Bug 245578
| Summary: | login's "remote" PAM configuration inits the keyring at an inconvenient time | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Nalin Dahyabhai <nalin> |
| Component: | util-linux | Assignee: | Karel Zak <kzak> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 5.0 | CC: | azelinka, rvokal, tmraz |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 2.13-0.52.fc7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-01-13 23:43:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 198623 | | |

Description
Nalin Dahyabhai
2007-06-25 14:50:06 UTC
Somehow I missed that the "login" configuration has the same problem, but it appears to as well.

Well, there is also "pam_selinux close" that should be the first PAM session module, I've moved the pam_keyinit behind the pam_selinux. Updated version:

```
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_ck_connector.so
```

ok? (Note, I'm changing this in devel & F7 now.)

I think so -- the SELinux module doesn't interact with the keyring (to double-check, running ldd on pam_selinux.so didn't list the keyutils library, so I'm pretty sure), so that should be fine. The important thing on my test box is that the keyring is set up before pam_krb5 is run, because it may put AFS session data in the keyring. Thanks!

util-linux-2.13-0.52.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.

util-linux-2.13-0.52.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. This request will be reviewed for a future Red Hat Enterprise Linux release.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0085.html
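
An added example, not part of the bug thread or of util-linux: a small Python check for the session ordering discussed above (pam_selinux.so close first, pam_keyinit.so before anything that runs pam_krb5). It assumes pam_krb5 is reached through the `system-auth` include or a direct `pam_krb5.so` line; the misordered sample is constructed for illustration.

```python
import re

# Assumption: pam_krb5 runs from the system-auth include or a direct pam_krb5.so line.
KRB5_CARRIERS = {"pam_krb5.so", "system-auth"}

# Session stack proposed in the bug comments.
FIXED_LOGIN = """\
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
session    required     pam_selinux.so open
session    optional     pam_ck_connector.so
"""

# Constructed sample: keyring initialised only after system-auth has run.
MISORDERED = """\
session    required     pam_selinux.so close
session    include      system-auth
session    optional     pam_keyinit.so force revoke
session    required     pam_selinux.so open
"""

def session_rules(text):
    """Return [(module_or_include, [args])] for session lines, in stack order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"-?session\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            rules.append((m.group(2), m.group(3).split()))
    return rules

def check_order(text):
    """Return a list of ordering problems; an empty list means the stack is fine."""
    rules = session_rules(text)
    def index(pred):
        return next((i for i, r in enumerate(rules) if pred(r)), None)
    close = index(lambda r: r[0] == "pam_selinux.so" and "close" in r[1])
    keyinit = index(lambda r: r[0] == "pam_keyinit.so")
    krb5 = index(lambda r: r[0] in KRB5_CARRIERS)
    findings = []
    if close is not None and close != 0:
        findings.append("pam_selinux.so close is not the first session rule")
    if keyinit is None:
        findings.append("no pam_keyinit.so session rule")
    elif krb5 is not None and keyinit > krb5:
        findings.append("pam_keyinit.so runs after pam_krb5/system-auth")
    elif close is not None and keyinit < close:
        findings.append("pam_keyinit.so runs before pam_selinux.so close")
    return findings
```
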