Coming back to "pam_keyinit and su": I happen to have a Fedora 24 system here, too. Fedora uses the "authconfig" tool, which is similar in purpose to "pam-config". It creates common files such as "system-auth-ac", "password-auth-ac", "fingerprint-auth-ac", and usually "system-auth" is a symlink to "system-auth-ac", etc. Individual services include either "system-auth" or "password-auth", which are identical on my system. system-auth includes "pam_keyinit.so", and various service files include it as well.

Here's a list of the status on my system, where k,f,s,p stand for pam_keyinit, pam_keyinit force, system-auth, and password-auth, respectively, and upper case means "included" and lower case means "not included":

    s p k f  config-util
    s p k f  cvs
    s p k f  liveinst
    s p k f  other
    s p k f  passwd
    s p k f  postlogin
    s p k f  postlogin-ac
    s p k f  screen
    s p k f  setup
    s p k f  sssd-shadowutils
    s p k f  vlock
    s p k f  vmtoolsd

    k f s P  atd
    k f s P  crond
    k f s P  ppp
    k f S p  chfn
    k f S p  chsh
    k f S p  kcheckpass
    k f S p  kscreensaver
    k f S p  polkit-1
    k f S p  su
    k f S p  systemd-user

    K f s p  cups
    K f s p  fingerprint-auth
    K f s p  fingerprint-auth-ac
    K f s p  password-auth
    K f s p  password-auth-ac
    K f s p  runuser
    K f s p  smartcard-auth
    K f s p  smartcard-auth-ac
    K f s p  system-auth
    K f s p  system-auth-ac
    K f S p  sudo

    K F s p  gdm-fingerprint
    K F s p  gdm-smartcard
    K F s p  runuser-l
    K F s p  sudo-i
    K F s p  su-l
    K F s p  xserver
    K F s P  gdm-password
    K F s P  gdm-pin
    K F s P  remote
    K F s P  sshd
    K F S p  gdm-autologin
    K F S p  gdm-launch-environment
    K F S p  login

All of the listed services except for the first block call "pam_keyinit.so revoke", and those in the last block use "pam_keyinit.so force revoke".

Note: "su" and "sudo" include pam_keyinit.so as well. Just the "login" variants "su -l" and "sudo -i" use the "force" parameter which means that the session key is replaced even if it is not the default session key.
In practice, on my F24 system, I see my user keys under "su" and "sudo" works just fine, except when I use the "login" variants.

Bottom line:

1. using pam_keyinit doesn't harm su / sudo, at least not on Fedora. (F24 still has systemd-229, I should add).
2. pam_keyinit is always used with "revoke" on Fedora.
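
Added example, not part of the original post: a small Python audit that builds the same k/f/s/p status string per service file, so the comparison can be repeated on another system. It assumes only `session` lines matter and that both `include` and `substack` count as inclusion. The sample file contents are constructed for the demo, not copied from Fedora, and nested includes are not followed.

```python
import os
import tempfile

def classify(text):
    """Return the k/f/s/p status string for one PAM service file's text."""
    k = f = s = p = False
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # Assumption: only session lines count, since pam_keyinit is a session module.
        if len(fields) < 3 or fields[0].lstrip("-") != "session":
            continue
        # The module path may be bare or absolute, and a bracketed control
        # such as [success=1 default=ignore] spans several fields.
        for i, tok in enumerate(fields[2:], start=2):
            if os.path.basename(tok) == "pam_keyinit.so":
                k = True
                f = f or "force" in fields[i + 1:]
        if fields[1] in ("include", "substack"):
            s = s or fields[2] == "system-auth"
            p = p or fields[2] == "password-auth"
    return " ".join(c.upper() if on else c for c, on in zip("kfsp", (k, f, s, p)))

def scan(pam_dir="/etc/pam.d"):
    """Classify every regular file (symlinks are followed) in pam_dir."""
    result = {}
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                result[name] = classify(fh.read())
    return result

# Constructed sample service files (hypothetical contents).
SAMPLE = {
    "su": "auth sufficient pam_rootok.so\nsession include system-auth\n",
    "su-l": "-session optional pam_keyinit.so force revoke\nsession include su\n",
    "crond": "# session include system-auth\nsession include password-auth\n",
    "passwd": "auth include system-auth\npassword substack system-auth\n",
}

def demo():
    """Write SAMPLE into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return scan(d)

if __name__ == "__main__":
    for name, flags in demo().items():
        print(flags, name)
```

Calling `scan()` with no argument classifies the files in `/etc/pam.d` on the machine it runs on.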