Bug 1144045 - Please add "pam_keyinit.so" to the /etc/pam.d/racoon configuration file
Status: RESOLVED INVALID
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Basesystem
Version: Current
Hardware: All openSUSE Factory
Priority: P5 - None
Severity: Normal
Target Milestone: Current
Assigned To: Jiri Bohac
Reported: 2019-08-02 14:49 UTC by Josef Möllers
Modified: 2019-10-22 11:01 UTC
Description Josef Möllers 2019-08-02 14:49:49 UTC
In the near future, the use of kernel keyrings will be enabled by systemd. To fully support this feature, the ipsec-tools package must include the pam_keyinit.so module in its /etc/pam.d/racoon configuration file.
Please add this module to the /etc/pam.d/racoon configuration file with the appropriate parameters:
session optional pam_keyinit.so revoke [force]
Thanks.
Comment 1 Josef Möllers 2019-08-15 07:45:46 UTC
Changed codestream to TW.
Comment 2 Josef Möllers 2019-10-08 06:30:51 UTC
ping!
Any progress?
Comment 3 Jiri Bohac 2019-10-18 15:00:41 UTC
Why is this needed?
I don't think racoon uses any keyrings. It uses the keys specified by the racoon.conf file.
Is it a new feature that you want working? Is it documented somewhere?
Or would something stop working if we don't do this? What is it?

(ipsec-tools is basically dead, I understand we keep it in the distro for current deployments to remain working but I don't think we need any new features.)
Comment 4 Josef Möllers 2019-10-21 06:40:39 UTC
(In reply to Jiri Bohac from comment #3)
> Why is this needed?

The main reason is that systemd will enable keyrings, so every process will have a keyring. If the process changes the UID, the keyring will not belong to that user and therefore should be abandoned. This is done by pam_keyinit. As a side-effect the process gets a new keyring belonging to the new user.
As racoon calls pam_open_session, I have opened this BZ. If racoon does not change UIDs, then this is not needed.

> I don't think racoon uses any keyrings. It uses the keys specified by the
> racoon.conf file.

Then, maybe in the future, racoon may use the new feature!?

> Is it a new feature that you want working? Is it documented somewhere?

E.g. here http://man7.org/linux/man-pages/man7/session-keyring.7.html

> Or would something stop working if we don't do this? What is it?

As far as I know, nobody is really using keyrings at this moment, but before we roll out keyrings, we must make sure that the infrastructure is set.
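As an added example (not code from this bug report or from ipsec-tools), the audit below parses PAM service files, flattens each service's session stack through include/substack, and reports whether pam_keyinit.so with revoke is present, which is the check behind the request above. The /etc/pam.d contents in SAMPLE_PAMD are constructed samples; a real audit would read the files from /etc/pam.d.

```python
import re

# Constructed sample /etc/pam.d files (not taken from any openSUSE package).
SAMPLE_PAMD = {
    "racoon": "#%PAM-1.0\nauth    include common-auth\nsession include common-session\n",
    "common-session": "session required pam_limits.so\nsession required pam_unix.so try_first_pass\n",
    "sshd": "session [success=ok default=bad] pam_loginuid.so\n"
            "session optional pam_keyinit.so force \\\n    revoke\n"
            "session include common-session\n",
    "vsftpd": "session optional pam_keyinit.so force\n",
}

# Groups: type, control (word or [bracketed]), module path, argument string.
LINE_RE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """(type, control, module, args) per directive; strips comments and joins
    backslash-continued lines, as libpam's config reader does."""
    rows, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            logical += line[:-1] + " "
            continue
        m = LINE_RE.match(logical + line)
        if m:
            mtype, ctrl, mod, args = m.groups()
            rows.append((mtype.lower(), ctrl, mod, args.split()))
        logical = ""
    return rows

def session_modules(service, files, seen=None):
    """Flatten the session stack of `service`, following include/substack."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:   # include loop or missing file
        return []
    seen.add(service)
    out = []
    for mtype, ctrl, mod, args in parse_pam(files[service]):
        if mtype == "session" and ctrl in ("include", "substack"):
            out.extend(session_modules(mod, files, seen))
        elif mtype == "session":
            out.append((mod, args))
    return out

def keyinit_status(service, files):
    """'revoke' if pam_keyinit.so revoke is in the session stack,
    'present' if it is there without revoke, else 'missing'."""
    status = "missing"
    for mod, args in session_modules(service, files):
        if mod.rsplit("/", 1)[-1] == "pam_keyinit.so":
            status = "revoke" if "revoke" in args else "present"
    return status
```

With the samples above, "racoon" reports missing, "sshd" reports revoke and "vsftpd" reports present.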
Comment 5 Jiri Bohac 2019-10-22 11:01:18 UTC
(In reply to Josef Möllers from comment #4)
> > I don't think racoon uses any keyrings. It uses the keys specified by the
> > racoon.conf file.
> 
> Then, maybe in the future, racoon may use the new feature!?

No, there is really no future for racoon, the project is dead.
Let's do this once it's really needed (very unlikely).