X-Debbugs-CC: vor...@debian.org

thanks

On Sat, Feb 27, 2021 at 06:38:00PM +0100, Hilko Bengen wrote:
> The pam_keyring(8) manpage advises against adding pam_keyinit
>
> ,----
> | This module should not, generally, be invoked by programs like su,
> | since it is usually desirable for the key set to percolate through to
> | the alternate context. The keys have their own permissions system to
> | manage this.
> `----
>
> However, there's no mention of the issue described here.
>
> For what it's worth, RHEL/CentOS 7 ships an /etc/pam.d/sudo which
> contains a line.
>
> ,----
> | session optional pam_keyinit.so revoke
> `----
>
> and they also seem to have different intended behavior for interactive
> usage – there's a separate /etc/pam.d/sudo-i which contains
>
> ,----
> | session optional pam_keyinit.so force revoke
> `----
So we need to make up our minds whether to follow up the pam_keyinit
maintainers or Red Hat. Maybe the PAM maintainer can comment here?

Greetings
Marc
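As an added example (not code from this bug report, from the Debian package, or from Linux-PAM), the following script parses pam.d-style stack files and reports how pam_keyinit is configured in the session stack, so the "revoke" versus "force revoke" difference discussed above can be checked mechanically. The file contents embedded below are constructed to resemble the RHEL/CentOS 7 lines quoted in the thread; the Debian-style fragment is likewise made up, and exists only to exercise @include lines, the "-" optional-module prefix, bracketed control values and backslash continuation. The option descriptions in the comments paraphrase pam_keyinit(8).

```python
"""Parse /etc/pam.d-style files and report how pam_keyinit is configured.

Added example; not code from the bug report or from Linux-PAM.
All file bodies below are constructed samples, not copies of real files.
"""
import re
from dataclasses import dataclass, field


@dataclass
class PamEntry:
    type: str                       # auth / account / password / session, or '@include'
    control: str                    # required / optional / [success=1 default=ignore] ...
    module: str                     # e.g. pam_keyinit.so (for '@include': the included file)
    args: list = field(default_factory=list)
    optional_module: bool = False   # leading '-': a missing module is not logged as an error


# control field is either a bracketed spec or a single word; the rest is module + args
_CONTROL_RE = re.compile(r'^(\[[^\]]*\]|\S+)\s*(.*)$')


def parse_pam_file(text):
    """Return a list of PamEntry parsed from the body of a pam.d file.

    Handles '#' comments, blank lines, backslash line continuation,
    the '-type' optional-module prefix and bracketed control fields.
    '@include' directives are recorded as entries (type '@include',
    module = target file) and are not followed.
    """
    entries = []
    pending = []                                   # pieces of a continued logical line
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()       # strip comments and trailing space
        if not line.strip():
            continue
        if line.endswith('\\'):                    # continuation: accumulate and keep going
            pending.append(line[:-1])
            continue
        pending.append(line)
        line = ' '.join(pending).strip()
        pending = []
        if line.startswith('@include'):
            parts = line.split(None, 1)
            entries.append(PamEntry('@include', '', parts[1].strip() if len(parts) > 1 else ''))
            continue
        typ, rest = (line.split(None, 1) + [''])[:2]
        optional = typ.startswith('-')
        typ = typ.lstrip('-')
        m = _CONTROL_RE.match(rest.strip())
        if not m or not m.group(2).split():
            raise ValueError(f'cannot parse PAM line: {raw!r}')
        control, module_and_args = m.group(1), m.group(2).split()
        entries.append(PamEntry(typ, control, module_and_args[0], module_and_args[1:], optional))
    return entries


def keyinit_settings(text):
    """Return (control, args) for every session-stack pam_keyinit.so line."""
    return [(e.control, tuple(e.args)) for e in parse_pam_file(text)
            if e.type == 'session' and e.module == 'pam_keyinit.so']


def describe_keyinit_args(args):
    """Human-readable summary of pam_keyinit options (paraphrasing pam_keyinit(8))."""
    meaning = {
        'force': 'replace the session keyring unconditionally, even if one already exists',
        'revoke': 'revoke the session keyring when the PAM session is closed',
        'debug': 'log debugging information',
    }
    return [meaning.get(a, f'unknown option {a!r}') for a in args]


# --- constructed samples (resembling, not copied from, the quoted RHEL/CentOS 7 files) ---
SAMPLE_SUDO = """\
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
"""

SAMPLE_SUDO_I = """\
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
"""

# made-up Debian-style fragment used only to exercise parser features
SAMPLE_DEBIAN_STYLE = """\
@include common-auth
@include common-account
session  [success=1 default=ignore]  pam_succeed_if.so quiet  \\
          user ingroup sudo
-session optional     pam_keyinit.so revoke     # optional module, may be absent
@include common-session-noninteractive
"""

if __name__ == '__main__':
    for name, body in (('sudo', SAMPLE_SUDO), ('sudo-i', SAMPLE_SUDO_I), ('debian-style', SAMPLE_DEBIAN_STYLE)):
        for control, args in keyinit_settings(body):
            print(f'{name}: pam_keyinit.so {control} {" ".join(args)} -> {describe_keyinit_args(args)}')
```

To inspect a real system, pass the text of /etc/pam.d/sudo and /etc/pam.d/sudo-i to keyinit_settings(); because @include targets are recorded but not followed, a pam_keyinit line that lives in an included file (such as common-session) has to be checked by reading that file too.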