Package: libpam-runtime
Version: 1.1.3-10
Severity: wishlist

It would be better for any application that uses the kernel keyring if pam_keyinit were run by default in the PAM session stack. Without this module, users are placed in a default UID-based user session, which doesn't isolate each session's keys.
Worse, currently (although this is a separate bug that's been separately reported and may be fixed in the future), the kernel uses the UID session for reading, but when writing creates a new session keyring that's limited to children of the writing process. This basically makes use of keyring Kerberos caches impossible unless one does the equivalent of what pam_keyinit does first. It's rather inobvious that this is necessary.

The problem with this, which will make it more complex, is that one generally does not want to create a new session keyring when running commands like su or sudo, just for login sessions, since you normally want to preserve the user's existing credentials. I'm not sure what this means for how to achieve this configuration.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-runtime depends on:
ii  debconf [debconf-2.0]  1.5.52
ii  libpam-modules         1.1.3-10

libpam-runtime recommends no packages.

libpam-runtime suggests no packages.

-- debconf information:
  libpam-runtime/profiles: unix, systemd, consolekit
  libpam-runtime/no_profiles_chosen:
  libpam-runtime/conflicts:
  libpam-runtime/title:
  libpam-runtime/override: false
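As an added example (not part of the bug report or of libpam-runtime), a small POSIX sh audit that resolves Debian-style `@include` lines and reports, per PAM service, whether pam_keyinit would create a fresh session keyring. The /etc/pam.d layout it checks is constructed inline; the pam_keyinit behaviour it assumes is the documented one (without `force` the module only replaces the UID-default session keyring, with `force` it always creates a new one).

```shell
#!/bin/sh
# Added example, not from the bug report: audit which PAM services would get
# a fresh session keyring from pam_keyinit. Debian services pull shared
# stacks in with "@include", so a module added to common-session is seen by
# every service that includes it, which is the su/sudo concern raised above.
# pam_keyinit facts assumed here: without "force" it only replaces the
# UID-default session keyring; with "force" it always creates a new one.

# Print the session lines of SERVICE under PAMDIR, expanding @include.
session_stack() {
    pamdir=$1
    file="$pamdir/$2"
    [ -f "$file" ] || return 0
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') ;;
            @include*) session_stack "$pamdir" "${line#@include }" ;;
            session*) printf '%s\n' "$line" ;;
        esac
    done < "$file"
}

# Classify SERVICE: force (always new keyring), present (new keyring only if
# the caller still has the UID-default one), absent (keyring left untouched).
keyinit_mode() {
    session_stack "$1" "$2" | awk '
        /pam_keyinit\.so/ { found = 1
                            if ($0 ~ /(^|[ \t])force([ \t]|$)/) force = 1 }
        END { print (force ? "force" : (found ? "present" : "absent")) }'
}

# Constructed sample /etc/pam.d layout (not copied from any system): login
# runs pam_keyinit itself, su and sudo only include the shared stacks.
make_sample_pamdir() {
    d=$(mktemp -d)
    printf '%s\n' 'session optional pam_keyinit.so force revoke' \
        '@include common-session' > "$d/login"
    printf '%s\n' '@include common-session' > "$d/su"
    printf '%s\n' '@include common-session-noninteractive' > "$d/sudo"
    printf '%s\n' 'session required pam_unix.so' \
        'session optional pam_systemd.so' > "$d/common-session"
    printf '%s\n' 'session required pam_unix.so' > "$d/common-session-noninteractive"
    echo "$d"
}

dir=$(make_sample_pamdir)
for svc in login su sudo; do
    printf '%-6s %s\n' "$svc" "$(keyinit_mode "$dir" "$svc")"
done
rm -rf "$dir"
```

Appending a `pam_keyinit.so` line to the sample common-session and re-running shows su switching from `absent` to `present` while sudo, which includes only common-session-noninteractive, stays `absent`.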