Josef Möllers changed bug 1081947
What    Removed    Added
Flags              needinfo?(fbui@suse.com)

Comment # 63 on bug 1081947 from
(In reply to Stanislav Brabec from comment #62)
> I am just preparing a big util-linux update for all released products.
> 
> I realized that
> session  optional       pam_keyinit.so force revoke
> is already present in SLE-15:Update and SLE-15-SP1:Update.
> 
> But it is in an inconsistent state.
> 
> This one is included:
> 
> Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
> - Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
>   runuser-l.pamd, runuser.pamd).
> 
> This one is not included:
> 
> Mon Mar  4 15:23:27 CET 2019 - sbrabec@suse.com
> - Integrate pam_keyinit pam module to login
>   (boo#1081947, login.pamd, remote.pamd).
> 
> 
> I would like to see it in a consistent state. What do you recommend for
> SLE-15:Update and SLE-15-SP1:Update?
> 1) Remove pam_keyinit integration from all files?

I would vote against removing it completely as it doesn't do any damage if it
is there (it just creates a small kernel data structure) and this would undo
the work already done. The files where it IS included are correct in their use,
see below.

> 2) Add pam_keyinit consistently to all pam files?

You can't add "pam_keyinit" to all PAM config files as this might create a
keyring when you don't want one and even may dispose of the old one, which is
not what you want.
Also the options differ between types of invocation: some require "force" (e.g.
"sudo -i" or "su -l"), some must not have this option (e.g. "sudo" without "-l",
"su" without "-l").

I'm currently working on a list of 57 packages to find out which ones need
pam_keyinit and which ones need "force". It's a tedious activity.

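The per-service audit described in the comment above (which pam.d files carry pam_keyinit.so, and with which options) is the kind of thing a small script can do before the 57 packages are gone through by hand. The following is an added example written for this page, not code from the bug report, from util-linux or from any SUSE package. It reads the effective "session" lines of a service file, following "include"/"substack" into files next to it, drops comments, copes with bracketed control fields, and reports the pam_keyinit.so options in effect. The sample service files are constructed here (not copies of a distribution's pam.d), and the expected-options policy in the demo loop is an assumption made for the example, following the comment: login-type services ("login", "su -l", "remote") get "force revoke", plain "su"/"sudo" get no pam_keyinit at all.

```shell
#!/bin/sh
# Added audit helper, not code from the bug report or from util-linux:
# report which PAM service files configure pam_keyinit.so and with which
# options, following "include"/"substack" lines, ignoring comments and
# coping with bracketed control fields such as [success=ok default=ignore].

# pam_session_lines FILE: print the effective "session" lines of FILE,
# recursing into "session include X" / "session substack X" (X is looked
# up next to FILE). Include loops are not guarded; real pam.d files have none.
pam_session_lines() {
    sed -e 's/#.*//' "$1" | awk -v dir="$(dirname "$1")" '
        $1 != "session" { next }
        $2 == "include" || $2 == "substack" { print "@" dir "/" $3; next }
        { print }' | while read -r line; do
        case "$line" in
            @*) pam_session_lines "${line#@}" ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}

# keyinit_opts FILE: print the option string of the first pam_keyinit.so
# session line in effect for FILE ("force revoke", "revoke", ...), "none" if
# the module is listed without options, or "absent" if it is not listed.
keyinit_opts() {
    pam_session_lines "$1" | awk '
        {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(.*\/)?pam_keyinit\.so$/) {
                    found = 1; opts = ""
                    for (j = i + 1; j <= NF; j++)
                        opts = opts (j > i + 1 ? " " : "") $j
                    print (opts == "" ? "none" : opts)
                    exit
                }
        }
        END { if (!found) print "absent" }'
}

# keyinit_check FILE EXPECTED: compare the result of keyinit_opts with the
# expected option string ("absent" meaning "must not be there"); returns 1
# on a mismatch so the result can drive a policy loop.
keyinit_check() {
    actual=$(keyinit_opts "$1")
    if [ "$actual" = "$2" ]; then
        printf 'ok       %s: pam_keyinit %s\n' "$(basename "$1")" "$actual"
        return 0
    fi
    printf 'MISMATCH %s: pam_keyinit %s, expected %s\n' \
        "$(basename "$1")" "$actual" "$2"
    return 1
}

# setup_sample_pamd DIR: write constructed sample service files (not copies
# of any distribution's pam.d) into DIR so the checks above run offline.
setup_sample_pamd() {
    mkdir -p "$1"
    # shared stack pulled in by include; deliberately without pam_keyinit
    printf 'session optional pam_systemd.so\nsession required pam_limits.so\n' \
        > "$1/common-session"
    # login-type services: fresh session keyring, revoked when the session ends
    printf 'auth     include common-auth\nsession  optional pam_keyinit.so force revoke # new keyring\nsession  include common-session\n' \
        > "$1/login"
    printf 'session  optional pam_keyinit.so force revoke\nsession  include common-session\n' \
        > "$1/su-l"
    # remote reuses the login stack, so pam_keyinit is only found via include
    printf 'session include login\n' > "$1/remote"
    # plain su: no pam_keyinit, the caller keeps its own session keyring
    printf 'session  include common-session\n' > "$1/su"
    # deliberately wrong: "force" on a non-login service, with bracketed control
    printf 'session  [success=ok default=ignore] pam_keyinit.so force revoke\n' \
        > "$1/sudo"
}

# Demo over the constructed files. The policy below is an assumption made
# for this example, following the comment above: login-type services get
# "force revoke", plain su/sudo get no pam_keyinit at all.
demo_dir=$(mktemp -d)
setup_sample_pamd "$demo_dir"
for entry in "login=force revoke" "su-l=force revoke" "remote=force revoke" \
             "su=absent" "sudo=absent"; do
    keyinit_check "$demo_dir/${entry%%=*}" "${entry#*=}" || :
done
rm -rf "$demo_dir"
```

Run against a real tree by calling `keyinit_check /etc/pam.d/<service> <expected>` for each service in a policy list; only the first pam_keyinit.so line reached is reported, so a service that lists the module both directly and through an included stack still needs a look by hand.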
