This is a blanket bug for tracking FC6 configuration alteration.

WHAT NEEDS TO BE DONE
=====================

The PAM scripts for the login programs need to be altered to forcibly create a new session keyring when a login event occurs.

These simply require the following line adding to their PAM scripts:

    session optional pam_keyinit.so force revoke

This forces them to create a new session keyring during login, replacing the one inherited from their parent, and causes the session keyring so created to be revoked when the login process exits. Ideally, this should be "required" not "optional", but it still has to work if the pam_keyinit.so library is absent.

The authlogin program needs modifying to add:

    session optional pam_keyinit.so revoke

To the default session (system-auth). This just creates a new session keyring if one doesn't yet exist for this process.

The "su" program needs to split its "su - [user]" mode PAM script from its "su [user]" PAM script, so that the former can forcibly create a keyring whilst the latter doesn't.
The keyring in question is the session keyring maintained by the kernel for each process and manageable through the keyutils package.
/usr/sbin/in.telnetd uses /bin/login

    $ rpm -qf /bin/login
    util-linux-2.13-0.20.3
| These simply require the following line adding to their PAM scripts:

Aargh! I forgot to mention: this needs to go *above* the other session lines, so that any key they add gets placed in the new keyring.
Added 'session optional pam_keyinit.so revoke' to the default /etc/pam.d/system-auth in pam package. Leaving the bug report open for tracking.
All deps fixed, pam fixed, closing
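The placement rules from the description and the follow-up about ordering can be checked mechanically. The following is an added example, not code from this bug report or from the pam package: the function names and the two sample files are constructed for illustration, and backslash line continuations in PAM files are assumed not to be in use.

```python
import re

# type, control (plain word or [bracketed list]), module or included file, options
RULE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def session_rules(text):
    """Return (module_basename, options) for each session rule, in file order."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())  # '#' starts a comment
        if m and m.group(1) == "session":
            rules.append((m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return rules

def audit(text, login_service):
    """List deviations from what the bug asks for; an empty list means compliant.

    login_service=True:  'force revoke', placed above every other session line
    login_service=False: 'revoke' only (the default session, system-auth)
    """
    rules = session_rules(text)
    idx = next((i for i, (mod, _) in enumerate(rules) if mod == "pam_keyinit.so"), None)
    if idx is None:
        return ["no session rule for pam_keyinit.so"]
    findings = []
    if login_service and idx != 0:
        # Keys added by earlier session modules would land in the old keyring.
        findings.append("pam_keyinit.so is below %s" % rules[0][0])
    for opt in (["force", "revoke"] if login_service else ["revoke"]):
        if opt not in rules[idx][1]:
            findings.append("missing option '%s'" % opt)
    return findings

# Constructed sample files, not taken from any real package.
LOGIN_GOOD = """\
auth       include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
"""
LOGIN_BAD = """\
auth       include      system-auth
session    include      system-auth
session    optional     pam_keyinit.so revoke   # too late, and no 'force'
"""

if __name__ == "__main__":
    for name, text in (("LOGIN_GOOD", LOGIN_GOOD), ("LOGIN_BAD", LOGIN_BAD)):
        print(name, audit(text, login_service=True) or "ok")
```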