Your message dated Thu, 19 Jan 2017 18:20:00 +0000
with message-id <[email protected]>
and subject line Bug#734671: fixed in shadow 1:4.4-2
has caused the Debian Bug report #734671,
regarding enable pam_keyinit by default
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
734671: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734671
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-runtime
Version: 1.1.3-10
Severity: wishlist
It would be better for any application that uses the kernel keyring
if pam_keyinit were run by default in the PAM session stack. Without
this module, users are placed in a default UID-based user session,
which doesn't isolate each session's keys.
Worse, currently (although this is a separate bug that's been
separately reported and may be fixed in the future), the kernel uses
the UID session for reading, but when writing creates a new session
keyring that's limited to children of the writing process. This
basically makes use of keyring Kerberos caches impossible unless one
does the equivalent of what pam_keyinit does first. It's rather
inobvious that this is necessary.
The problem with this, which will make it more complex, is that one
generally does not want to create a new session keyring when running
commands like su or sudo, just for login sessions, since you normally
want to preserve the user's existing credentials. I'm not sure what
this means for how to achieve this configuration.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libpam-runtime depends on:
ii debconf [debconf-2.0] 1.5.52
ii libpam-modules 1.1.3-10
libpam-runtime recommends no packages.
libpam-runtime suggests no packages.
-- debconf information:
libpam-runtime/profiles: unix, systemd, consolekit
libpam-runtime/no_profiles_chosen:
libpam-runtime/conflicts:
libpam-runtime/title:
libpam-runtime/override: false
--- End Message ---
--- Begin Message ---
Source: shadow
Source-Version: 1:4.4-2
We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Balint Reczey <[email protected]> (supplier of updated shadow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 19 Jan 2017 18:22:49 +0100
Source: shadow
Binary: passwd login uidmap
Architecture: source
Version: 1:4.4-2
Distribution: unstable
Urgency: medium
Maintainer: Shadow package maintainers
<[email protected]>
Changed-By: Balint Reczey <[email protected]>
Description:
login - system login tools
passwd - change and administer password and group data
uidmap - programs to help use subuids
Closes: 663117 734609 734671 747115 747313 759113 768020 772470 777107 800553
805182 817971 824391 830255 850338
Changes:
shadow (1:4.4-2) unstable; urgency=medium
.
[ Balint Reczey ]
* Update homepage to new upstream
* Always use /bin/sh shell in the build (Closes: #817971)
* Replace user´s -> user's to make login.def file valid ASCII
(Closes: #850338)
* Update patch naming docmentation
* Fix typos in German man pages (Closes: #734609)
* Send 1000_configure_userns patch upstream
* Add call to pam_keyinit for login pam service.
This module is linux-any only, so copy what openssh has already done and
remove the call at build time for other architectures.
The call to this module is needed to have proper per-session kernel
keyring. (Closes: #734671)
* Add pts/0 and pts/1 to securetty (Closes: #830255)
* Add ttySAC* to securetty (Closes: #824391)
* Add ttySC[4-9] to securetty (Closes: #768020)
.
[ Laurent Bigonville ]
* Move pam_selinux open call higher in the session stack (Closes: #747313)
.
[ Christian Perrier ]
* Fix typos in login.pam (thanks to Jakub Wilk for reporting)
(Closes: #747115)
* Include groupmems(8) in the passwd package (Closes: #663117)
.
[ Frans Spiesschaert ]
* Dutch translation update (Closes: #772470)
.
[ Trần Ngọc Quân ]
* Update Vietnamese translation (Closes: #777107)
.
[ Miroslav Kuře ]
* Updated Czech translation. (Closes: #759113)
.
[ Holger Wansing ]
* Update for German man pages
.
[ Thomas Blein ]
* French manpage translation (Closes: #805182)
.
[ Lars Bahner ]
* Fix some spelling issues in the Norwegian translation (Closes: #800553)
Checksums-Sha1:
78bd8c80c4403467db2ce9fbf2893816ef58c4b2 2262 shadow_4.4-2.dsc
25d2dfd6ab86a9620cfad9f73735d65271ab28e9 600592 shadow_4.4-2.debian.tar.xz
Checksums-Sha256:
a57f2b28f751e32b6890c7e1dc1608e5df0a0acd1229239fee902e6586ddf035 2262
shadow_4.4-2.dsc
b866a5736664268bc81864278772cd2d5444929d1195a2acd42c5d5245edf486 600592
shadow_4.4-2.debian.tar.xz
Files:
e1a9651dffd03b9b0cea69d59453ecca 2262 admin required shadow_4.4-2.dsc
4992d2679578eed217df2630aba2f860 600592 admin required
shadow_4.4-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJYgP3ZAAoJEPZk0la0aRp9ZC8P/jc+6MTvnpecD8hTY4+ydC43
sB+2v4FyxKuIhLfcwszc1c5jUjLnngnqaXX7XmwHkCyK/JWyB4Y9REHbwjAzgtn+
N/CR4tBOljZOgnv5ZZ9REO0OQ1CkCkffpl4oN2n+qZHv39d97pz75Pz+e/OzEKaC
EfjSFlOa+lNGXbY07pmRTk1cfdRslC3FfUCO86udQOBZ5HugfI1BEV/v84uYx0MS
QIZ9R/kV/H/W6XoQQmhhIwa3AmozLSsNGZAILhAEKUO1LecalI3jm+I2LhE08eh0
ZQ7bWUExv5ILSu8yCieXHJBOy30DyZUWd9CU1/2lTEUGNRjq0JdVZDsmBrTI7Xea
0ks1qyoDmsTmjfrRR9f6J18Lmk4rrMLb+PAd2c3uQDvpK+GFCj3Ls8SArjxEz74Q
4t/I/X3Z9vu9lAoR250aFErJUtOUsVHQA2HwWmyri9uu1SacCTmnIZG+qIunKZTh
nt2iPP6d20kjvNeAqWAx/wIZjQADeuRQzfwu2Bb8fvaJdvNfl/u/tcaS1IQgyGaV
8Q13r2+wOW07cgWCAFyjabEKspCT3pkKY2/qyFPafe2SOGkEoKF7oFUAIEHtdv8I
kSLCUCb10weV1RqdnS+2Rr3HSF+aR79KkSeVer0PVwnjfAMMJQfLm1wMrMgGtRea
qZ8dQfaIYqT/w/fI9kHm
=+z0s
-----END PGP SIGNATURE-----
--- End Message ---