Kristyna Streitova changed bug 1081947
What  | Removed                        | Added
Flags | needinfo?(kstreitova@suse.com) |

Comment # 22 on bug 1081947 from
(In reply to Josef Möllers from comment #20)
> Hello Kristyna,
> 
> As you can see from the comments 11 and following, pam_keyinit.so must be
> added to the sudo configuration:
> * in the "sudo -l" case, "force" must be specified
> * in the "sudo" case, no "force" must be specified.

You probably mean "sudo -i".

> My understanding is that
> 1) a "sudo-l" file should be created in "/etc/pam.d" with the same contents
> as "/etc/pam.d/sudo" PLUS the line "session optional pam_keyinit.so force
> revoke"

Yes, and the line "session optional pam_keyinit.so revoke" should be added to
the original "/etc/pam.d/sudo" file.

> 2) plugins/sudoers/defaults.c must be changed as to use that file for
> def_pam_login_service.

It seems that this is not needed. Upstream added the support for a sudo-i pam.d
file [1] a while ago. So we just need to build it with the "--with-pam-login" option.

> Please make the changes ASAP (if possible for SLE-15), then clear NEEDINFO
> and assign back to me.

Please review my OBS request. If it's ok then I will send it also to SLE15.

OBS request:
https://build.opensuse.org/request/show/597150

The relevant change only: 
https://build.opensuse.org/package/rdiff/home:kstreitova:branches:Base:System/sudo?linkrev=base&rev=3

Thanks!


[1] https://www.sudo.ws/repos/sudo/rev/06d34f16520b
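Added example (not part of the original comment or the SUSE package): a shell check that a PAM service file carries the pam_keyinit.so session line in the form discussed above, "revoke" without "force" for sudo and "force revoke" for sudo-i. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# keyinit_opts FILE: print the options of the first session line that loads
# pam_keyinit.so, padded with spaces; exit status 1 if there is no such line.
keyinit_opts() {
    awk '
        /^[[:space:]]*#/ { next }        # skip comment lines
        { sub(/^-/, "", $1) }            # "-session": same type, quiet if module is missing
        $1 == "session" {
            # the control field may be bracketed and contain spaces, so scan for the module
            for (i = 3; i <= NF; i++)
                if ($i ~ /(^|\/)pam_keyinit\.so$/) {
                    opts = " "
                    for (j = i + 1; j <= NF; j++) opts = opts $j " "
                    print opts; found = 1; exit
                }
        }
        END { exit !found }
    ' "$1"
}

# check_keyinit FILE WANT_FORCE(yes|no): status 0 only if the line exists,
# has "revoke", and has "force" exactly when WANT_FORCE is yes.
check_keyinit() {
    opts=$(keyinit_opts "$1") || { echo "$1: no pam_keyinit.so session line"; return 1; }
    case "$opts" in *" revoke "*) ;; *) echo "$1: revoke missing"; return 1 ;; esac
    case "$opts" in *" force "*) has_force=yes ;; *) has_force=no ;; esac
    [ "$has_force" = "$2" ] || { echo "$1: force=$has_force, expected $2"; return 1; }
    echo "$1: ok"
}

# Constructed sample files, written to a temp dir so the demo runs anywhere.
demo=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'session include common-session' \
    'session optional pam_keyinit.so revoke' > "$demo/sudo"
printf '%s\n' '#%PAM-1.0' 'session include common-session' \
    'session optional pam_keyinit.so force revoke' > "$demo/sudo-i"
check_keyinit "$demo/sudo" no
check_keyinit "$demo/sudo-i" yes
```

On an installed system the same checks would be `check_keyinit /etc/pam.d/sudo no` and `check_keyinit /etc/pam.d/sudo-i yes`.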

