X-Debbugs-Cc: util-li...@packages.debian.org

Dear Util-Linux Maintainers,

in sudo, we are currently facing the question of whether to add calls to
pam_keyinit in our pam configuration files. There are quite a number of
packages doing this, but the pam_keyinit documentation advises "programs
like su" against doing so. However, in Debian, /etc/pam.d/su-l
references pam_keyinit, while /etc/pam.d/su doesn't. On the other hand,
doas doesn't seem to reference pam_keyinit at all.

If sudo goes the way of mimicking what su does, we would reference
pam_keyinit in /etc/pam.d/sudo-i, which is our form of giving the caller
an interactive session, but not in /etc/pam.d/sudo.

May I ask for your rationale for doing things the way you did them for su and
pam_keyinit? Your insights might help us to make a wise decision for
sudo.

On Sat, Feb 27, 2021 at 06:38:00PM +0100, Hilko Bengen wrote:
> The pam_keyring(8) manpage advises against adding pam_keyinit 
> 
> ,----
> | This module should not, generally, be invoked by programs like su,
> | since it is usually desirable for the key set to percolate through to
> | the alternate context. The keys have their own permissions system to
> | manage this.
> `----
> 
> However, there's no mentioning of the issue described here.
> 
> For what it's worth, RHEL/CentOS 7 ships an /etc/pam.d/sudo which
> contains the line
> 
> ,----
> | session    optional     pam_keyinit.so revoke
> `----
> 
> and they also seem to have different intended behavior for interactive
> usage – there's a separate /etc/pam.d/sudo-i which contains
> 
> ,----
> | session    optional     pam_keyinit.so force revoke
> `----

Thanks for your help, which is greatly appreciated.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
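An added example, not part of the bug report and not code from the sudo or util-linux packages: a small POSIX shell audit that reports, per pam.d service file, whether pam_keyinit.so is stacked as a session module and whether it carries "revoke", "force" or both, so the current state of su, su-l, sudo and sudo-i on a given box can be compared before deciding. The function names and the sample directory are constructed here; its sample lines mirror the RHEL/CentOS 7 ones quoted above and a plain pam_keyinit line without options.

```shell
#!/bin/sh
# Added example (not from the bug report, sudo or util-linux):
# classify pam_keyinit usage in pam.d service files.

# pam_keyinit_mode FILE
# Prints one of: none | plain | revoke | force | force-revoke
# Only "session" lines whose module is pam_keyinit.so are considered;
# comments are stripped first, "@include" lines are deliberately ignored.
pam_keyinit_mode() {
    f=$1
    opts=$(sed 's/#.*//' "$f" | awk '
        $1 == "session" && $3 ~ /pam_keyinit\.so$/ {
            out = "LOADED"
            for (i = 4; i <= NF; i++) out = out " " $i   # module options
            print out
            exit
        }')
    case "$opts" in
        "")                              echo none ;;
        *force*revoke*|*revoke*force*)   echo force-revoke ;;
        *force*)                         echo force ;;
        *revoke*)                        echo revoke ;;
        *)                               echo plain ;;
    esac
}

# pam_keyinit_audit [DIR]
# Lists every service file in DIR (default /etc/pam.d) with its mode.
pam_keyinit_audit() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%-12s %s\n' "$(basename "$f")" "$(pam_keyinit_mode "$f")"
    done
}

# make_sample_pamd
# Constructed sample directory (hypothetical contents) so the audit can be
# run offline; prints the directory path. Caller removes it afterwards.
make_sample_pamd() {
    d=$(mktemp -d)
    printf 'session    optional     pam_keyinit.so revoke\n'        > "$d/sudo"
    printf 'session    optional     pam_keyinit.so force revoke\n'  > "$d/sudo-i"
    printf '# no keyinit here\nsession    required     pam_unix.so\n' > "$d/doas"
    printf 'session    optional     pam_keyinit.so\n'               > "$d/su-l"
    echo "$d"
}
```

Run `pam_keyinit_audit` with no argument to see the live /etc/pam.d, or `d=$(make_sample_pamd); pam_keyinit_audit "$d"` for the constructed set. The classification deliberately treats "force revoke" separately from "revoke", since that is exactly the distinction between the RHEL sudo and sudo-i files quoted above.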
