[Pkg-shadow-devel] Bug#734671: enable pam_keyinit by default
Laurent Bigonville
bigon at debian.org
Tue Jan 10 08:19:21 UTC 2017
On Wed, 08 Jan 2014 19:00:54 -0800 Russ Allbery <rra at debian.org> wrote:
Hi,
> It would be better for any application that uses the kernel keyring
> if pam_keyinit were run by default in the PAM session stack. Without
> this module, users are placed in a default UID-based user session,
> which doesn't isolate each session's keys.
>
> Worse, currently (although this is a separate bug that's been
> separately reported and may be fixed in the future), the kernel uses
> the UID session for reading, but when writing creates a new session
> keyring that's limited to children of the writing process. This
> basically makes use of keyring Kerberos caches impossible unless one
> does the equivalent of what pam_keyinit does first. It's rather
> inobvious that this is necessary.
>
> The problem with this, which will make it more complex, is that one
> generally does not want to create a new session keyring when running
> commands like su or sudo, just for login sessions, since you normally
> want to preserve the user's existing credentials. I'm not sure what
> this means for how to achieve this configuration.
What is the status of this?
Could this be implemented for stretch? The number of "login" PAM
services is quite limited IMHO (xDM, login, openssh, ...), so I'm not sure
that waiting for pam-auth-update support for these (#677288) is really
needed; for example, we have already added pam_selinux modules in all
these login services.
openssh and gdm have already been calling the pam_keyinit.so module for quite
some time now without any visible complaints.
Regards,
Laurent Bigonville
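The thread turns on two distinctions: whether a PAM service file has pam_keyinit.so in its session stack at all, and whether a given service is a login service (where a fresh, isolated session keyring is wanted) or a credential-switching one like su or sudo (where a forced new keyring would discard the user's existing keys). The following script is an added example, not part of this bug report or of the shadow or pam packages; it classifies PAM service files by what their session stack does with pam_keyinit and flags the two mismatches the thread describes. The three service files it inspects are constructed samples written to a temporary directory, and the script does not follow `@include` lines, so on a real host point it at each `/etc/pam.d/<service>` file you care about and check included files separately.

```shell
#!/bin/sh
# Added example: audit PAM service files for pam_keyinit in the session stack.
# Constructed sample files stand in for /etc/pam.d/<service> so it runs offline.

# Print one of: full    - pam_keyinit.so present with both "force" and "revoke"
#               partial - present but missing force and/or revoke
#               absent  - no pam_keyinit session line (note: @include not followed)
pam_keyinit_state() {
    line=$(sed 's/#.*//' "$1" | awk '$1 == "session" && /pam_keyinit\.so/ { print; exit }')
    [ -n "$line" ] || { echo absent; return 0; }
    have_force=0; have_revoke=0
    for word in $line; do
        case "$word" in
            force)  have_force=1 ;;
            revoke) have_revoke=1 ;;
        esac
    done
    if [ "$have_force" = 1 ] && [ "$have_revoke" = 1 ]; then
        echo full
    else
        echo partial
    fi
}

# usage: audit_service <service-name> <pam-file>
# Login services should start each login in its own session keyring; su/sudo
# should not force a new one, or the caller's existing keys are lost.
audit_service() {
    state=$(pam_keyinit_state "$2")
    case "$1" in
        su|sudo)
            if [ "$state" = full ]; then
                echo "$1: WARN force revoke replaces the caller's session keyring"
            else
                echo "$1: OK ($state)"
            fi ;;
        *)
            if [ "$state" = full ]; then
                echo "$1: OK (force revoke)"
            else
                echo "$1: WARN pam_keyinit $state; logins share the per-UID keyring"
            fi ;;
    esac
}

# Constructed sample service files (assumed layouts, not copied from any host).
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
cat > "$d/sshd" <<'EOF'
# constructed sample: login service that already calls pam_keyinit
session    optional     pam_keyinit.so force revoke
@include common-session
EOF
cat > "$d/login" <<'EOF'
@include common-session   # constructed sample: no pam_keyinit line
EOF
cat > "$d/su" <<'EOF'
session    optional     pam_keyinit.so force revoke   # constructed misconfiguration
EOF

for svc in sshd login su; do
    audit_service "$svc" "$d/$svc"
done
```

The `force` option is what makes pam_keyinit unconditionally replace whatever session keyring the process already has, which is exactly the behaviour wanted at login and not wanted in su or sudo, so the audit treats the same configuration line as correct in one service and a warning in the other.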