What | Removed | Added |
---|---|---|
Flags | needinfo?(fbui@suse.com) |
(In reply to Stanislav Brabec from comment #62)
> I am just preparing a big util-linux update for all released products.
>
> I realized that
> session optional pam_keyinit.so force revoke
> is already present in SLE-15:Update and SLE-15-SP1:Update.
>
> But it is in an inconsistent state.
>
> This one is included:
>
> Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
> - Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
>   runuser-l.pamd, runuser.pamd).
>
> This one is not included:
>
> Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com
> - Integrate pam_keyinit pam module to login
>   (boo#1081947, login.pamd, remote.pamd).
>
> I would like to see it in a consistent state. What do you recommend for
> SLE-15:Update and SLE-15-SP1:Update?
>
> 1) Remove pam_keyinit integration from all files?

I would vote against removing it completely as it doesn't do any damage if it is there (it just creates a small kernel data structure) and this would undo the work already done. The files where it IS included are correct in their use, see below.

> 2) Add pam_keyinit consistently to all pam files?

You can't add "pam_keyinit" to all PAM config files as this might create a keyring when you don't want one and even may dispose of the old one, which is not what you want. Also the options differ between types of invocation: some require "force" (e.g. "sudo -i" or "su -l"), some must not have this option (e.g. "sudo" without "-l", "su" without "-l"). I'm currently working on a list of 57 packages to find out which ones need pam_keyinit and which ones need "force". It's a tedious activity.
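The comment above distinguishes three situations: login-type invocations (su -l, sudo -i, login) that want `pam_keyinit.so force revoke`, non-login invocations (plain su, sudo) that may carry pam_keyinit but must not carry `force`, and services where pam_keyinit should not be added blindly. The script below is an added example, not code from the bug report or from the util-linux package; it audits a pam.d-style directory against that split. The service-name lists, the verdict policy and the sample files it creates are assumptions constructed for the example (the `sudo-i` name and the `sshd` fragment are illustrative), and the sample directory deliberately mirrors the inconsistency described in comment #62 (su-l and runuser-l integrated, login and remote not).

```shell
#!/bin/sh
# Added example (not from the bug report): audit a pam.d-style directory for
# pam_keyinit placement. Policy below is an assumption drawn from the comment:
#   login-type services  -> must have pam_keyinit with "force"
#   non-login services   -> may have pam_keyinit, must NOT have "force"
#   anything else        -> pam_keyinit presence needs review

# Classify a service name. The membership lists are assumptions for the
# example, not a SUSE policy (sudo-i is an assumed service file name).
service_class() {
    case "$1" in
        su-l|runuser-l|login|remote|sudo-i) echo login ;;
        su|runuser|sudo)                    echo nonlogin ;;
        *)                                  echo other ;;
    esac
}

# Report how pam_keyinit appears in one file: missing, force or noforce.
# Only non-comment "session" lines count; "-session" (optional module) too.
keyinit_state() {
    line=$(grep -E '^[[:space:]]*-?session[[:space:]].*pam_keyinit\.so' "$1" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -qE '(^|[[:space:]])force([[:space:]]|$)'; then
        echo force
    else
        echo noforce
    fi
}

# audit_pam_dir DIR: prints one line per file, "<service> <state> <verdict>".
audit_pam_dir() {
    for f in "$1"/*; do
        name=${f##*/}
        state=$(keyinit_state "$f")
        case "$(service_class "$name")/$state" in
            login/force|nonlogin/noforce|other/missing) verdict=ok ;;
            login/missing|nonlogin/missing)             verdict=MISSING ;;
            other/*)                                    verdict=REVIEW ;;
            *)                                          verdict=WRONG ;;
        esac
        printf '%s %s %s\n' "$name" "$state" "$verdict"
    done
}

# make_sample_dir: constructed pam.d fragments (not real SUSE files) that
# mirror the inconsistency in the comment, plus two deliberately odd cases.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'session  optional  pam_keyinit.so force revoke\n' > "$d/su-l"
    printf 'session  optional  pam_keyinit.so force revoke\n' > "$d/runuser-l"
    printf 'session  optional  pam_keyinit.so revoke\n'       > "$d/su"
    printf '# pam_keyinit not integrated here yet\nsession  required  pam_limits.so\n' > "$d/login"
    printf 'session  required  pam_limits.so\n'              > "$d/remote"
    printf 'session  optional  pam_keyinit.so force revoke\n' > "$d/sudo"   # force on non-login: wrong
    printf 'session  optional  pam_keyinit.so force revoke\n' > "$d/sshd"   # unclassified: review
    echo "$d"
}

sample=$(make_sample_dir)
audit_pam_dir "$sample"
rm -rf "$sample"
```

Run it against a real system with `audit_pam_dir /etc/pam.d` after adjusting the two name lists to the distribution's service files; anything reported as WRONG or MISSING is exactly the kind of inconsistency the comment is about, and REVIEW lines are the services that still have to be decided case by case.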