[Pkg-shadow-devel] Bug#734671: enable pam_keyinit by default

Russ Allbery rra at debian.org
Fri Jan 10 02:38:04 UTC 2014

Steve Langasek <vorlon at debian.org> writes:
> On Thu, Jan 09, 2014 at 06:20:55PM -0800, Russ Allbery wrote:

>> Regardless, thanks!  I spent some time day before yesterday debugging this
>> with MIT Kerberos upstream, since the behavior of keyring caches without
>> an active session is really weird.  Everything works but then the results
>> disappear.

> I had vaguely wondered why I hadn't seen any sign of pam_keyinit being used
> before now. :)

I think it's mostly because keyrings aren't widely used outside of AFS,
and AFS automatically creates a session keyring when you call setpag().
MIT Kerberos keyring caches are kind of a curiosity, and they have some
weird limitations due to the limit on keyring sizes in the kernel without
the new large keyring stuff.  I think Red Hat uses them for some stuff,
but they're still not widespread.  (And Heimdal doesn't support them at

But I do support them in some of my software and happen to have some test
cases, and discovered they started failing on a system where I wasn't
setting up PAGs for users....

Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>

More information about the Pkg-shadow-devel mailing list