Re comment #3: Why should it be in the stack? It needs to be added explicitly by calling pam-config with appropriate parameters (e.g. "pam-config --service vnc -a --keyinit"). The lengthy discussion in Bug #1045886 shows that it would not be advisable to just automatically add pam_keyinit to pam config files! The infrastructure is there, it just needs to be used.
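
A read-only check for the point made in the comment above, added here as an example and not part of the original comment or of pam-config: the function reports whether a service's session stack reaches pam_keyinit.so, directly or through include/substack lines. The function names, the sample files and the vnc-before/vnc-after/via-include service names are constructed for illustration; on a real system DIR would be the PAM configuration directory.

```shell
# pam_session_has_keyinit DIR SERVICE: succeed if SERVICE's session stack under DIR
# reaches pam_keyinit.so. Not handled: line continuations, absolute include paths.
pam_session_has_keyinit() {
    local dir="$1" svc="$2" depth="${3:-0}" type control module rest
    [ "$depth" -lt 8 ] || return 1          # stop on include loops
    [ -r "$dir/$svc" ] || return 1
    while read -r type control module rest; do
        type=${type#-}                      # "-session": same type, quiet if module is missing
        [ "$type" = session ] || continue   # skips comments, blanks, other types
        case $control in
            '['*']') ;;
            '['*)                           # "[a=b c=d]" was split on spaces: skip to its end
                while [ -n "$module" ]; do
                    case $module in *']') break ;; esac
                    read -r module rest <<EOF
$rest
EOF
                done
                read -r module rest <<EOF
$rest
EOF
                ;;
        esac
        case $control in
            include|substack)
                pam_session_has_keyinit "$dir" "$module" $((depth + 1)) && return 0 ;;
            *)  [ "${module##*/}" = pam_keyinit.so ] && return 0 ;;
        esac
    done < "$dir/$svc"
    return 1
}
# Constructed sample stacks, not copied from any real system.
make_samples() {
    local d; d=$(mktemp -d)
    printf '%s\n' 'session [success=1 default=ignore] pam_succeed_if.so service in crond quiet' \
        'session required pam_unix.so' > "$d/common-session"
    printf '%s\n' '#session optional pam_keyinit.so' \
        'session include common-session' > "$d/vnc-before"
    printf '%s\n' 'session optional pam_keyinit.so revoke force' \
        'session include common-session' > "$d/vnc-after"
    printf '%s\n' 'session substack vnc-after' > "$d/via-include"
    echo "$d"
}
d=$(make_samples)
for s in vnc-before vnc-after via-include; do
    if pam_session_has_keyinit "$d" "$s"; then echo "$s: pam_keyinit in session stack"
    else echo "$s: pam_keyinit not in session stack"; fi
done
rm -rf "$d"
```
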