Hello Marc, Hello Andreas (added to CC:),

* Marc Haber <mh+debian-packa...@zugschlus.de> [220206 12:36]:
> in sudo, we have currently the situation whether to add calls to
> pam_keyinit in our pam configuration files. There is quite a number of
> packages doing this, but the pam_keyinit documentation advises "programs
> like su" against doing so. However, in Debian, /etc/pam.d/su-l
> references pam_keyinit, while /etc/pam.d/su doesn't. On the other hand,
> doas doesn't seem to reference pam_keyinit at all.
>
> If sudo goes the way to mimic what su does, we would reference
> pam_keyinit in /etc/pam.d/sudo-i which is our form of giving the caller
> an interactive session, but not in /etc/pam.d/sudo.
>
> May I ask for your rationale to do things the way you did them for su and
> pam_keyinit? Your insights might help us to take a wise decision for
> sudo.
I do not know why this was done for su-l and not su. My speculation would be
that we have inherited the su-l PAM config from Fedora, and the su PAM config
from src:shadow before 2018. Maybe the distinction is an accident.

Andreas, you worked on the su takeover from src:shadow. Do you have insights
to share?

> On Sat, Feb 27, 2021 at 06:38:00PM +0100, Hilko Bengen wrote:
> > The pam_keyring(8) manpage advises against adding pam_keyinit
> >
> > ,----
> > | This module should not, generally, be invoked by programs like su,
> > | since it is usually desirable for the key set to percolate through to
> > | the alternate context. The keys have their own permissions system to
> > | manage this.
> > `----
> >
> > However, there's no mention of the issue described here.
> >
> > For what it's worth, RHEL/CentOS 7 ships an /etc/pam.d/sudo which
> > contains a line.
> >
> > ,----
> > | session optional pam_keyinit.so revoke
> > `----
> >
> > and they also seem to have different intended behavior for interactive
> > usage – there's a separate /etc/pam.d/sudo-i which contains
> >
> > ,----
> > | session optional pam_keyinit.so force revoke
> > `----

I will note that our runuser(-l) PAM config also mirrors this:

runuser:   session optional pam_keyinit.so revoke
runuser-l: session optional pam_keyinit.so force revoke

It would appear to me that keyutils and pam_keyinit, and most of the
util-linux PAM config originate in Fedora(/RH). The Fedora folks are probably
the ones to ask how all of this is supposed to work.

> Thanks for your help, which is greatly appreciated.

Sorry that I cannot add much useful info here.

Chris