FS#54915 - [pambase] add pam_keyinit support

Attached to Project: Arch Linux
Opened by loqs (loqs) - Sunday, 23 July 2017, 22:04 GMT
Last edited by Christian Hesse (eworm) - Friday, 06 October 2017, 13:02 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Thomas Bächler (brain0), Dave Reisner (falconindy)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring.
http://www.linux-pam.org/Linux-PAM-html/sag-pam_keyinit.html
Adding pam_keyinit support would allow the reverts used for FS#54670 to be removed.
It is already used by some Debian services
https://sources.debian.net/src/gdm3/3.22.3-4/debian/gdm3.gdm-password.pam/
and by Fedora, but without the force option, which would be required for the reverts for FS#54670 to be removed
https://src.fedoraproject.org/cgit/rpms/pam.git/tree/system-auth.pamd

Closed by Christian Hesse (eworm)
Friday, 06 October 2017, 13:02 GMT
Reason for closing: Implemented
Additional comments about closing: pambase 20171006-1
Comment by David McAdoo (geecroof) - Friday, 08 September 2017, 12:25 GMT
I think pam_keyinit should be added to login/system-login config rather than system-auth which is used by polkit and sudo. See quote from linked source:

"This module should not, generally, be invoked by programs like su, since it is usually desirable for the key set to percolate through to the alternate context. The keys have their own permissions system to manage this."

It's already included in /etc/pam.d/sddm config
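
An added example (not from the ticket, its commenters or the pambase package): a Python check that resolves `include`/`substack` lines to show which services end up running pam_keyinit when the rule sits in system-auth versus system-login, and whether `force` is set. The stack contents and the names `IN_SYSTEM_AUTH`, `IN_SYSTEM_LOGIN`, `keyinit_rules` and `services_with_keyinit` are constructed for illustration.

```python
import re

# Constructed sample stacks (not Arch's real pambase files): the same
# pam_keyinit line placed in system-auth versus system-login.
KEYINIT = "session optional pam_keyinit.so force revoke\n"
BASE = {
    "system-auth": "session required pam_unix.so\n",
    "system-login": "session include system-auth\n",
    "login": "session include system-login\n",
    "sudo": "session include system-auth\n",
    "polkit-1": "session include system-auth\n",
}
IN_SYSTEM_AUTH = {**BASE, "system-auth": KEYINIT + BASE["system-auth"]}
IN_SYSTEM_LOGIN = {**BASE, "system-login": KEYINIT + BASE["system-login"]}

# type, control (plain word or [bracketed]), module or include target, options
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def keyinit_rules(service, configs, seen=None):
    """Return (file, options) for each pam_keyinit session rule that applies
    to `service`, following include/substack into other files."""
    seen = set() if seen is None else seen
    if service in seen or service not in configs:
        return []
    seen.add(service)
    found = []
    for raw in configs[service].splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "session":
            continue
        control, target, opts = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            found += keyinit_rules(target, configs, seen)
        elif target.rsplit("/", 1)[-1] == "pam_keyinit.so":
            found.append((service, opts))
    return found

def services_with_keyinit(configs):
    """Map each service that ends up running pam_keyinit to whether any
    of its pam_keyinit rules carries the force option."""
    result = {}
    for svc in configs:
        rules = keyinit_rules(svc, configs)
        if rules:
            result[svc] = any("force" in opts for _, opts in rules)
    return result
```

To audit a real system, build the `configs` mapping from the files under /etc/pam.d, keyed by file name.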
Comment by loqs (loqs) - Monday, 18 September 2017, 19:16 GMT