.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "PAM_KEYINIT" 8 "" "" ""
.SH NAME
pam_keyinit \- Kernel session keyring initialiser module
.SH "SYNOPSIS"
.ad l
.hy 0
.HP 15
\fBpam_keyinit\&.so\fR [debug] [force] [revoke]
.ad
.hy
.SH "DESCRIPTION"
.PP
The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\&.
.PP
The session component of the module checks to see if the process's session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\&.
.PP
If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\&.
.PP
The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&.
.PP
This module is intended primarily for use by login processes\&. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\&.
.PP
This module should not, generally, be invoked by programs like \fIsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\&. The keys have their own permissions system to manage this\&.
.PP
This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\&.
.PP
The keyutils package is used to manipulate keys more directly\&. This is included in Fedora Extras 5+ and Red Hat Enterprise Linux 4 U2+ and can also be obtained from:
.PP
Keyutils : \fIhttp://people.redhat.com/~dhowells/keyutils/\fR
.SH "OPTIONS"
.TP
\fBdebug\fR
Log debug information with \fBsyslog\fR(3)\&.
.TP
\fBforce\fR
Causes the session keyring of the invoking process to be replaced unconditionally\&.
.TP
\fBrevoke\fR
Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\&.
.SH "MODULE SERVICES PROVIDED"
.PP
Only the \fIsession\fR service is supported\&.
.SH "RETURN VALUES"
.TP
PAM_SUCCESS
This module will usually return this value\&.
.TP
PAM_AUTH_ERR
Authentication failure\&.
.TP
PAM_BUF_ERR
Memory buffer error\&.
.TP
PAM_IGNORE
The return value should be ignored by PAM dispatch\&.
.TP
PAM_SERVICE_ERR
Cannot determine the user name\&.
.TP
PAM_SESSION_ERR
This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\&.
.TP
PAM_USER_UNKNOWN
User not known\&.
.SH "EXAMPLES"
.PP
Add this line to your login entries to start each login session with its own session keyring:
.nf
session required pam_keyinit\&.so
.fi
.PP
This will prevent keys from one session leaking into another session for the same user\&.
.SH "SEE ALSO"
.PP
\fBpam\&.conf\fR(5), \fBpam\&.d\fR(8), \fBpam\fR(8), \fBkeyctl\fR(1)
.SH "AUTHOR"
.PP
pam_keyinit was written by David Howells, \&.
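.PP
The placement guidance in DESCRIPTION, OPTIONS and MODULE SERVICES PROVIDED can be checked mechanically against a service's PAM file. The following is an added example, not part of the original manual page or of Linux-PAM. The names parse and audit, the finding labels and the sample configurations are constructed for illustration, treating only the service name "su" as a context-switching program is an assumption, and include directives are not followed.

```python
KNOWN_OPTS = {"debug", "force", "revoke"}    # options listed under OPTIONS
MODULE = "pam_keyinit.so"

def parse(text):
    """Return [(type, module, args)] for the rules in a pam.d-style file."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2 or parts[0].startswith("@"):  # blank, comment, @include
            continue
        mtype, rest = parts[0].lstrip("-"), parts[1].strip()
        if rest.startswith("["):                 # [value=action ...] control field
            rest = rest.partition("]")[2]
        else:                                    # simple control keyword
            rest = " ".join(rest.split()[1:])
        fields = rest.split()
        if fields:
            rules.append((mtype, fields[0].rsplit("/", 1)[-1], fields[1:]))
    return rules

def audit(service, text, su_like=frozenset({"su"})):   # su_like: assumption
    """Return findings for one service file, following the page's guidance."""
    findings, rules = [], parse(text)
    session = [m for t, m, _ in rules if t == "session"]
    for mtype, module, args in rules:
        if module != MODULE:
            continue
        if mtype != "session":                   # only the session service exists
            findings.append("wrong-type:" + mtype)
        bad = [a for a in args if a not in KNOWN_OPTS]
        if bad:                                  # invalid args -> PAM_SESSION_ERR
            findings.append("unknown-option:" + ",".join(bad))
    if service in su_like:
        if MODULE in session:                    # keys should percolate through su
            findings.append("present-in-su")
    elif MODULE not in session:                  # login keeps the user default ring
        findings.append("missing")
    elif session.index(MODULE) > 0:              # earlier modules cannot attach tokens
        findings.append("runs-after:" + ",".join(session[:session.index(MODULE)]))
    return findings

# Constructed sample service files.
LOGIN_OK = "session required pam_keyinit.so revoke\nsession required pam_limits.so\n"
LOGIN_LATE = ("auth required pam_unix.so\nsession required pam_limits.so\n"
              "session [success=ok default=ignore] pam_keyinit.so force revok # typo\n")
SU_FORCE = "session optional pam_keyinit.so force\n"

if __name__ == "__main__":
    for name, conf in (("login", LOGIN_OK), ("login", LOGIN_LATE), ("su", SU_FORCE)):
        print(name, audit(name, conf))
```

A "runs-after" finding lists the session modules that execute before the new keyring exists; whether any of them needs to attach tokens is for the administrator to judge.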