path: root/modules/pam_keyinit/README
diff options
authorSteve Langasek <>2019-01-03 16:26:05 -0800
committerSteve Langasek <>2019-01-03 17:26:38 -0800
commit9c52e721044e7501c3d4567b36d222dc7326224a (patch)
tree9011790770130c60a712a6f125ad50d60e07cc74 /modules/pam_keyinit/README
parent9727ff2a3fa0e94a42b34a579027bacf4146d571 (diff)
parent186ff16e8d12ff15d518000c17f115ccab5275a4 (diff)
New upstream version 1.0.1
Diffstat (limited to 'modules/pam_keyinit/README')
1 files changed, 68 insertions, 0 deletions
diff --git a/modules/pam_keyinit/README b/modules/pam_keyinit/README
new file mode 100644
index 00000000..38344d9a
--- /dev/null
+++ b/modules/pam_keyinit/README
@@ -0,0 +1,68 @@
+pam_keyinit — Kernel session keyring initialiser module
+The pam_keyinit PAM module ensures that the invoking process has a session
+keyring other than the user default session keyring.
+The session component of the module checks to see if the process's session
+keyring is the user default, and, if it is, creates a new anonymous session
+keyring with which to replace it.
+If a new session keyring is created, it will install a link to the user common
+keyring in the session keyring so that keys common to the user will be
+automatically accessible through it.
+The session keyring of the invoking process will thenceforth be inherited by
+all its children unless they override it.
+This module is intended primarily for use by login processes. Be aware that
+after the session keyring has been replaced, the old session keyring and the
+keys it contains will no longer be accessible.
+This module should not, generally, be invoked by programs like su, since it is
+usually desirable for the key set to percolate through to the alternate
+context. The keys have their own permissions system to manage this.
+This module should be included as early as possible in a PAM configuration, so
+that other PAM modules can attach tokens to the keyring.
+The keyutils package is used to manipulate keys more directly. This can be
+obtained from:
+ Log debug information with syslog(3).
+ Causes the session keyring of the invoking process to be replaced
+ unconditionally.
+ Causes the session keyring of the invoking process to be revoked when the
+ invoking process exits if the session keyring was created for this process
+ in the first place.
+Add this line to your login entries to start each login session with its own
+session keyring:
+session required
+This will prevent keys from one session leaking into another session for the
+same user.
+pam_keyinit was written by David Howells, <>.