Bug 1144063 – Please add "pam_keyinit.so" to the /etc/pam.d/xdm and /etc/pam.d/xdm-up configuration files

Bug 1144063 - Please add "pam_keyinit.so" to the /etc/pam.d/xdm and /etc/pam.d/xdm-up configuration files


Summary:	Please add "pam_keyinit.so" to the /etc/pam.d/xdm and /etc/pam.d/xdm-up confi...

Status:	RESOLVED FIXED

Classification:	openSUSE
Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Basesystem
Version:	Current
Hardware:	All openSUSE Factory

Priority:	P5 - None Severity: Normal (vote)
Target Milestone:	Current
Assigned To:	E-mail List
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-08-02 15:21 UTC by Josef Möllers
Modified:	2019-08-19 15:40 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Josef Möllers 2019-08-02 15:21:55 UTC

In the near future, the use of kernel keyrings will be enabled by systemd.
To fully support this feature, the xdm package must include the pam_keyinit.so
module in its /etc/pam.d/xdm and /etc/pam.d/xdm-up configuration files.
Please add this module to the /etc/pam.d/xdm and /etc/pam.d/xdm-up configuration files with the
appropriate parameters:
session optional pam_keyinit.so revoke [force]
Thanks.

Comment 1 Josef Möllers 2019-08-15 07:51:58 UTC

Changed codestream to TW where it belongs.

Comment 2 Stefan Dirsch 2019-08-19 14:54:22 UTC

Done. Hope it's correct that way. I'm not sure about the options for pam_keyinit.so. It looks weird to me.

diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/etc/pam.d/xdm new/etc/pam.d/xdm
--- old/etc/pam.d/xdm   2014-03-04 13:53:31.000000000 +0100
+++ new/etc/pam.d/xdm   2019-08-19 16:47:20.123174000 +0200
@@ -4,3 +4,4 @@
 password include        common-password
 session  required       pam_loginuid.so
 session  include        common-session
+session  optional       pam_keyinit.so revoke [force]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/etc/pam.d/xdm-np new/etc/pam.d/xdm-np
--- old/etc/pam.d/xdm-np        2014-03-04 13:53:31.000000000 +0100
+++ new/etc/pam.d/xdm-np        2019-08-19 16:50:28.071650000 +0200
@@ -4,3 +4,4 @@
 password include        common-password
 session  required       pam_loginuid.so
 session  include        common-session
+session  optional       pam_keyinit.so revoke [force]

Comment 3 Stefan Dirsch 2019-08-19 14:55:32 UTC

Closing as fixed. Please reopen if I did something stupid.

Comment 4 Josef Möllers 2019-08-19 15:01:16 UTC

The brackets "[" and "]" should not be there!
If you "log in" a user, then "force" must be supplied:
session  optional       pam_keyinit.so revoke force

If you just open a new session without properly loggin in a user (ie without starting a login shell or the like), then no force is required.

"xdm" being a login manager, I assume the former.

Please remove the brackets!

Comment 5 Stefan Dirsch 2019-08-19 15:09:43 UTC

Ok. Fixed.

Comment 6 Swamp Workflow Management 2019-08-19 15:40:06 UTC

This is an autogenerated message for OBS integration:
This bug (1144063) was mentioned in
https://build.opensuse.org/request/show/724603 Factory / xdm