worked.

Unfortunately not. Ultimately, there are two axes that we care about for
PAM sessions: interactive vs. noninteractive sessions, and login vs.
non-login sessions. pam-auth-update currently only caters to modules that
are suitable for both login and non-login sessions.

> Regardless, thanks! I spent some time day before yesterday debugging this
> with MIT Kerberos upstream, since the behavior of keyring caches without
> an active session is really weird. Everything works but then the results
> disappear.

I had vaguely wondered why I hadn't seen any sign of pam_keyinit being used
before now. :)
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
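
An added example, not part of the original message or of Debian's packaging: a small Python audit of the point made above, that a login-only module such as pam_keyinit has to be listed in each service's own PAM file rather than in a shared common-session file. The file contents, the service names and the function names are constructed for illustration.

```python
import os
import re

# Constructed sample of /etc/pam.d contents (illustrative, not from a real system).
SAMPLE_PAM_D = {
    "common-session": "session required pam_unix.so\n",
    "common-session-noninteractive": "session required pam_unix.so\n",
    "login": ("# login service: keyring set up in the service's own file\n"
              "session optional pam_keyinit.so force revoke\n"
              "@include common-session\n"),
    "sshd": "@include common-session\n",
    "cron": "@include common-session-noninteractive\n",
}

# type, control (simple word or [bracketed] form), module path
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def session_modules(service, configs, path=()):
    """Return [(module, file_it_came_from)] for the session stack of `service`."""
    if service in path or service not in configs:
        return []                                   # include loop or missing file
    path = path + (service,)
    found = []
    text = configs[service].replace("\\\n", " ")    # join continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments
        if not line:
            continue
        if line.startswith("@include"):
            parts = line.split()
            if len(parts) > 1:
                found += session_modules(parts[1], configs, path)
            continue
        m = RULE.match(line)
        if not m or m.group(1) != "session":
            continue
        control, module = m.group(2), m.group(3)
        if control in ("include", "substack"):
            found += session_modules(module, configs, path)
        else:
            found.append((os.path.basename(module), service))
    return found

def keyinit_status(service, configs, module="pam_keyinit.so"):
    """'direct' if the service's own file loads it, 'inherited' via an include, else 'missing'."""
    origins = [src for mod, src in session_modules(service, configs) if mod == module]
    if service in origins:
        return "direct"
    return "inherited" if origins else "missing"
```

On the sample, `login` reports `direct`, while `sshd` reports `missing` because nothing it includes carries the module; an `inherited` result would mean the module sits in a shared file and therefore also reaches non-login services.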