X-Debbugs-CC: vor...@debian.org
thanks

On Sat, Feb 27, 2021 at 06:38:00PM +0100, Hilko Bengen wrote:
> The pam_keyring(8) manpage advises against adding pam_keyinit.
> 
> ,----
> | This module should not, generally, be invoked by programs like su,
> | since it is usually desirable for the key set to percolate through to
> | the alternate context. The keys have their own permissions system to
> | manage this.
> `----
> 
> However, there's no mention of the issue described here.
> 
> For what it's worth, RHEL/CentOS 7 ships an /etc/pam.d/sudo which
> contains the line
> 
> ,----
> | session    optional     pam_keyinit.so revoke
> `----
> 
> and they also seem to have different intended behavior for interactive
> usage – there's a separate /etc/pam.d/sudo-i which contains
> 
> ,----
> | session    optional     pam_keyinit.so force revoke
> `----

So we need to make up our minds whether to follow the pam_keyinit
maintainers or Red Hat. Maybe the PAM maintainer can comment here?

Greetings
Marc
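As an added example (not part of the thread or of any Debian package), a small POSIX shell check that reports whether a PAM service file runs pam_keyinit in its session stack and with which options, so the Debian and RHEL layouts discussed above can be compared on a real system; the sample files, which reproduce the RHEL lines quoted above, and the function name `pam_keyinit_mode` are constructed for this example, and `@include` directives are not followed.

```shell
# Constructed sample PAM service files mirroring the lines quoted in the thread.
pamdir=$(mktemp -d)
trap 'rm -rf "$pamdir"' EXIT
printf 'session    optional     pam_keyinit.so revoke\n' > "$pamdir/sudo"
printf '# comment lines are ignored\nsession    optional     pam_keyinit.so force revoke\n' > "$pamdir/sudo-i"
printf 'session    [default=ignore] pam_keyinit.so force revoke\n' > "$pamdir/sudo-bracket"
printf 'session    required     pam_unix.so\n' > "$pamdir/sudo-nokeyinit"

# pam_keyinit_mode FILE
# Prints "absent" if no session-type pam_keyinit line exists, "default" if the
# module is listed without options, otherwise the option words (e.g. "revoke",
# "force revoke"). Only the first matching line is reported; @include is not followed.
pam_keyinit_mode() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        {
            type = $1; sub(/^-/, "", type)            # "-session" means silent-if-missing
            if (type != "session") next
            i = 2
            if ($2 ~ /^\[/) {                         # bracketed control value may contain spaces
                while (i <= NF && $i !~ /\]$/) i++
            }
            i++                                       # i now indexes the module path
            if ($i !~ /pam_keyinit\.so$/) next
            opts = ""
            for (j = i + 1; j <= NF; j++) opts = opts (opts == "" ? "" : " ") $j
            print (opts == "" ? "default" : opts)
            found = 1
            exit
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# Report the two interactive/non-interactive services side by side.
for svc in sudo sudo-i; do
    printf '%s: %s\n' "$svc" "$(pam_keyinit_mode "$pamdir/$svc")"
done
```

Point `pamdir` at a live /etc/pam.d to audit an installed system; "force revoke" on sudo-i means the caller's session keyring is replaced and then revoked at session end, while plain "revoke" only revokes.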
