[Pkg-xfce-devel] Bug#734817: Bug#734671: enable pam_keyinit by default

Yves-Alexis Perez corsac at debian.org
Fri Jan 10 07:10:27 UTC 2014


On Thu, Jan 09, 2014 at 06:15:21PM -0800, Steve Langasek wrote:
> Control: clone -1 -2 -3 -4 -5
> Control: reassign -1 login
> Control: reassign -2 openssh-server
> Control: reassign -3 lightdm
> Control: reassign -4 gdm3
> Control: reassign -5 kdm
> 
> Hi Russ,
> 
> On Wed, Jan 08, 2014 at 07:00:54PM -0800, Russ Allbery wrote:
> > It would be better for any application that uses the kernel keyring
> > if pam_keyinit were run by default in the PAM session stack.  Without
> > this module, users are placed in a default UID-based user session,
> > which doesn't isolate each session's keys.
> 
> > Worse, currently (although this is a separate bug that's been
> > separately reported and may be fixed in the future), the kernel uses
> > the UID session for reading, but when writing creates a new session
> > keyring that's limited to children of the writing process.  This
> > basically makes use of keyring Kerberos caches impossible unless one
> > does the equivalent of what pam_keyinit does first.  It's rather
> > inobvious that this is necessary.
> 
> > The problem with this, which will make it more complex, is that one
> > generally does not want to create a new session keyring when running
> > commands like su or sudo, just for login sessions, since you normally
> > want to preserve the user's existing credentials.  I'm not sure what
> > this means for how to achieve this configuration.
> 
> Unfortunately, there's no central way to configure PAM modules only for use
> in login sessions.  As with pam_selinux and pam_loginuid, the only way to do
> this is for each service to include the module directly in their own PAM
> config.
> 
> Cloning this bug and reassigning it to the usual suspects.

As said on IRC, it would have been nice to actually receive that in my mail,
instead of just the clone/reassign from owner at b.d.o, but eh.

Notwithstanding the local fixes in the various packages, wouldn't it
be possible to have a common file to be included for those “pure login”
services, the way we have common-*?

I'm not really knowledgeable about the whole PAM configuration in
Debian, but if multiple modules are in the same situation, it might make
sense. What do you think?

Regards,
-- 
Yves-Alexis
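As an added illustration (not part of this thread, nor code from any Debian package), the check below walks /etc/pam.d-style service files, follows Debian's @include directives, and reports which login services lack pam_keyinit in their session stack and which su/sudo-type services run it, which is the per-service situation the reassignments above describe. The PAMD sample is constructed inline; the login service list is taken from the reassigned packages.

```python
import re

# Constructed sample of /etc/pam.d (not any real system's files). Entries are
# "type control module [args]" or Debian's "@include file" directive.
PAMD = {
    "common-session": "session [default=1] pam_permit.so\nsession required pam_unix.so\n",
    "login": (
        "session optional pam_loginuid.so\n"
        "session optional pam_keyinit.so force revoke\n"
        "@include common-session\n"
    ),
    "sshd": "session optional pam_loginuid.so\n@include common-session\n",
    "su": "session required pam_env.so readenv=1\n@include common-session\n",
    # Deliberately wrong: a fresh session keyring here hides the caller's keys.
    "sudo": "session optional pam_keyinit.so revoke\n@include common-session\n",
}
LOGIN_SERVICES = ("login", "sshd", "lightdm", "gdm3", "kdm")
NON_LOGIN_SERVICES = ("su", "sudo")
# type, control (a word or a "[k=v ...]" group), module, optional arguments
ENTRY = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def session_stack(service, files, seen=None):
    """Expanded (control, module, args) session entries, following @include."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:  # absent file: empty stack
        return []
    seen.add(service)
    stack = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = ENTRY.match(line)
        if line.startswith("@include"):
            stack.extend(session_stack(line.split()[1], files, seen))
        elif m and m.group(1) == "session":
            stack.append((m.group(2), m.group(3), tuple(m.group(4).split())))
    return stack

def has_keyinit(service, files):
    """True if pam_keyinit appears anywhere in the service's session stack."""
    return any(m.endswith("pam_keyinit.so") for _, m, _ in session_stack(service, files))

def audit(files):
    """(login services lacking pam_keyinit, non-login services running it)."""
    missing = [s for s in LOGIN_SERVICES if s in files and not has_keyinit(s, files)]
    wrong = [s for s in NON_LOGIN_SERVICES if s in files and has_keyinit(s, files)]
    return missing, wrong

if __name__ == "__main__":
    print(audit(PAMD))  # (['sshd'], ['sudo'])
```

Pointing `files` at a dict read from a real /etc/pam.d would audit an installed system the same way; services with no file present are skipped rather than reported.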