Bug#734816: Bug#734671: enable pam_keyinit by default

To: Colin Watson <cjwatson@debian.org>
Cc: 734816@bugs.debian.org, Steve Langasek <vorlon@debian.org>
Subject: Bug#734816: Bug#734671: enable pam_keyinit by default
From: Russ Allbery <rra@debian.org>
Date: Sun, 09 Feb 2014 17:48:23 -0800
Message-id: <[🔎] 87wqh3g2l4.fsf@windlord.stanford.edu>
Reply-to: Russ Allbery <rra@debian.org>, 734816@bugs.debian.org
In-reply-to: <[🔎] 20140210013303.GA21551@riva.ucam.org> (Colin Watson's message of "Mon, 10 Feb 2014 01:33:03 +0000")
References: <20140109030054.2275.28445.reportbug@wanderer.eyrie.org> <[🔎] 20140210013303.GA21551@riva.ucam.org>

Colin Watson <cjwatson@debian.org> writes:
> On Wed, Jan 08, 2014 at 07:00:54PM -0800, Russ Allbery wrote:

>> It would be better for any application that uses the kernel keyring if
>> pam_keyinit were run by default in the PAM session stack.  Without this
>> module, users are placed in a default UID-based user session, which
>> doesn't isolate each session's keys.

> OK, I'll do this for 1:6.5p1-1.  Following Fedora's configuration, I'll
> use "session optional pam_keyinit.so force revoke", which seems
> reasonable; let me know if there's some reason this won't work properly
> for Debian.

That looks correct to me.  Thanks!

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Bug#734816: Bug#734671: enable pam_keyinit by default
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Bug#734816: Bug#734671: enable pam_keyinit by default
Next by Date: Re: Debian openssh repository migrated to git
Previous by thread: Bug#734816: Bug#734671: enable pam_keyinit by default
Next by thread: Bug#482023: marked as done (new generated keys are vulnerable)
Index(es):
- Date
- Thread