diff options
| author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 16:26:05 -0800 |
|---|---|---|
| committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 17:26:38 -0800 |
| commit | 9c52e721044e7501c3d4567b36d222dc7326224a (patch) | |
| tree | 9011790770130c60a712a6f125ad50d60e07cc74 /modules/pam_keyinit/README | |
| parent | 9727ff2a3fa0e94a42b34a579027bacf4146d571 (diff) | |
| parent | 186ff16e8d12ff15d518000c17f115ccab5275a4 (diff) | |
New upstream version 1.0.1
Diffstat (limited to 'modules/pam_keyinit/README')
| -rw-r--r-- | modules/pam_keyinit/README | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/modules/pam_keyinit/README b/modules/pam_keyinit/README new file mode 100644 index 00000000..38344d9a --- /dev/null +++ b/modules/pam_keyinit/README @@ -0,0 +1,68 @@ +pam_keyinit — Kernel session keyring initialiser module + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +The pam_keyinit PAM module ensures that the invoking process has a session +keyring other than the user default session keyring. + +The session component of the module checks to see if the process's session +keyring is the user default, and, if it is, creates a new anonymous session +keyring with which to replace it. + +If a new session keyring is created, it will install a link to the user common +keyring in the session keyring so that keys common to the user will be +automatically accessible through it. + +The session keyring of the invoking process will thenceforth be inherited by +all its children unless they override it. + +This module is intended primarily for use by login processes. Be aware that +after the session keyring has been replaced, the old session keyring and the +keys it contains will no longer be accessible. + +This module should not, generally, be invoked by programs like su, since it is +usually desirable for the key set to percolate through to the alternate +context. The keys have their own permissions system to manage this. + +This module should be included as early as possible in a PAM configuration, so +that other PAM modules can attach tokens to the keyring. + +The keyutils package is used to manipulate keys more directly. This can be +obtained from: + +Keyutils + +OPTIONS + +debug + + Log debug information with syslog(3). + +force + + Causes the session keyring of the invoking process to be replaced + unconditionally. + +revoke + + Causes the session keyring of the invoking process to be revoked when the + invoking process exits if the session keyring was created for this process + in the first place. + +EXAMPLES + +Add this line to your login entries to start each login session with its own +session keyring: + +session required pam_keyinit.so + + +This will prevent keys from one session leaking into another session for the +same user. + +AUTHOR + +pam_keyinit was written by David Howells, <dhowells@redhat.com>. + |