Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#54915 - [pambase] add pam_keyinit support

Attached to Project: Arch Linux
Opened by loqs (loqs) - Sunday, 23 July 2017, 22:04 GMT
Last edited by Christian Hesse (eworm) - Friday, 06 October 2017, 13:02 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Thomas B├Ąchler (brain0)
Dave Reisner (falconindy)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No


The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring.
Adding pam_keyinit support would allow the reverts used for  FS#54670  to be removed.
It is already used by some debian services
and by fedora but without the force option which would be required for the reverts for  FS#54670  to be removed
This task depends upon

Closed by  Christian Hesse (eworm)
Friday, 06 October 2017, 13:02 GMT
Reason for closing:  Implemented
Additional comments about closing:  pambase 20171006-1
Comment by David McAdoo (geecroof) - Friday, 08 September 2017, 12:25 GMT
I think pam_keyinit should be added to login/system-login config rather than system-auth which is used by polkit and sudo. See quote from linked source:

"This module should not, generally, be invoked by programs like su, since it is usually desirable for the key set to percolate through to the alternate context. The keys have their own permissions system to manage this."

It's already included in /etc/pam.d/sddm config
Comment by loqs (loqs) - Monday, 18 September 2017, 19:16 GMT