Red Hat Bugzilla – Bug 198628
Make login processes initialise session keyring
Last modified: 2007-11-30 17:11:37 EST
+++ This bug was initially created as a clone of Bug #198623 +++
This package contains the "ssh" service for which the PAM script needs to be
WHAT NEEDS TO BE DONE
The PAM scripts for the login programs need to be altered to forcibly create a
new session keyring when a login event occurs.
These simply require the following line adding to their PAM scripts:
session optional pam_keyinit.so force revoke
This forces them to create a new session keyring during login, replacing the
one inherited from their parent, and causes the session keyring so created to
be revoked when the login process exits.
Ideally, this should be "required" not "optional", but it still has to work if
the pam_keyinit.so library is absent.
The authlogin program needs modifying to add:
session optional pam_keyinit.so revoke
To the default session (system-auth). This just creates a new session keyring
if one doesn't yet exist for this process.
The "su" program needs to split its "su - [user]" mode PAM script from its "su
[user]" PAM script, so that the former can forcibly create a keyring whilst
the latter doesn't.
Created attachment 132364 [details]
Add keyinit instruction to PAM script
This patch patches the devel/ directory to modify the SPEC file and the PAM
script to add a keyinit instruction to the latter.