What | Removed | Added |
---|---|---|
Flags | needinfo?(kstreitova@suse.com) |
(In reply to Josef M�llers from comment #20) > Hello Krystina, > > As you can see from the comments 11 and following, pam_keyinit.so must be > added to the sudo configuration: > * in the "sudo -l" case, "force must be specified > * in the "sudo" case, no "force" must be specified. You probably mean "sudo -i". > My understanding is that > 1) a "sudo-l" file should be created in "/etc/pam.d" with the same contents > as "/etc/pam.d/sudo" PLUS the line "session optional pam_keyinit.so force > revoke" Yes, and the line "session optional pam_keyinit.so revoke" should be added to the original "/etc/pam.d/sudo" file. > 2) plugins/sudoers/defaults.c must be changed as to use that file for > def_pam_login_service. It seems that this is not needed. Upstream added the support for a sudo-i pam.d file [1] while ago. So we just need to build it with "--with-pam-login" option. > Please make the changes ASAP (if possible for SLE-15), then clear NEEDINFO > and assign back to me. Please review my OBS request. If it's ok then I will send it also to SLE15. OBS request: https://build.opensuse.org/request/show/597150 The relevant change only: https://build.opensuse.org/package/rdiff/home:kstreitova:branches:Base:System/sudo?linkrev=base&rev=3 Thanks! [1] https://www.sudo.ws/repos/sudo/rev/06d34f16520b