[Pkg-shadow-devel] Bug#734671: enable pam_keyinit by default
Russ Allbery
rra at debian.org
Fri Jan 10 02:38:04 UTC 2014
Steve Langasek <vorlon at debian.org> writes:
> On Thu, Jan 09, 2014 at 06:20:55PM -0800, Russ Allbery wrote:
>> Regardless, thanks! I spent some time day before yesterday debugging this
>> with MIT Kerberos upstream, since the behavior of keyring caches without
>> an active session is really weird. Everything works but then the results
>> disappear.
> I had vaguely wondered why I hadn't seen any sign of pam_keyinit being used
> before now. :)
I think it's mostly because keyrings aren't widely used outside of AFS,
and AFS automatically creates a session keyring when you call setpag().
MIT Kerberos keyring caches are kind of a curiosity, and they have some
weird limitations due to the limit on keyring sizes in the kernel without
the new large keyring stuff. I think Red Hat uses them for some stuff,
but they're still not widespread. (And Heimdal doesn't support them at
all.)
But I do support them in some of my software and happen to have some test
cases, and discovered they started failing on a system where I wasn't
setting up PAGs for users....
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>