What | Removed | Added |
---|---|---|
CC | mkoutny@suse.com, systemd-maintainers@suse.de | |
Flags | needinfo?(systemd-maintainers@suse.de) | |
The issue is that the session keyring created by pam_keyinit is only inherited through fork/execve/..., but all the session does is "systemctl start plasma-workspace-(wayland/x11).target". The session itself (plasmashell, krunner, all processes started by those) are actually children of the systemd user instance, which is in turn a system service.

How is this meant to work in combination with session keyrings? Can pam_systemd somehow forward the session keyring to the systemd user instance it starts?

If not, the only option I see is to have separate session keyrings for systemd user services and other parts of the session. That could be implemented simply by adding

    session optional pam_keyinit.so force revoke

to /usr/lib/pam.d/systemd-user. That works in my testing; after logout and login there is a session keyring visible in konsole instances and cifscreds works as expected.
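An added example, not part of the original comment and not code from systemd or PAM: a small Python audit that parses a pam.d file and reports whether its session stack calls pam_keyinit.so with both force and revoke, as proposed above. The sample file contents and all function names are constructed for illustration, and included files are not followed.

```python
import re

# Constructed sample contents standing in for /usr/lib/pam.d/systemd-user
# (an assumption for illustration, not the real distribution file).
BEFORE = """\
# constructed sample
account  include   common-account
session  required  pam_loginuid.so
session  include   common-session-nonlogin
"""
# The same file with the line proposed in the comment appended.
AFTER = BEFORE + "session  optional  pam_keyinit.so force revoke\n"

# type (optionally prefixed with "-"), control (word or [bracketed list]),
# module path, then optional module arguments.
_ENTRY = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a pam.d file."""
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = _ENTRY.match(line)
        if m:
            _, typ, control, module, args = m.groups()
            # Compare on the module file name so absolute paths also match.
            yield typ.lower(), control, module.rsplit("/", 1)[-1], args.split()


def keyinit_rules(text):
    """Return (control, args) for every session rule that runs pam_keyinit.so."""
    return [(control, args) for typ, control, module, args in parse_pam(text)
            if typ == "session" and module == "pam_keyinit.so"]


def creates_own_session_keyring(text):
    """True if a session rule runs pam_keyinit.so with both force and revoke."""
    return any({"force", "revoke"} <= set(args) for _, args in keyinit_rules(text))


if __name__ == "__main__":
    for name, content in (("before", BEFORE), ("after", AFTER)):
        print(name, keyinit_rules(content), creates_own_session_keyring(content))
```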