On Thu, Jan 09, 2014 at 06:15:21PM -0800, Steve Langasek wrote:
> Control: clone -1 -2 -3 -4 -5
> Control: reassign -1 login
> Control: reassign -2 openssh-server
> Control: reassign -3 lightdm
> Control: reassign -4 gdm3
> Control: reassign -5 kdm
>
> Hi Russ,
>
> On Wed, Jan 08, 2014 at 07:00:54PM -0800, Russ Allbery wrote:
> > It would be better for any application that uses the kernel keyring
> > if pam_keyinit were run by default in the PAM session stack. Without
> > this module, users are placed in a default UID-based user session,
> > which doesn't isolate each session's keys.
>
> > Worse, currently (although this is a separate bug that's been
> > separately reported and may be fixed in the future), the kernel uses
> > the UID session for reading, but when writing creates a new session
> > keyring that's limited to children of the writing process. This
> > basically makes use of keyring Kerberos caches impossible unless one
> > does the equivalent of what pam_keyinit does first. It's rather
> > inobvious that this is necessary.
>
> > The problem with this, which will make it more complex, is that one
> > generally does not want to create a new session keyring when running
> > commands like su or sudo, just for login sessions, since you normally
> > want to preserve the user's existing credentials. I'm not sure what
> > this means for how to achieve this configuration.
>
> Unfortunately, there's no central way to configure PAM modules only for use
> in login sessions. As with pam_selinux and pam_loginuid, the only way to do
> this is for each service to include the module directly in their own PAM
> config.
>
> Cloning this bug and reassigning it to the usual suspects.
As said on IRC, it would have been nice to actually receive that in my mail, instead of just the clone/reassign from owner@b.d.o, but eh.

Notwithstanding the local fixes in the various packages, wouldn't it be possible to have a common file to be included by those “pure login” services, the way we have common-*? I'm not really knowledgeable about the whole PAM configuration in Debian, but if multiple modules are in the same situation, it might make sense.

What do you think?

Regards,
-- 
Yves-Alexis
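As an added illustration of the configuration shape being discussed (this is example code, not part of the thread, of any Debian package, or of pam_keyinit itself), the POSIX shell audit below expands Debian-style @include lines, reports whether each of the five reassigned login services (login, sshd, lightdm, gdm3, kdm) loads pam_keyinit.so in its session stack, and separately flags su/sudo stacks that pass pam_keyinit the documented force option, which replaces the invoking process's session keyring unconditionally rather than preserving the caller's credentials. The sample pam.d tree, including a hypothetical common-session-login include file of the kind Yves-Alexis asks about, is constructed in a temporary directory for the demo and is not an existing Debian file.

```shell
#!/bin/sh
# Audit which PAM services load pam_keyinit.so in their session stack.
# Example code; the pam.d tree below is constructed for the demo.

# Regex for a session line that loads pam_keyinit (either "session" or the
# "-session" form that silences "module not found").
KEYINIT_RE='^[[:space:]]*-?session[[:space:]].*pam_keyinit\.so'

# Services that open a fresh login session, per the thread: these should
# get a new session keyring.  su/sudo run inside an existing session and
# the thread argues they should keep the caller's keyring.
LOGIN_SERVICES="login sshd lightdm gdm3 kdm"
NONLOGIN_SERVICES="su sudo"

# pam_expand DIR SERVICE: print SERVICE's effective stack, following
# Debian's "@include FILE" lines recursively and dropping comments/blanks.
# An @include pointing at a missing file is skipped silently, as PAM does.
pam_expand() {
    [ -f "$1/$2" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*) ;;
            @include*) pam_expand "$1" "${line#@include }" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1/$2"
}

# pam_keyinit_status DIR SERVICE: "present" or "absent".
pam_keyinit_status() {
    if pam_expand "$1" "$2" | grep -Eq "$KEYINIT_RE"; then
        echo present
    else
        echo absent
    fi
}

# pam_keyinit_audit DIR: one line per finding, nothing when all is well.
pam_keyinit_audit() {
    for s in $LOGIN_SERVICES; do
        [ "$(pam_keyinit_status "$1" "$s")" = present ] || echo "MISSING: $s"
    done
    for s in $NONLOGIN_SERVICES; do
        # "force" makes pam_keyinit replace the session keyring unconditionally,
        # so su/sudo would lose the caller's keys.
        if pam_expand "$1" "$s" | grep -E "$KEYINIT_RE" \
            | grep -Eq '(^|[[:space:]])force([[:space:]]|$)'; then
            echo "FORCES-NEW-KEYRING: $s"
        fi
    done
}

# make_sample_pamd: build a constructed pam.d tree in a temp dir and print
# its path.  Not real system files.
make_sample_pamd() {
    d=$(mktemp -d)
    cat > "$d/common-session" <<'EOF'
# constructed sample, shaped like Debian's common-session
session [default=1] pam_permit.so
session requisite   pam_deny.so
session required    pam_permit.so
session required    pam_unix.so
EOF
    # Hypothetical include for "pure login" services only (an assumption for
    # this demo, not an existing Debian file): where a pam_keyinit line lives.
    cat > "$d/common-session-login" <<'EOF'
session optional pam_keyinit.so force revoke
EOF
    for s in login sshd lightdm gdm3; do
        printf '@include common-session\n@include common-session-login\n' > "$d/$s"
    done
    # kdm only pulls in common-session: the audit should flag it.
    printf '@include common-session\n' > "$d/kdm"
    # su keeps the caller's keyring: no pam_keyinit at all.
    printf '@include common-session\n' > "$d/su"
    # sudo configured with force: would replace the caller's session keyring.
    printf 'session optional pam_keyinit.so force revoke\n@include common-session\n' > "$d/sudo"
    echo "$d"
}

# Stand-alone demo: build the sample tree, audit it, clean up.
sample=$(make_sample_pamd)
pam_keyinit_audit "$sample"
rm -rf "$sample"
```

Pointing pam_keyinit_audit at a real /etc/pam.d shows at a glance which login services would still drop users into the shared UID session keyring; the expander is what makes a common include file (rather than per-service copies) show up correctly in the result.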