Bug 1144055 – Please add "pam_keyinit.so" to the /etc/pam.d/ppp configuration file

Bug 1144055 - Please add "pam_keyinit.so" to the /etc/pam.d/ppp configuration file


Summary:	Please add "pam_keyinit.so" to the /etc/pam.d/ppp configuration file

Status:	RESOLVED INVALID

Classification:	openSUSE
Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Basesystem
Version:	Current
Hardware:	All openSUSE Factory

Priority:	P5 - None Severity: Normal (vote)
Target Milestone:	Current
Assigned To:	Reinhard Max
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-08-02 15:08 UTC by Josef Möllers
Modified:	2020-04-07 14:11 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Josef Möllers 2019-08-02 15:08:58 UTC

In the near future, the use of kernel keyrings will be enabled by systemd.
To fully support this feature, the ppp package must include the pam_keyinit.so
module in its /etc/pam.d/ppp configuration file.
Please add this module to the /etc/pam.d/ppp configuration file with the
appropriate parameters:
session optional pam_keyinit.so revoke [force]
Thanks.

Comment 1 Josef Möllers 2019-08-15 07:49:12 UTC

Changed codestream to TW where it belongs.

Comment 2 Josef Möllers 2019-10-08 06:32:21 UTC

ping!
Any progress?

Comment 3 Reinhard Max 2019-10-08 13:42:26 UTC

Not sure if including pam_keyinit is actually needed or desirable for ppp.
Maybe the security team can help us to clarify this.

Comment 4 Marcus Meissner 2019-10-14 15:47:28 UTC

I currently have a hard time thinking if kernel keyrings are needed by PAM.

Comment 5 Josef Möllers 2019-10-14 15:53:24 UTC

(In reply to Marcus Meissner from comment #4)
> I currently have a hard time thinking if kernel keyrings are needed by PAM.

I agree that I haven't seen them in free wilderness yet, but I think it's one of the Next Great Things!

Somebody has to make sure that when you "log in", one way or the other, and may need access to the key in the new user's keyring, the keyring is properly set up.
It's not PAM who needs the keyring (more important, the keys attached) but the processes that run under the new user's UID.

Just my 2€ct!

Comment 6 Reinhard Max 2019-10-15 12:10:28 UTC

AFAIU pam_keyinit is (also) needed to keep user processes from inheriting access to keyrings from the systemd process running under root even if neither PAM nor the user process are using kernel keyrings themselves. But I am not sure whether or not this is relevant for the pppd case compared to programs that fall into the login category.

Comment 7 Josef Möllers 2019-12-05 14:05:07 UTC

Any progress?

Comment 9 Josef Möllers 2020-01-08 12:45:18 UTC

ping!
Any progress?

Comment 10 Josef Möllers 2020-04-07 14:11:23 UTC

After some more research: ppp doesn't need pam_keyinit, so closing this bug as INVALID.