Bug 1144049 - Please add "pam_keyinit.so" to the /etc/pam.d/lightdm and /etc/pam.d/lightdm-autologin configuration files
Please add "pam_keyinit.so" to the /etc/pam.d/lightdm and /etc/pam.d/lightdm-...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Current
All openSUSE Factory
: P5 - None : Normal (vote)
: ---
Assigned To: S. B.
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-08-02 14:57 UTC by Josef Möllers
Modified: 2020-04-07 13:48 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Josef Möllers 2019-08-02 14:57:33 UTC
In the near future, the use of kernel keyrings will be enabled by systemd.
To fully support this feature, the lightdm package must include the pam_keyinit.so
module in its /etc/pam.d/lightdm and /etc/pam.d/lightdm-autologin configuration files.
Please add this module to the /etc/pam.d/lightdm and /etc/pam.d/lightdm-autologin configuration files with the appropriate parameters:
session optional pam_keyinit.so revoke [force]
Thanks.
Comment 1 Fabian Vogt 2019-08-05 07:22:22 UTC
I wonder why this is a SLE 15 GM bug, that seems odd to me.

If pam_keyinit should be part of all session lists, this needs to be done in pam/pam-config. Reassigning.
Comment 2 Josef Möllers 2019-08-05 07:27:29 UTC
(In reply to Fabian Vogt from comment #1)
> I wonder why this is a SLE 15 GM bug, that seems odd to me.

Please add it to factory. I coulnd't find an appropriate release. Sorry.

> If pam_keyinit should be part of all session lists, this needs to be done in
> pam/pam-config. Reassigning.

And ... no, it should not be added to EVERY session list, only to those that really open a new session for a different user and, as such, need to abandon the old keyring and create a new one.
Comment 3 Josef Möllers 2019-08-05 07:30:39 UTC
(In reply to Josef Möllers from comment #2)
> (In reply to Fabian Vogt from comment #1)
> > I wonder why this is a SLE 15 GM bug, that seems odd to me.
> 
> Please add it to factory. I coulnd't find an appropriate release. Sorry.


Changed the target to openSUSE factory.
Comment 4 Fabian Vogt 2019-08-05 07:52:42 UTC
(In reply to Josef Möllers from comment #2)
> (In reply to Fabian Vogt from comment #1)
> > I wonder why this is a SLE 15 GM bug, that seems odd to me.
> 
> Please add it to factory. I coulnd't find an appropriate release. Sorry.

Ok, moved to Tumbleweed.

> > If pam_keyinit should be part of all session lists, this needs to be done in
> > pam/pam-config. Reassigning.
> 
> And ... no, it should not be added to EVERY session list, only to those that
> really open a new session for a different user and, as such, need to abandon
> the old keyring and create a new one.

That's what common-session is for, right?
Comment 5 Josef Möllers 2019-08-05 07:58:37 UTC
(In reply to Fabian Vogt from comment #4)
> (In reply to Josef Möllers from comment #2)
> > (In reply to Fabian Vogt from comment #1)

> > > If pam_keyinit should be part of all session lists, this needs to be done in
> > > pam/pam-config. Reassigning.
> > 
> > And ... no, it should not be added to EVERY session list, only to those that
> > really open a new session for a different user and, as such, need to abandon
> > the old keyring and create a new one.
> 
> That's what common-session is for, right?

The verdict is still out if really EVERY package/program which opens a new session MUST have a new keyring. So rather than having pam_keyinit in common-session and later discover that quite a number of packages should not obtain a new keyring (or maybe do not need a keyring in the first place), we decided to pick those packages that MUST have one and ask for inclusion.
Comment 6 Fabian Vogt 2019-08-05 08:20:20 UTC
(In reply to Josef Möllers from comment #5)
> (In reply to Fabian Vogt from comment #4)
> > (In reply to Josef Möllers from comment #2)
> > > (In reply to Fabian Vogt from comment #1)
> 
> > > > If pam_keyinit should be part of all session lists, this needs to be done in
> > > > pam/pam-config. Reassigning.
> > > 
> > > And ... no, it should not be added to EVERY session list, only to those that
> > > really open a new session for a different user and, as such, need to abandon
> > > the old keyring and create a new one.
> > 
> > That's what common-session is for, right?
> 
> The verdict is still out if really EVERY package/program which opens a new
> session MUST have a new keyring.

I'm not familiar with pam_keyinit at all, so what would be a reason to use pam_keyinit and what would be a reason not to?

> So rather than having pam_keyinit in
> common-session and later discover that quite a number of packages should not
> obtain a new keyring (or maybe do not need a keyring in the first place), we
> decided to pick those packages that MUST have one and ask for inclusion.

Note that lightdm and lightdm-autologins are just symlinks to xdm anyway.

Reassigning to lightdm.
Comment 7 Josef Möllers 2019-08-05 08:30:58 UTC
(In reply to Fabian Vogt from comment #6)
> (In reply to Josef Möllers from comment #5)

> > The verdict is still out if really EVERY package/program which opens a new
> > session MUST have a new keyring.
> 
> I'm not familiar with pam_keyinit at all, so what would be a reason to use
> pam_keyinit and what would be a reason not to?

Keyrings are a fairly new concept, not yet widely used and can be used to hold keys for use by the kernel (eg so that encrypted filesystems can be mounted without repeatedly asking for the respective key).

pam_keyinit creates a new kernel keyring for a process, linking to a possibly already existing keyring of the new user. While there are access restrictions to keys, it is desired not to have too many keys of (an)other user(s) in a process' keyring. Hence sometimes it is desired to keep the keyring (because a process may have added keys for use by the new user) and sometimes it is desired to dispose of the old keyring and start afresh with only the new user's keyring.
Comment 8 Josef Möllers 2019-10-08 06:31:32 UTC
ping!
Any progress?
Comment 9 Josef Möllers 2020-01-08 12:44:45 UTC
ping!
Any progress?
Comment 10 Josef Möllers 2020-04-07 13:48:23 UTC
As lightdm uses xdm's /etc/pam.d config files, this bug is fixed with https://build.opensuse.org/request/show/724603