Bug#734816: Bug#734671: enable pam_keyinit by default
Colin Watson <cjwatson@debian.org> writes:
> On Wed, Jan 08, 2014 at 07:00:54PM -0800, Russ Allbery wrote:
>> It would be better for any application that uses the kernel keyring if
>> pam_keyinit were run by default in the PAM session stack. Without this
>> module, users are placed in a default UID-based user session, which
>> doesn't isolate each session's keys.
> OK, I'll do this for 1:6.5p1-1. Following Fedora's configuration, I'll
> use "session optional pam_keyinit.so force revoke", which seems
> reasonable; let me know if there's some reason this won't work properly
> for Debian.
That looks correct to me. Thanks!
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: