Bug 198623 - Make login processes inialise session keyring
Summary: Make login processes inialise session keyring
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
Depends On: 198626 198628 198629 198630 198631 198632 198636 198637 198638 198639 198755 245578
Blocks: 198799
TreeView+ depends on / blocked
Reported: 2006-07-12 13:05 UTC by David Howells
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-07-19 10:42:54 UTC

Attachments (Terms of Use)

Description David Howells 2006-07-12 13:05:41 UTC
This is a blanket bug for tracking FC6 configuration alteration.

The PAM scripts for the login programs need to be altered to forcibly create a 
new session keyring when a login event occurs.

These simply require the following line adding to their PAM scripts:

	session	    optional    pam_keyinit.so    force revoke

This forces them to create a new session keyring during login, replacing the
one inherited from their parent, and causes the session keyring so created to
be revoked when the login process exits.

Ideally, this should be "required" not "optional", but it still has to work if 
the pam_keyinit.so library is absent.

The authlogin program needs modifying to add:

	session	    optional    pam_keyinit.so    revoke

To the default session (system-auth).  This just creates a new session keyring 
if one doesn't yet exist for this process.

The "su" program needs to split its "su - [user]" mode PAM script from its "su 
[user]" PAM script, so that the former can forcibly create a keyring whilst 
the latter doesn't.

Comment 1 David Howells 2006-07-12 14:00:40 UTC
The keyring in question is the session keyring maintained by the kernel for 
each process and manageable through the keyutils package.

Comment 2 Harald Hoyer 2006-07-12 14:24:37 UTC
/usr/sbin/in.telnetd uses /bin/login
$ rpm -qf /bin/login

Comment 3 David Howells 2006-07-13 12:58:10 UTC
| These simply require the following line adding to their PAM scripts:

Aargh! I forgot to mention: this needs to go *above* the other session lines, 
so that any key they add gets placed in the new keyring.

Comment 4 Tomas Mraz 2006-07-17 14:32:27 UTC
Added 'session optional pam_keyinit.so revoke' to the default
/etc/pam.d/system-auth in pam package. Leaving the bug report open for tracking.

Comment 5 Tomas Mraz 2006-07-19 10:42:54 UTC
All deps fixed, pam fixed, closing

Note You need to log in before you can comment on or make changes to this bug.