http://bugzilla.opensuse.org/show_bug.cgi?id=1081947
http://bugzilla.opensuse.org/show_bug.cgi?id=1081947#c22

Kristyna Streitova <kstreitova@suse.com> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
              Flags|needinfo?(kstreitova@suse.com)   |

--- Comment #22 from Kristyna Streitova <kstreitova@suse.com> ---
(In reply to Josef Möllers from comment #20)
> Hello Kristyna,
> As you can see from the comments 11 and following, pam_keyinit.so must be added to the sudo configuration:
> * in the "sudo -l" case, "force" must be specified
> * in the "sudo" case, no "force" must be specified.
You probably mean "sudo -i".
> My understanding is that
> 1) a "sudo-l" file should be created in "/etc/pam.d" with the same contents as "/etc/pam.d/sudo" PLUS the line "session optional pam_keyinit.so force revoke"
Yes, and the line "session optional pam_keyinit.so revoke" should be added to the original "/etc/pam.d/sudo" file.
> 2) plugins/sudoers/defaults.c must be changed so as to use that file for def_pam_login_service.
It seems that this is not needed. Upstream added the support for a sudo-i pam.d file [1] a while ago. So we just need to build it with the "--with-pam-login" option.
> Please make the changes ASAP (if possible for SLE-15), then clear NEEDINFO and assign back to me.
Please review my OBS request. If it's ok then I will send it also to SLE15.

OBS request:
https://build.opensuse.org/request/show/597150

The relevant change only:
https://build.opensuse.org/package/rdiff/home:kstreitova:branches:Base:System/sudo?linkrev=base&rev=3

Thanks!

[1] https://www.sudo.ws/repos/sudo/rev/06d34f16520b
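
The PAM layout agreed on in the comment above ("revoke" without "force" in /etc/pam.d/sudo, "force revoke" in the sudo-i file) can be audited with a short script. This is an added example, not part of the bug report or of the sudo package; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit the pam_keyinit.so session line in sudo's PAM files.
# Layout taken from the thread: "sudo" has revoke without force,
# "sudo-i" has force revoke. Function names are hypothetical.
# Limitation: "include"/"substack" lines are not followed.

# keyinit_opts FILE: print the options of the first active session line that
# loads pam_keyinit.so, padded with spaces; print nothing if there is none.
keyinit_opts() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == "session" || $1 == "-session" {
            for (i = 3; i <= NF; i++)             # module may follow a [..] control
                if ($i == "pam_keyinit.so" || $i ~ /\/pam_keyinit\.so$/) {
                    out = ""
                    for (j = i + 1; j <= NF; j++) out = out " " $j
                    print out " "
                    exit
                }
        }' "$1"
}

# check_keyinit FILE WANT_FORCE(yes|no): return 0 if FILE matches the layout.
check_keyinit() {
    opts=$(keyinit_opts "$1")
    [ -n "$opts" ] || { echo "$1: no active pam_keyinit.so session line"; return 1; }
    case "$opts" in
        *" revoke "*) ;;
        *) echo "$1: revoke missing"; return 1 ;;
    esac
    case "$opts" in
        *" force "*) has_force=yes ;;
        *) has_force=no ;;
    esac
    [ "$has_force" = "$2" ] || { echo "$1: force=$has_force, expected $2"; return 1; }
}

# Constructed sample files (not copied from a real system).
demo=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth include common-auth' \
    'session optional pam_keyinit.so revoke' > "$demo/sudo"
printf '%s\n' '#%PAM-1.0' 'auth include common-auth' \
    'session optional pam_keyinit.so force revoke' > "$demo/sudo-i"
check_keyinit "$demo/sudo" no && check_keyinit "$demo/sudo-i" yes && echo "layout OK"
rm -rf "$demo"
```

On an installed system the same functions can be pointed at the real files, for example `check_keyinit /etc/pam.d/sudo no` and `check_keyinit /etc/pam.d/sudo-i yes`.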