Bug 1144063 - Please add "pam_keyinit.so" to the /etc/pam.d/xdm and /etc/pam.d/xdm-up configuration files
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Basesystem
Current
All openSUSE Factory
P5 - None : Normal
Assigned To: E-mail List
Reported: 2019-08-02 15:21 UTC by Josef Möllers
Modified: 2019-08-19 15:40 UTC (History)
Description Josef Möllers 2019-08-02 15:21:55 UTC
In the near future, the use of kernel keyrings will be enabled by systemd.
To fully support this feature, the xdm package must include the pam_keyinit.so
module in its /etc/pam.d/xdm and /etc/pam.d/xdm-up configuration files.
Please add this module to the /etc/pam.d/xdm and /etc/pam.d/xdm-up configuration files with the
appropriate parameters:
session optional pam_keyinit.so revoke [force]
Thanks.
Comment 1 Josef Möllers 2019-08-15 07:51:58 UTC
Changed codestream to TW where it belongs.
Comment 2 Stefan Dirsch 2019-08-19 14:54:22 UTC
Done. Hope it's correct that way. I'm not sure about the options for pam_keyinit.so. It looks weird to me.

diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/etc/pam.d/xdm new/etc/pam.d/xdm
--- old/etc/pam.d/xdm   2014-03-04 13:53:31.000000000 +0100
+++ new/etc/pam.d/xdm   2019-08-19 16:47:20.123174000 +0200
@@ -4,3 +4,4 @@
 password include        common-password
 session  required       pam_loginuid.so
 session  include        common-session
+session  optional       pam_keyinit.so revoke [force]
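Review bot: On the added line, "[force]" is written with its brackets, exactly as the request spells it ("revoke [force]"), where the brackets read as marking an optional argument rather than as text meant for the file. As written, the line does not say whether force is intended for this service; spell the argument list as either "revoke force" or "revoke", whichever xdm needs.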
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/etc/pam.d/xdm-np new/etc/pam.d/xdm-np
--- old/etc/pam.d/xdm-np        2014-03-04 13:53:31.000000000 +0100
+++ new/etc/pam.d/xdm-np        2019-08-19 16:50:28.071650000 +0200
@@ -4,3 +4,4 @@
 password include        common-password
 session  required       pam_loginuid.so
 session  include        common-session
+session  optional       pam_keyinit.so revoke [force]
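Review bot: The file name in this hunk, etc/pam.d/xdm-np, does not match the request, which names /etc/pam.d/xdm and /etc/pam.d/xdm-up; please confirm which file is meant and note it in the change description. The added line also carries the same literal "[force]" as the xdm hunk and needs the same decision.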
Comment 3 Stefan Dirsch 2019-08-19 14:55:32 UTC
Closing as fixed. Please reopen if I did something stupid.
Comment 4 Josef Möllers 2019-08-19 15:01:16 UTC
The brackets "[" and "]" should not be there!
If you "log in" a user, then "force" must be supplied:
session  optional       pam_keyinit.so revoke force

If you just open a new session without properly logging in a user (i.e. without starting a login shell or the like), then no force is required.

"xdm" being a login manager, I assume the former.

Please remove the brackets!
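
A configuration check for the point made in the comment above, as an added example that is not part of the original report or the xdm package: it scans a pam.d service file for the pam_keyinit.so session line and reports literal brackets or a missing revoke/force. The function names and the sample file contents (constructed from the diff context in comment 2) are assumptions, as is treating the service as a login manager by default.

```python
import re

# Constructed sample: the tail of /etc/pam.d/xdm as patched in comment 2.
PATCHED = """\
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
session  optional       pam_keyinit.so revoke [force]
"""
# Constructed sample: the same file with the line requested in comment 4.
FIXED = PATCHED.replace("[force]", "force")
# Constructed sample: the file before the change (no pam_keyinit.so line).
OLD = "".join(PATCHED.splitlines(keepends=True)[:3])

# type, control (plain word or [value=action ...]), module, remaining arguments
SESSION_RE = re.compile(r"-?session\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def session_entries(text):
    """Yield (control, module, args) for every session line in a pam.d file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        m = SESSION_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).split()

def check_keyinit(text, login_service=True):
    """Return findings for the pam_keyinit.so entry; an empty list means OK."""
    entries = [args for _, mod, args in session_entries(text)
               if mod.endswith("pam_keyinit.so")]
    if not entries:
        return ["no session line loads pam_keyinit.so"]
    findings = []
    for args in entries:
        literal = [a for a in args if a.startswith("[") or a.endswith("]")]
        if literal:
            findings.append("brackets written literally: " + " ".join(literal))
        names = {a.strip("[]") for a in args}
        if "revoke" not in names:
            findings.append("revoke is missing")
        # Assumption from comment 4: force is needed when a user is logged in.
        if login_service and "force" not in names:
            findings.append("force is missing for a login service")
    return findings

if __name__ == "__main__":
    for name, text in (("old", OLD), ("patched", PATCHED), ("fixed", FIXED)):
        print(name, check_keyinit(text) or "OK")
```
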
Comment 5 Stefan Dirsch 2019-08-19 15:09:43 UTC
Ok. Fixed.
Comment 6 Swamp Workflow Management 2019-08-19 15:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1144063) was mentioned in
https://build.opensuse.org/request/show/724603 Factory / xdm