I wanted to do some kind of tutorial (https://gitlab.com/BrunoVernay/systemd-playground/tree/master/12-keyring) on the subject, but I don't find a lot of resources (apart from "reference documentation").

This might be helpful: https://mjg59.dreamwidth.org/37333.html

On Thu, Dec 6, 2018 at 12:57 PM Sietse van Zanen <[email protected]> wrote:
> Hi Dinesh,
>
> Did you do a 'keyctl link @us @s' after logging in?
>
> And could you tell me how you achieve 2. Because according to documentation
> it is not possible to have systemd-ask-password insert a key into a user's
> keylist:
>
>     --keyname=
>         Configure a kernel keyring key name to use as cache for the
>         password. If set, then the tool will try to push any collected
>         passwords into the kernel keyring of the root user
>
> -Sietse
> ________________________________________
> From: systemd-devel <[email protected]> on
> behalf of Dinesh Prasanth Moluguwan Krishnamoorthy <[email protected]>
> Sent: Thursday, December 6, 2018 04:11
> To: [email protected]
> Subject: [systemd-devel] Systemd and kernel keyring
>
> Hi team,
>
> I'm working on accessing kernel keyring in my application started using
> systemd.
>
> The list of steps I'm doing:
>
> 1. Starting a systemd service with `KeyringMode=shared` as a SPECIFIC USER
> 2. In the `ExecStartPre`, I'm launching a subprocess that invokes
>    `systemd-ask-password` to accept the input and store it in the USER's
>    kernel keyring
> 3. In the main program started using `ExecStart`, I'm accessing the
>    value stored in the keyring
>
> I'm able to access the values from my main program -- everything works
> as expected! When I try to login as that specific user and do a `keyctl
> show @u`, I find the entry.
>
> However, when I try to do `keyctl print <keyID>`, it throws "Permission
> Denied" error. IIUC, this protects the keys in the keyring from being
> accessed outside the systemd service. Is it the desired behaviour?
>
> I have the sample systemd unit file available in [1].
>
> [1] https://github.com/SilleBille/keyctl-java-test/blob/master/pki-tomcatd-nuxwdog%40pki-tomcat.service
>
> Thanks,
> Dinesh
>
> _______________________________________________
> systemd-devel mailing list
> [email protected]
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- 
Bruno VERNAY
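As an added illustration that is not part of this thread: the "Permission Denied" from `keyctl print` while `keyctl show @u` still lists the key comes down to the key's permission mask, which the kernel splits into possessor, user, group and other bytes, with the possessor byte added on top of whichever of the other three applies. The Python below (written for this page, not code from systemd or keyutils) parses the raw `keyctl rdescribe` line format `type;uid;gid;perm;description`, an assumption about that tool's output, on a constructed sample line carrying the mask a freshly added user-type key gets by default (possessor: everything, owner: view only), and works out whether a caller that does or does not possess the key may read its payload.

```python
# Decode a raw `keyctl rdescribe <id>` line ("type;uid;gid;perm;desc",
# perm as 8 hex digits) and decide whether a caller may read the payload,
# i.e. whether `keyctl print` would succeed or fail with EACCES.
#
# Kernel layout of the 32-bit permission mask (include/linux/key.h):
#   bits 24..31 possessor, 16..23 user (owner), 8..15 group, 0..7 other;
#   within each byte: view=0x01 read=0x02 write=0x04 search=0x08
#   link=0x10 setattr=0x20.
PERM_BITS = {"view": 0x01, "read": 0x02, "write": 0x04,
             "search": 0x08, "link": 0x10, "setattr": 0x20}
SUBJECT_SHIFT = {"possessor": 24, "user": 16, "group": 8, "other": 0}

# Constructed sample: a "user" type key owned by uid/gid 1000 with the
# default mask 0x3f010000 (possessor has all six bits, owner only "view").
SAMPLE_LINE = "user;1000;1000;3f010000;svc-secret"


def parse_rdescribe(line):
    """Split one rdescribe line into its fields; perm becomes an int."""
    ktype, uid, gid, perm, desc = line.strip().split(";", 4)
    return {"type": ktype, "uid": int(uid), "gid": int(gid),
            "perm": int(perm, 16), "desc": desc}


def perms_for(mask, subject):
    """Return the set of permission names one subject class holds."""
    byte = (mask >> SUBJECT_SHIFT[subject]) & 0xFF
    return {name for name, bit in PERM_BITS.items() if byte & bit}


def effective_perms(key, uid, gid, possesses):
    """Mirror the kernel's rule: exactly one of user/group/other applies
    (chosen by uid, then gid), and possessor bits are added on top."""
    if uid == key["uid"]:
        granted = perms_for(key["perm"], "user")
    elif gid == key["gid"]:
        granted = perms_for(key["perm"], "group")
    else:
        granted = perms_for(key["perm"], "other")
    if possesses:
        granted |= perms_for(key["perm"], "possessor")
    return granted


def can_read(key, uid, gid, possesses):
    """`keyctl print` needs "read"; `keyctl show` only needs "view"."""
    return "read" in effective_perms(key, uid, gid, possesses)


if __name__ == "__main__":
    key = parse_rdescribe(SAMPLE_LINE)
    # Same uid, but the login shell's session does not possess the key:
    print("login shell can print:", can_read(key, 1000, 1000, False))
    # After the key's keyring is linked into the session (keyctl link):
    print("after linking can print:", can_read(key, 1000, 1000, True))
```

The owner sees the key (view) but cannot read it until a keyring holding it is linked into their session, which is the effect of the `keyctl link @us @s` suggested above.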
