[Pkg-shadow-devel] Bug#734671: enable pam_keyinit by default

Steve Langasek vorlon at debian.org
Fri Jan 10 02:31:56 UTC 2014

On Thu, Jan 09, 2014 at 06:20:55PM -0800, Russ Allbery wrote:
> Steve Langasek <vorlon at debian.org> writes:

> > Unfortunately, there's no central way to configure PAM modules only for
> > use in login sessions.  As with pam_selinux and pam_loginuid, the only
> > way to do this is for each service to include the module directly in
> > their own PAM config.

> I gather this isn't the same thing as what common-session-noninteractive
> is for?  I hadn't completely followed how that worked.

Unfortunately not.  Ultimately, there are two axes that we care about for
PAM sessions:  interactive vs. noninteractive sessions, and login vs.
non-login sessions.  pam-auth-update currently only caters to modules that
are suitable for both login and non-login sessions.

> Regardless, thanks!  I spent some time day before yesterday debugging this
> with MIT Kerberos upstream, since the behavior of keyring caches without
> an active session is really weird.  Everything works but then the results
> disappear.

I had vaguely wondered why I hadn't seen any sign of pam_keyinit being used
before now. :)

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/attachments/20140109/5cf0d782/attachment.sig>

More information about the Pkg-shadow-devel mailing list