On Wed, Feb 02, 2022 at 12:44:44PM +0100, Marc Haber wrote:
> X-Debbugs-CC: vor...@debian.org
> thanks
>
> On Sat, Feb 27, 2021 at 06:38:00PM +0100, Hilko Bengen wrote:
> > The pam_keyring(8) manpage advises against adding pam_keyinit

I guess this is supposed to be pam_keyinit(8) since I do find the text there.

> > ,----
> > | This module should not, generally, be invoked by programs like su,
> > | since it is usually desirable for the key set to percolate through to
> > | the alternate context. The keys have their own permissions system to
> > | manage this.
> > `----
> > However, there's no mention of the issue described here.
> > For what it's worth, RHEL/CentOS 7 ships an /etc/pam.d/sudo which
> > contains a line.
> > ,----
> > | session optional pam_keyinit.so revoke
> > `----
> > and they also seem to have different intended behavior for interactive
> > usage – there's a separate /etc/pam.d/sudo-i which contains
> > ,----
> > | session optional pam_keyinit.so force revoke
> > `----
> So we need to make up our minds whether to follow up the pam_keyinit
> maintainers or Red Hat. Maybe the PAM maintainer can comment here?

I would suggest consulting the maintainers of other packages that currently ship references to pam_keyinit and try to get a consensus with them. For example, /etc/pam.d/su-l does reference pam_keyinit in Debian, which seems like it directly contradicts the above manpage but addresses this exact issue.

I believe debian-devel is the appropriate venue for such a discussion.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
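A small audit script, added here as an example and not part of the bug thread or of any Debian package, that lists every pam.d file loading pam_keyinit.so together with its control flag and options (revoke, force revoke, ...), so the su, sudo and sudo -i behaviour can be compared in one place before settling on a consensus. It assumes POSIX sh plus awk; the sample pam.d tree it builds is constructed for the example and does not claim to reproduce any distribution's real files.

```shell
#!/bin/sh
# Added example (not from the bug thread). Reports pam_keyinit.so entries
# found in a pam.d-style directory as: "<file> <control> <options>".

# pam_keyinit_refs DIR: scan each file in DIR, skip comments, handle a
# bracketed control field such as "[success=1 default=ignore]" that spans
# several whitespace-separated fields, and print matching pam_keyinit lines.
pam_keyinit_refs() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v name="${f##*/}" '
            /^[[:space:]]*#/ || NF < 3 { next }
            {
                n = 2; ctrl = $2
                # A control field starting with "[" runs until the field ending in "]".
                if (ctrl ~ /^\[/) { while (n < NF && ctrl !~ /\]$/) { n++; ctrl = ctrl " " $n } }
                mod = $(n + 1)
                if (mod !~ /(^|\/)pam_keyinit\.so$/) next
                opts = ""
                for (i = n + 2; i <= NF; i++) opts = opts (opts == "" ? "" : " ") $i
                printf "%s %s %s\n", name, ctrl, (opts == "" ? "-" : opts)
            }' "$f"
    done
}

# make_sample: build a constructed pam.d tree in a temp directory mirroring the
# kinds of entries discussed in the thread; prints the directory path.
make_sample() {
    d=$(mktemp -d)
    printf 'session optional pam_keyinit.so revoke\n' > "$d/sudo"
    printf 'session optional pam_keyinit.so force revoke\n' > "$d/sudo-i"
    printf '# constructed sample\nsession optional pam_keyinit.so force revoke\n' > "$d/su-l"
    printf 'session [default=ignore] pam_keyinit.so force\n' > "$d/bracket-ctl"
    printf 'auth required pam_unix.so\nsession optional pam_keyinit.so\n' > "$d/login"
    echo "$d"
}

# Usage: pam_keyinit_refs /etc/pam.d   (or the constructed sample below)
sample=$(make_sample)
pam_keyinit_refs "$sample"
rm -rf "$sample"
```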