On Thu, Jan 09, 2014 at 06:20:55PM -0800, Russ Allbery wrote:
> Steve Langasek <vor...@debian.org> writes:

> > Unfortunately, there's no central way to configure PAM modules only for
> > use in login sessions.  As with pam_selinux and pam_loginuid, the only
> > way to do this is for each service to include the module directly in
> > their own PAM config.

> I gather this isn't the same thing as what common-session-noninteractive
> is for?  I hadn't completely followed how that worked.

Unfortunately not.  Ultimately, there are two axes that we care about for
PAM sessions:  interactive vs. noninteractive sessions, and login vs.
non-login sessions.  pam-auth-update currently only caters to modules that
are suitable for both login and non-login sessions.

> Regardless, thanks!  I spent some time day before yesterday debugging this
> with MIT Kerberos upstream, since the behavior of keyring caches without
> an active session is really weird.  Everything works but then the results
> disappear.

I had vaguely wondered why I hadn't seen any sign of pam_keyinit being used
before now. :)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org

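An added example, not part of the original message: a small audit of which login services pull a login-only module such as pam_keyinit into their own session stack, and which non-login services would also run it. The /etc/pam.d contents, the service names and the function names below are constructed assumptions for illustration.

```python
import re

# Constructed sample of a Debian-style /etc/pam.d tree (assumption, not from the thread).
SAMPLE_PAM_D = {
    "common-session": "session required pam_unix.so\n",
    "common-session-noninteractive": "session required pam_unix.so\n",
    "login": "session required pam_loginuid.so\n"
             "session optional pam_keyinit.so force revoke\n"
             "@include common-session\n",
    "sshd": "session required pam_loginuid.so  # no keyring module here\n"
            "@include common-session\n",
    "cron": "session required pam_loginuid.so\n"
            "@include common-session-noninteractive\n",
}

# type (optionally "-" prefixed), control (word or [bracketed]), module path
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def session_modules(pam_d, service, seen=None):
    """List the session modules a service runs, following includes."""
    seen = set() if seen is None else seen
    if service in seen or service not in pam_d:
        return []                      # cycle guard / missing file
    seen.add(service)
    mods = []
    for line in pam_d[service].replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("@include"):        # Debian-style include
            mods += session_modules(pam_d, line.split()[1], seen)
            continue
        m = RULE.match(line)
        if not m or m.group(1) != "session":
            continue
        if m.group(2) in ("include", "substack"):
            mods += session_modules(pam_d, m.group(3), seen)
        else:
            mods.append(m.group(3).rsplit("/", 1)[-1])
    return mods

def audit(pam_d, login_services, module):
    """Per login service: is `module` in its session stack?"""
    return {s: module in session_modules(pam_d, s) for s in login_services}

def non_login_users(pam_d, login_services, module):
    """Services outside the login list that would still run `module`."""
    return sorted(s for s in pam_d if s not in login_services
                  and not s.startswith("common-")
                  and module in session_modules(pam_d, s))
```

To run it against a real system, build the dictionary from the files under /etc/pam.d and pass the list of services you treat as login entry points.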