Bugzilla – Full Text Bug Listing

| Summary: | Please add "pam_keyinit.so" to the /etc/pam.d/lightdm and /etc/pam.d/lightdm-autologin configuration files | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Josef Möllers <josef.moellers> |
| Component: | Basesystem | Assignee: | S. B. <sb56637> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | alynx.zhou, fvogt, sor.alexei |
| Version: | Current | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | openSUSE Factory | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Josef Möllers
2019-08-02 14:57:33 UTC
Comment 1
Fabian Vogt

I wonder why this is a SLE 15 GM bug, that seems odd to me.

If pam_keyinit should be part of all session lists, this needs to be done in pam/pam-config. Reassigning.

Comment 2
Josef Möllers

(In reply to Fabian Vogt from comment #1)
> I wonder why this is a SLE 15 GM bug, that seems odd to me.

Please add it to factory. I couldn't find an appropriate release. Sorry.

> If pam_keyinit should be part of all session lists, this needs to be done in
> pam/pam-config. Reassigning.

And ... no, it should not be added to EVERY session list, only to those that really open a new session for a different user and, as such, need to abandon the old keyring and create a new one.

Comment 3

(In reply to Josef Möllers from comment #2)
> (In reply to Fabian Vogt from comment #1)
> > I wonder why this is a SLE 15 GM bug, that seems odd to me.
>
> Please add it to factory. I couldn't find an appropriate release. Sorry.

Changed the target to openSUSE factory.

Comment 4
Fabian Vogt

(In reply to Josef Möllers from comment #2)
> (In reply to Fabian Vogt from comment #1)
> > I wonder why this is a SLE 15 GM bug, that seems odd to me.
>
> Please add it to factory. I couldn't find an appropriate release. Sorry.

Ok, moved to Tumbleweed.

> > If pam_keyinit should be part of all session lists, this needs to be done in
> > pam/pam-config. Reassigning.
>
> And ... no, it should not be added to EVERY session list, only to those that
> really open a new session for a different user and, as such, need to abandon
> the old keyring and create a new one.

That's what common-session is for, right?

Comment 5
Josef Möllers

(In reply to Fabian Vogt from comment #4)
> (In reply to Josef Möllers from comment #2)
> > (In reply to Fabian Vogt from comment #1)
> > > If pam_keyinit should be part of all session lists, this needs to be done in
> > > pam/pam-config. Reassigning.
> >
> > And ... no, it should not be added to EVERY session list, only to those that
> > really open a new session for a different user and, as such, need to abandon
> > the old keyring and create a new one.
>
> That's what common-session is for, right?

The verdict is still out if really EVERY package/program which opens a new session MUST have a new keyring. So rather than having pam_keyinit in common-session and later discover that quite a number of packages should not obtain a new keyring (or maybe do not need a keyring in the first place), we decided to pick those packages that MUST have one and ask for inclusion.

Comment 6
Fabian Vogt

(In reply to Josef Möllers from comment #5)
> (In reply to Fabian Vogt from comment #4)
> > (In reply to Josef Möllers from comment #2)
> > > (In reply to Fabian Vogt from comment #1)
> > > > If pam_keyinit should be part of all session lists, this needs to be done in
> > > > pam/pam-config. Reassigning.
> > >
> > > And ... no, it should not be added to EVERY session list, only to those that
> > > really open a new session for a different user and, as such, need to abandon
> > > the old keyring and create a new one.
> >
> > That's what common-session is for, right?
>
> The verdict is still out if really EVERY package/program which opens a new
> session MUST have a new keyring.

I'm not familiar with pam_keyinit at all, so what would be a reason to use pam_keyinit and what would be a reason not to?

> So rather than having pam_keyinit in
> common-session and later discover that quite a number of packages should not
> obtain a new keyring (or maybe do not need a keyring in the first place), we
> decided to pick those packages that MUST have one and ask for inclusion.

Note that lightdm and lightdm-autologin are just symlinks to xdm anyway. Reassigning to lightdm.

Comment 7
Josef Möllers

(In reply to Fabian Vogt from comment #6)
> (In reply to Josef Möllers from comment #5)
> > The verdict is still out if really EVERY package/program which opens a new
> > session MUST have a new keyring.
>
> I'm not familiar with pam_keyinit at all, so what would be a reason to use
> pam_keyinit and what would be a reason not to?

Keyrings are a fairly new concept, not yet widely used, and can be used to hold keys for use by the kernel (e.g. so that encrypted filesystems can be mounted without repeatedly asking for the respective key). pam_keyinit creates a new kernel keyring for a process, linking to a possibly already existing keyring of the new user. While there are access restrictions to keys, it is desired not to have too many keys of (an)other user(s) in a process' keyring. Hence sometimes it is desired to keep the keyring (because a process may have added keys for use by the new user) and sometimes it is desired to dispose of the old keyring and start afresh with only the new user's keyring.

Comment 8

ping! Any progress?

Comment 9

ping! Any progress?

Comment 10

As lightdm uses xdm's /etc/pam.d config files, this bug is fixed with https://build.opensuse.org/request/show/724603
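The thread turns on two practical details: which PAM service files actually carry pam_keyinit.so on their session stack, and the fact that lightdm and lightdm-autologin are symlinks to xdm, so a module added to xdm is inherited by both. The script below is an added example written for this page; it is not code from the bug report, from openSUSE, or from the submit request linked above. It audits a PAM service's session stack for pam_keyinit.so, resolving symlinked service files and following `session include`/`substack` and `@include` lines so that a module inherited from common-session is also found. The function names (`pam_lines`, `pam_session_modules`, `pam_has_keyinit`) and the fixture files used in the test are my own; the `pam_keyinit.so force revoke` line used in the fixture is the invocation documented in pam_keyinit(8) and is an assumption about what the fix added, since the page does not show the request's contents.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit which PAM service stacks
# run pam_keyinit.so in their "session" phase.
#
# Resolves symlinked service files (lightdm -> xdm, as comment 6 notes) and
# follows "session include/substack <file>" and "@include <file>" lines, so a
# module inherited from common-session is found as well.
# PAMDIR defaults to /etc/pam.d; pass a fixture directory to test offline.

# pam_lines FILE: print "type control module" per entry, comments stripped.
# A bracketed control field ("[success=1 default=ignore]") contains spaces,
# so it is collapsed to the word "bracket" to keep the module in column 3.
pam_lines() {
    awk '{
        sub(/#.*/, "")
        if (NF < 2) next
        if ($2 ~ /^\[/) {
            i = 2
            while (i <= NF && $i !~ /\]$/) i++
            print $1, "bracket", $(i + 1)
        } else {
            print $1, $2, $3
        }
    }' "$1"
}

# pam_session_modules SERVICE [PAMDIR] [DEPTH]
# Print the base name of every module on SERVICE's session stack, recursing
# into included files (depth-limited so an include loop cannot run forever).
pam_session_modules() {
    svc=$1; dir=${2:-/etc/pam.d}; depth=${3:-0}
    [ "$depth" -lt 8 ] || return 1
    file=$(readlink -f "$dir/$svc" 2>/dev/null || :)   # follows lightdm -> xdm
    if [ ! -f "$file" ]; then
        echo "warning: no PAM stack for '$svc' under $dir" >&2
        return 1
    fi
    pam_lines "$file" | while read -r type ctrl module; do
        case $type in
            @include)
                pam_session_modules "$ctrl" "$dir" $((depth + 1)) || : ;;
            session|-session)
                case $ctrl in
                    include|substack)
                        pam_session_modules "$module" "$dir" $((depth + 1)) || : ;;
                    *)
                        printf '%s\n' "${module##*/}" ;;   # strip any /lib/security/ prefix
                esac ;;
        esac
    done
    return 0
}

# pam_has_keyinit SERVICE [PAMDIR]
# Exit 0 if pam_keyinit.so is on the session stack, 1 if it is not,
# 2 if the service has no PAM configuration at all (e.g. a dangling symlink).
pam_has_keyinit() {
    mods=$(pam_session_modules "$1" "$2") || return 2
    printf '%s\n' "$mods" | grep -qxF 'pam_keyinit.so'
}

# Stand-alone use: sh pam_keyinit_audit.sh lightdm lightdm-autologin
if [ "$#" -gt 0 ]; then
    for svc in "$@"; do
        if pam_has_keyinit "$svc"; then
            echo "$svc: session stack includes pam_keyinit.so"
        else
            echo "$svc: session stack does NOT include pam_keyinit.so"
        fi
    done
fi
```

To confirm the behaviour the module is meant to provide, log in through the display manager and run `keyctl show @s` (from keyutils) inside the session: with pam_keyinit in the stack the session keyring shown there belongs to the logged-in user and is distinct from the display manager's own, which is the "start afresh with only the new user's keyring" case described in comment 7.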