Control: clone -1 -2 -3 -4 -5
Control: reassign -1 login
Control: reassign -2 openssh-server
Control: reassign -3 lightdm
Control: reassign -4 gdm3
Control: reassign -5 kdm
Hi Russ,

On Wed, Jan 08, 2014 at 07:00:54PM -0800, Russ Allbery wrote:
> It would be better for any application that uses the kernel keyring
> if pam_keyinit were run by default in the PAM session stack. Without
> this module, users are placed in a default UID-based user session,
> which doesn't isolate each session's keys.
>
> Worse, currently (although this is a separate bug that's been
> separately reported and may be fixed in the future), the kernel uses
> the UID session for reading, but when writing creates a new session
> keyring that's limited to children of the writing process. This
> basically makes use of keyring Kerberos caches impossible unless one
> does the equivalent of what pam_keyinit does first. It's rather
> inobvious that this is necessary.
>
> The problem with this, which will make it more complex, is that one
> generally does not want to create a new session keyring when running
> commands like su or sudo, just for login sessions, since you normally
> want to preserve the user's existing credentials. I'm not sure what
> this means for how to achieve this configuration.

Unfortunately, there's no central way to configure PAM modules only for use in login sessions. As with pam_selinux and pam_loginuid, the only way to do this is for each service to include the module directly in their own PAM config.

Cloning this bug and reassigning it to the usual suspects.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
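Since the message above says each login service has to carry pam_keyinit in its own PAM config (and su/sudo should not), here is an added audit script, not part of the bug report or of any Debian package, that reports which service files under a PAM directory load pam_keyinit.so in their session stack. The sample service files it writes are constructed for the demo; `pam_keyinit_audit` and `pam_keyinit_demo` are names chosen here.

```shell
#!/bin/sh
# Added example: audit per-service pam_keyinit coverage in a PAM directory.
# Prints "<service> keyinit" when an uncommented session line loads
# pam_keyinit.so, otherwise "<service> missing". Lines reached only via
# "@include common-session" are deliberately not followed: putting
# pam_keyinit there would also affect su and sudo, which is what the
# report above wants to avoid.
# Usage: pam_keyinit_audit [PAMDIR]   (defaults to /etc/pam.d)
pam_keyinit_audit() {
    dir="${1:-/etc/pam.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svc=$(basename "$f")
        # Accept "session ..." and "-session ..." (silently-optional form);
        # a leading "#" never matches, so commented-out lines count as missing.
        if grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_keyinit\.so' "$f"; then
            echo "$svc keyinit"
        else
            echo "$svc missing"
        fi
    done
}

# Constructed sample directory (not a real system): login carries the
# module with the usual "force revoke" options, lightdm only has it
# commented out, and su correctly has no pam_keyinit line at all.
pam_keyinit_demo() {
    tmp=$(mktemp -d)
    printf 'session optional pam_keyinit.so force revoke\n@include common-session\n' > "$tmp/login"
    printf '# session optional pam_keyinit.so\n@include common-session\n' > "$tmp/lightdm"
    printf 'auth sufficient pam_rootok.so\n@include common-session\n' > "$tmp/su"
    pam_keyinit_audit "$tmp"
    rm -rf "$tmp"
}
```

Run `pam_keyinit_audit` against a live /etc/pam.d to see which of login, sshd, lightdm, gdm3 and kdm still lack the line; `keyctl show` in a fresh login session confirms the result by listing a per-session keyring rather than the shared UID one.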