--- Comment #37 from Franck Bui <fbui(a)suse.com> ---
(In reply to Andrei Borzenkov from comment #36)
> (In reply to Franck Bui from comment #35)
> > And in this case session keys are visible to all processes running with the
> > same UID, which is not too good.
>
> Still it is better than what we have now.

Nobody is saying the contrary and, as already said, it will be temporarily
reverted until we find a better solution.

But something better than something broken doesn't necessarily mean that it's
something good to keep...

> You miss the point. It makes pam_keyinit mandatory without as much as giving
> any heads up to users (just try to search for pam_keyinit in systemd NEWS).
> Before this change pam_keyinit was recommended, but the whole system still
> worked reasonably well without it.

It's not working reasonably well, see my previous comment.

pam_keyinit is not recommended but *strongly* recommended.

What do you think the emphasis implies?

> So the actual question is whether we want
> to mandate pam_keyinit and risk security implications if it is missing for

That's what this bug is all about now I guess: integrate pam_keyinit in the PAM
config so the kernel keyring stuff works as it should and the risk is kept as
low as possible.

This way we can improve the old setup and may reconsider restoring the keyring
feature in systemd.