summaryrefslogtreecommitdiff
path: root/Linux-PAM/modules/pam_keyinit/README
diff options
context:
space:
mode:
Diffstat (limited to 'Linux-PAM/modules/pam_keyinit/README')
-rw-r--r--Linux-PAM/modules/pam_keyinit/README76
1 files changed, 60 insertions, 16 deletions
diff --git a/Linux-PAM/modules/pam_keyinit/README b/Linux-PAM/modules/pam_keyinit/README
index da22a535..38344d9a 100644
--- a/Linux-PAM/modules/pam_keyinit/README
+++ b/Linux-PAM/modules/pam_keyinit/README
@@ -1,24 +1,68 @@
-# $Id: README,v 1.1 2006/06/27 12:34:07 t8m Exp $ -*- text -*-
-#
+pam_keyinit — Kernel session keyring initialiser module
-This module makes sure the calling process has its own session keyring rather
-than using the default per-user session keyring.
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-The following words may be supplied as arguments to the module through the PAM
-configuration scripts:
+DESCRIPTION
- (*) "force"
+The pam_keyinit PAM module ensures that the invoking process has a session
+keyring other than the user default session keyring.
- This will cause the process's current session keyring to be replaced with
- a new one. If this isn't supplied, a session keyring will only be created
- if the process doesn't already have its own.
+The session component of the module checks to see if the process's session
+keyring is the user default, and, if it is, creates a new anonymous session
+keyring with which to replace it.
- (*) "revoke"
+If a new session keyring is created, it will install a link to the user common
+keyring in the session keyring so that keys common to the user will be
+automatically accessible through it.
- If the module actually created a keyring, this will cause that keyring to
- be revoked on session closure.
+The session keyring of the invoking process will thenceforth be inherited by
+all its children unless they override it.
- (*) "debug"
+This module is intended primarily for use by login processes. Be aware that
+after the session keyring has been replaced, the old session keyring and the
+keys it contains will no longer be accessible.
+
+This module should not, generally, be invoked by programs like su, since it is
+usually desirable for the key set to percolate through to the alternate
+context. The keys have their own permissions system to manage this.
+
+This module should be included as early as possible in a PAM configuration, so
+that other PAM modules can attach tokens to the keyring.
+
+The keyutils package is used to manipulate keys more directly. This can be
+obtained from:
+
+Keyutils
+
+OPTIONS
+
+debug
+
+ Log debug information with syslog(3).
+
+force
+
+ Causes the session keyring of the invoking process to be replaced
+ unconditionally.
+
+revoke
+
+ Causes the session keyring of the invoking process to be revoked when the
+ invoking process exits if the session keyring was created for this process
+ in the first place.
+
+EXAMPLES
+
+Add this line to your login entries to start each login session with its own
+session keyring:
+
+session required pam_keyinit.so
+
+
+This will prevent keys from one session leaking into another session for the
+same user.
+
+AUTHOR
+
+pam_keyinit was written by David Howells, <dhowells@redhat.com>.
- This will cause the module to write some debugging information to the
- syslog.
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-13 06:07:50 +0000