Comment # 23 on bug 1045886 from
Coming back to "pam_keyinit and su":

I happen to have a Fedora 24 system here, too. Fedora uses the "authconfig"
tool which is similar in purpose to "pam-config".
It creates common files such as "system-auth-ac", "password-auth-ac",
"fingerprint-auth-ac", and usually "system-auth" is a symlink to
"system-auth-ac", etc. Individual services include either "system-auth" or
"password-auth", which are identical on my system.

system-auth includes "pam_keyinit.so", and various service files include it as
well. Here's a list of the status on my system, where k,f,s,p stand for 
pam_keyinit, pam_keyinit force, system-auth, and password-auth, respectively,
and upper case means "included" and lower case means "not included":

s p k f config-util
s p k f cvs
s p k f liveinst
s p k f other
s p k f passwd
s p k f postlogin
s p k f postlogin-ac
s p k f screen
s p k f setup
s p k f sssd-shadowutils
s p k f vlock
s p k f vmtoolsd

k f s P atd
k f s P crond
k f s P ppp
k f S p chfn
k f S p chsh
k f S p kcheckpass
k f S p kscreensaver
k f S p polkit-1
k f S p su
k f S p systemd-user

K f s p cups
K f s p fingerprint-auth
K f s p fingerprint-auth-ac
K f s p password-auth
K f s p password-auth-ac
K f s p runuser
K f s p smartcard-auth
K f s p smartcard-auth-ac
K f s p system-auth
K f s p system-auth-ac
K f S p sudo

K F s p gdm-fingerprint
K F s p gdm-smartcard
K F s p runuser-l
K F s p sudo-i
K F s p su-l
K F s p xserver
K F s P gdm-password
K F s P gdm-pin
K F s P remote
K F s P sshd
K F S p gdm-autologin
K F S p gdm-launch-environment
K F S p login

All of the listed services except for the first block call "pam_keyinit.so
revoke", and those in the last block use "pam_keyinit.so force revoke".

Note: "su" and "sudo" include pam_keyinit.so as well. Just the "login" variants
"su -l" and "sudo -i" use the "force" parameter which means that the session
key is replaced even if it is not the default session key.
In practice, on my F24 system, I see my user keys under "su" and "sudo"; it works
just fine, except when I use the "login" variants.

Bottom line: 
 1. using pam_keyinit doesn't harm su / sudo, at least not on Fedora.
(F24 still has systemd-229, I should add).
 2. pam_keyinit is always used with "revoke" on Fedora.

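As an added example (not part of the comment above, and not Fedora's authconfig tooling), here is a POSIX shell scanner that regenerates a k/f/s/p-style table of the kind shown in the comment from any pam.d directory, with an extra r/R column for the "revoke" argument. Like the table above it only looks at each file's own lines (it does not follow "include"/"substack" recursively, so su-l still shows a lowercase s even though it reaches system-auth via su) and it ignores commented-out lines. The sample pam.d tree it builds is constructed for this example and is not a dump of a real Fedora system; the file names and their contents are assumptions.

```shell
#!/bin/sh
# Flags, in the order used in the comment above plus a revoke column:
#   s/S  includes or substacks system-auth     p/P  includes or substacks password-auth
#   k/K  calls pam_keyinit.so                  f/F  pam_keyinit.so ... force
#   r/R  pam_keyinit.so ... revoke
# Upper case means present in this file; lower case means absent.

# Match only active (non-comment) lines: first non-blank character is not '#'.
active_line='^[[:space:]]*[^#].*'

classify_pam_service() {
  f="$1"
  s=s; p=p; k=k; fo=f; r=r
  grep -Eq "${active_line}(include|substack)[[:space:]]+system-auth([[:space:]]|\$)" "$f" && s=S
  grep -Eq "${active_line}(include|substack)[[:space:]]+password-auth([[:space:]]|\$)" "$f" && p=P
  grep -Eq "${active_line}pam_keyinit\\.so" "$f" && k=K
  grep -Eq "${active_line}pam_keyinit\\.so.*[[:space:]]force([[:space:]]|\$)" "$f" && fo=F
  grep -Eq "${active_line}pam_keyinit\\.so.*[[:space:]]revoke([[:space:]]|\$)" "$f" && r=R
  printf '%s %s %s %s %s %s\n' "$k" "$fo" "$s" "$p" "$r" "${f##*/}"
}

# One line per regular file in the directory, sorted by flag pattern then name.
scan_pamd() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    classify_pam_service "$f"
  done | sort
}

# Constructed sample tree (hypothetical contents, modelled on the Fedora layout).
make_sample_pamd() {
  d="$1"
  mkdir -p "$d"
  cat > "$d/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
EOF
  cat > "$d/su" <<'EOF'
auth        sufficient    pam_rootok.so
auth        include       system-auth
account     include       system-auth
session     include       system-auth
EOF
  cat > "$d/su-l" <<'EOF'
auth        include       su
account     include       su
session     optional      pam_keyinit.so force revoke
session     include       su
EOF
  cat > "$d/sshd" <<'EOF'
auth        substack      password-auth
account     include       password-auth
session     optional      pam_keyinit.so force revoke
session     include       password-auth
EOF
  cat > "$d/config-util" <<'EOF'
auth        sufficient    pam_rootok.so
account     required      pam_permit.so
#session    optional      pam_keyinit.so force revoke
session     optional      pam_timestamp.so
EOF
}

# Usage: sh pam_keyinit_scan.sh [DIR]   (e.g. DIR=/etc/pam.d on a real host)
# Without DIR, scan the constructed sample tree.
if [ -n "${1:-}" ]; then
  scan_pamd "$1"
else
  sample=$(mktemp -d)
  make_sample_pamd "$sample"
  scan_pamd "$sample"
  rm -rf "$sample"
fi
```

To confirm the behaviour described in the comment on a live system, compare `keyctl show` in the parent shell with its output inside `su` and inside `su -l`: with "force revoke" the login variant installs a fresh session keyring, so the parent's user keys are no longer visible there.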