Bugzilla – Bug 1144045
Please add "pam_keyinit.so" to the /etc/pam.d/racoon configuration file
Last modified: 2019-10-22 11:01:18 UTC
In the near future, the use of kernel keyrings will be enabled by systemd. To fully support this feature, the ipsec-tools package must include the pam_keyinit.so module in its /etc/pam.d/racoon configuration file. Please add this module to the /etc/pam.d/racoon configuration file with the appropriate parameters:

    session optional pam_keyinit.so revoke [force]

Thanks.
Changed codestream to TW.
ping! Any progress?
Why is this needed? I don't think racoon uses any keyrings. It uses the keys specified by the racoon.conf file. Is it a new feature that you want working? Is it documented somewhere? Or would something stop working if we don't do this? What is it? (ipsec-tools is basically dead, I understand we keep it in the distro for current deployments to remain working but I don't think we need any new features.)
(In reply to Jiri Bohac from comment #3)
> Why is this needed?

The main reason is that systemd will enable keyrings, so every process will have a keyring. If the process changes the UID, the keyring will not belong to that user and therefore should be abandoned. This is done by pam_keyinit. As a side-effect the process gets a new keyring belonging to the new user. As racoon calls pam_open_session, I have opened this BZ. If racoon does not change UIDs, then this is not needed.

> I don't think racoon uses any keyrings. It uses the keys specified by the
> racoon.conf file.

Then, maybe in the future, racoon may use the new feature!?

> Is it a new feature that you want working? Is it documented somewhere?

E.g. here http://man7.org/linux/man-pages/man7/session-keyring.7.html

> Or would something stop working if we don't do this? What is it?

As far as I know, nobody is really using keyrings at this moment, but before we roll out keyrings, we must make sure that the infrastructure is set.
(In reply to Josef Möllers from comment #4)
> > I don't think racoon uses any keyrings. It uses the keys specified by the
> > racoon.conf file.
>
> Then, maybe in the future, racoon may use the new feature!?

No, there is really no future for racoon, the project is dead. Let's do this once it's really needed (very unlikely).
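As an added illustration of the audit that comment #4 implies (not code from the bug report or from ipsec-tools), the Python below parses a pam.d service file and reports whether its session stack carries pam_keyinit with revoke; the two racoon configs are constructed, and the report's "[force]" is taken to mean that force is an optional argument.

```python
"""Audit a PAM service file for pam_keyinit in its session stack.

Added example, not part of the bug report or the ipsec-tools package.
The configs are constructed inline so the check runs offline; on a real
system you would read /etc/pam.d/<service> instead.
"""
import re
import shlex

# Constructed /etc/pam.d/racoon as the reporter describes it: no pam_keyinit.
RACOON_BEFORE = """\
#%PAM-1.0
auth     include  common-auth
account  include  common-account
password include  common-password
session  include  common-session
"""

# The same file with the line requested in the bug report added
# (assumption: the report's "[force]" marks force as an optional argument).
RACOON_AFTER = RACOON_BEFORE + "session  optional pam_keyinit.so revoke force\n"

def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a pam.d file.

    Handles '#' comments, the '[value=action ...]' control syntax, the
    optional leading '-' on the type and backslash line continuations.
    """
    text = text.replace("\\\n", " ")
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError("unparsable PAM rule: %r" % line)
        mtype, control, module, args = m.groups()
        yield mtype.lstrip("-").lower(), control, module, shlex.split(args)

def keyinit_status(text):
    """Return None if the session stack lacks pam_keyinit, else its flags.

    'revoke' is what the report asks for: it drops the session keyring
    inherited from the previous UID so a daemon that switches user does
    not keep a keyring owned by someone else.
    """
    for mtype, _control, module, args in parse_pam(text):
        if mtype == "session" and module.endswith("pam_keyinit.so"):
            return {"revoke": "revoke" in args, "force": "force" in args}
    return None

if __name__ == "__main__":
    for name, cfg in (("before", RACOON_BEFORE), ("after", RACOON_AFTER)):
        print(name, keyinit_status(cfg))
```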