http://bugzilla.suse.com/show_bug.cgi?id=1081947
http://bugzilla.suse.com/show_bug.cgi?id=1081947#c63
Josef Möllers
I am just preparing a big util-linux update for all released products.
I realized that session optional pam_keyinit.so force revoke is already present in SLE-15:Update and SLE-15-SP1:Update.
But it is in an inconsistent state.
This one is included:
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com - Integrate pam_keyinit pam module (boo#1081947, su-l.pamd, runuser-l.pamd, runuser.pamd).
This one is not included:
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com - Integrate pam_keyinit pam module to login (boo#1081947, login.pamd, remote.pamd).
I would like to see it in a consistent state. What do you recommend for SLE-15:Update and SLE-15-SP1:Update?
1) Remove pam_keyinit integration from all files?
I would vote against removing it completely as it doesn't do any damage if it is there (it just creates a small kernel-data structure) and this would undo the work already done. The files where it IS included are correct in their use, see below.
2) Add pam_keyinit consistently to all pam files?
You can't add "pam_keyinit" to all PAM config files as this might create a keyring when you don't want one and may even dispose of the old one, which is not what you want. Also, the options differ between types of invocation: some require "force" (e.g. "sudo -i" or "su -l"), some must not have this option (e.g. "sudo" without "-l", "su" without "-l"). I'm currently working on a list of 57 packages to find out which ones need pam_keyinit and which ones need "force". It's a tedious activity.
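An added example, not part of the original comment or of any SUSE package: a small audit that parses PAM service files, finds `session` lines that load `pam_keyinit.so`, and checks the "force" option against the rule stated above. The service names `su`, `sudo` and `sudo-i` and the sample file contents are assumptions made for illustration.

```python
import re

# Policy from the comment above: "su -l" / "sudo -i" need "force", plain "su" / "sudo" must
# not have it. The PAM service names used as keys are assumptions.
EXPECT_FORCE = {"su-l": True, "sudo-i": True, "su": False, "sudo": False}

def keyinit_options(pam_text):
    """Return the option set of every session pam_keyinit line in one PAM file."""
    found = []
    for line in pam_text.replace("\\\n", " ").splitlines():  # join continued lines
        line = line.split("#", 1)[0].strip()                 # drop comments
        # Fields: type, control (single word or [bracketed]), module, arguments.
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        kind, _control, module, args = m.groups()
        if kind == "session" and module.rsplit("/", 1)[-1] == "pam_keyinit.so":
            found.append(set(args.split()))
    return found

def audit(services):
    """Map service name -> finding, given {service name: file contents}."""
    report = {}
    for name, text in sorted(services.items()):
        opts = keyinit_options(text)
        forced = any("force" in o for o in opts)
        want = EXPECT_FORCE.get(name)
        if not opts:
            report[name] = "no pam_keyinit"
        elif want is None:
            report[name] = "review manually (force=%s)" % forced
        elif forced != want:
            report[name] = "MISMATCH: force=%s, expected %s" % (forced, want)
        else:
            report[name] = "ok"
    return report

# Constructed sample files, not copied from any real system or package.
SAMPLE = {
    "su-l": "session optional pam_keyinit.so force revoke\nsession include common-session\n",
    "su": "session optional pam_keyinit.so force revoke\n",
    "sudo": "# session optional pam_keyinit.so force\nsession optional pam_keyinit.so revoke\n",
    "login": "session  optional  /lib64/security/pam_keyinit.so force revoke\n",
    "cron": "session required pam_unix.so\n",
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print("%-6s %s" % (name, finding))
```

Services without an entry in `EXPECT_FORCE` are only flagged for manual review, since the comment gives no rule for them.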