Hi Marc,

* Marc Haber <mh+debian-packa...@zugschlus.de> [220705 15:53]:
> I'm coming back to this after being busy with other things.
>
> On Sun, Feb 06, 2022 at 05:09:10PM +0100, Chris Hofstaedtler wrote:
> > * Marc Haber <mh+debian-packa...@zugschlus.de> [220206 12:36]:
> > > in sudo, we have currently the situation whether to add calls to
> > > pam_keyinit in our pam configuration files. There is quite a number of
> > > packages doing this, but the pam_keyinit documentation advises "programs
> > > like su" against doing so. However, in Debian, /etc/pam.d/su-l
> > > references pam_keyinit, while /etc/pam.d/su doesn't. On the other hand,
> > > doas doesn't seem to reference pam_keyinit at all.
> > >
> > > If sudo goes the way to mimic what su does, we would reference
> > > pam_keyinit in /etc/pam.d/sudo-i which is our form of giving the caller
> > > an interactive session, but not in /etc/pam.d/sudo.
> > >
> > > May I ask for your rationale to do things the way you did them for su and
> > > pam_keyinit? Your insights might help us to take a wise decision for
> > > sudo.
> >
> > I do not know why this was done for su-l and not su. My speculation
> > would be that we have inherited the su-l PAM config from Fedora, and
> > the su PAM config from src:shadow before 2018. Maybe the distinction
> > is an accident.

[..]

> > It would appear to me that keyutils and pam_keyinit, and most of the
> > util-linux PAM config originate in Fedora(/RH). The Fedora folks
> > are probably the ones to ask how all of this is supposed to work.
>
> Chris,
> Can you give me a pointer to whom in Fedora I'm supposed to reach out?

Well, the pam_keyinit man page says it was written by David Howells
<dhowe...@redhat.com>, but I don't know if he is still working on it.

This openSUSE bug seems to touch on related questions:
https://bugzilla.suse.com/show_bug.cgi?id=1081947

Unfortunately the only real doc appears to be the man page :-|

Chris
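The su / su-l split discussed in the thread only becomes visible once PAM's include directives are followed, so here is an added example (not from the thread or from any Debian package) that resolves the effective `session` stack of a service under a Debian-style /etc/pam.d and reports whether pam_keyinit ends up in it. The sample tree it builds is constructed for illustration and is an assumption about file contents, not Debian's actual files.

```python
"""Resolve the effective PAM 'session' stack for a service, following
Debian '@include', and Linux-PAM 'include' / 'substack' controls."""
import os
import tempfile

# Constructed sample /etc/pam.d tree (assumption, not Debian's real files):
# su-l and sudo-i carry pam_keyinit themselves; su and sudo do not.
SAMPLE_PAMD = {
    "common-session": "session required pam_unix.so\n",
    "su": "auth sufficient pam_rootok.so\n@include common-session\n",
    "su-l": ("auth include su\n"
             "session optional pam_keyinit.so force revoke\n"
             "session include su\n"),
    "sudo": "@include common-session\n",
    "sudo-i": ("session optional pam_keyinit.so force revoke\n"
               "@include common-session\n"),
}

def write_sample_tree():
    """Write SAMPLE_PAMD into a temporary directory and return its path."""
    pamdir = tempfile.mkdtemp(prefix="pamd-")
    for name, body in SAMPLE_PAMD.items():
        with open(os.path.join(pamdir, name), "w") as fh:
            fh.write(body)
    return pamdir

def session_stack(pamdir, service, _chain=()):
    """Return [(control, module, args)] for type 'session' of `service`,
    expanding includes depth-first; `_chain` breaks include loops."""
    if service in _chain:
        return []
    path = os.path.join(pamdir, service)
    if not os.path.exists(path):
        return []
    stack = []
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()   # drop comments / blanks
            if not fields:
                continue
            if fields[0] == "@include" and len(fields) == 2:
                stack += session_stack(pamdir, fields[1], _chain + (service,))
            elif fields[0] == "session" and len(fields) >= 3:
                control, module, args = fields[1], fields[2], fields[3:]
                if control in ("include", "substack"):
                    stack += session_stack(pamdir, module, _chain + (service,))
                else:
                    stack.append((control, module, args))
    return stack

def references_keyinit(pamdir, service):
    """True if pam_keyinit.so is in the resolved session stack of `service`."""
    return any(mod == "pam_keyinit.so" for _, mod, _ in session_stack(pamdir, service))
```

Run against a real /etc/pam.d (pass that path instead of the sample tree) to see which services actually get a pam_keyinit session entry, and with which options, after includes are resolved.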