diff options
Diffstat (limited to '')
-rw-r--r-- | modules/pam_keyinit/README | 67 | ||||
-rw-r--r-- | modules/pam_keyinit/README.xml | 41 |
2 files changed, 108 insertions, 0 deletions
diff --git a/modules/pam_keyinit/README b/modules/pam_keyinit/README new file mode 100644 index 0000000..fa50370 --- /dev/null +++ b/modules/pam_keyinit/README @@ -0,0 +1,67 @@ +pam_keyinit — Kernel session keyring initialiser module + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +The pam_keyinit PAM module ensures that the invoking process has a session +keyring other than the user default session keyring. + +The module checks to see if the process's session keyring is the +user-session-keyring(7), and, if it is, creates a new session-keyring(7) with +which to replace it. If a new session keyring is created, it will install a +link to the user-keyring(7) in the session keyring so that keys common to the +user will be automatically accessible through it. The session keyring of the +invoking process will thenceforth be inherited by all its children unless they +override it. + +In order to allow other PAM modules to attach tokens to the keyring, this +module provides both an auth (limited to pam_setcred(3) and a session +component. The session keyring is created in the module called. Moreover this +module should be included as early as possible in a PAM configuration. + +This module is intended primarily for use by login processes. Be aware that +after the session keyring has been replaced, the old session keyring and the +keys it contains will no longer be accessible. + +This module should not, generally, be invoked by programs like su, since it is +usually desirable for the key set to percolate through to the alternate +context. The keys have their own permissions system to manage this. + +The keyutils package is used to manipulate keys more directly. This can be +obtained from: + +Keyutils + +OPTIONS + +debug + + Log debug information with syslog(3). + +force + + Causes the session keyring of the invoking process to be replaced + unconditionally. + +revoke + + Causes the session keyring of the invoking process to be revoked when the + invoking process exits if the session keyring was created for this process + in the first place. + +EXAMPLES + +Add this line to your login entries to start each login session with its own +session keyring: + +session required pam_keyinit.so + + +This will prevent keys from one session leaking into another session for the +same user. + +AUTHOR + +pam_keyinit was written by David Howells, <dhowells@redhat.com>. + diff --git a/modules/pam_keyinit/README.xml b/modules/pam_keyinit/README.xml new file mode 100644 index 0000000..47659e8 --- /dev/null +++ b/modules/pam_keyinit/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_keyinit.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_keyinit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_keyinit-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-author"]/*)'/> + </section> + +</article> |