Bug#734816: Bug#734671: enable pam_keyinit by default

To: Russ Allbery <rra@debian.org>, 734816@bugs.debian.org
Cc: Steve Langasek <vorlon@debian.org>
Subject: Bug#734816: Bug#734671: enable pam_keyinit by default
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 10 Feb 2014 01:33:03 +0000
Message-id: <[🔎] 20140210013303.GA21551@riva.ucam.org>
Reply-to: Colin Watson <cjwatson@debian.org>, 734816@bugs.debian.org
In-reply-to: <20140109030054.2275.28445.reportbug@wanderer.eyrie.org>
References: <20140109030054.2275.28445.reportbug@wanderer.eyrie.org>

On Wed, Jan 08, 2014 at 07:00:54PM -0800, Russ Allbery wrote:
> It would be better for any application that uses the kernel keyring
> if pam_keyinit were run by default in the PAM session stack.  Without
> this module, users are placed in a default UID-based user session,
> which doesn't isolate each session's keys.

OK, I'll do this for 1:6.5p1-1.  Following Fedora's configuration, I'll
use "session optional pam_keyinit.so force revoke", which seems
reasonable; let me know if there's some reason this won't work properly
for Debian.

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply to:

Follow-Ups:
- Bug#734816: Bug#734671: enable pam_keyinit by default
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Processed: tagging 732441
Next by Date: Bug#734816: Bug#734671: enable pam_keyinit by default
Previous by thread: Processed: tagging 732441
Next by thread: Bug#734816: Bug#734671: enable pam_keyinit by default
Index(es):
- Date
- Thread