summaryrefslogtreecommitdiffstats
path: root/modules/pam_keyinit/README
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--modules/pam_keyinit/README67
-rw-r--r--modules/pam_keyinit/README.xml41
2 files changed, 108 insertions, 0 deletions
diff --git a/modules/pam_keyinit/README b/modules/pam_keyinit/README
new file mode 100644
index 0000000..fa50370
--- /dev/null
+++ b/modules/pam_keyinit/README
@@ -0,0 +1,67 @@
+pam_keyinit — Kernel session keyring initialiser module
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+The pam_keyinit PAM module ensures that the invoking process has a session
+keyring other than the user default session keyring.
+
+The module checks to see if the process's session keyring is the
+user-session-keyring(7), and, if it is, creates a new session-keyring(7) with
+which to replace it. If a new session keyring is created, it will install a
+link to the user-keyring(7) in the session keyring so that keys common to the
+user will be automatically accessible through it. The session keyring of the
+invoking process will thenceforth be inherited by all its children unless they
+override it.
+
+In order to allow other PAM modules to attach tokens to the keyring, this
+module provides both an auth (limited to pam_setcred(3) and a session
+component. The session keyring is created in the module called. Moreover this
+module should be included as early as possible in a PAM configuration.
+
+This module is intended primarily for use by login processes. Be aware that
+after the session keyring has been replaced, the old session keyring and the
+keys it contains will no longer be accessible.
+
+This module should not, generally, be invoked by programs like su, since it is
+usually desirable for the key set to percolate through to the alternate
+context. The keys have their own permissions system to manage this.
+
+The keyutils package is used to manipulate keys more directly. This can be
+obtained from:
+
+Keyutils
+
+OPTIONS
+
+debug
+
+ Log debug information with syslog(3).
+
+force
+
+ Causes the session keyring of the invoking process to be replaced
+ unconditionally.
+
+revoke
+
+ Causes the session keyring of the invoking process to be revoked when the
+ invoking process exits if the session keyring was created for this process
+ in the first place.
+
+EXAMPLES
+
+Add this line to your login entries to start each login session with its own
+session keyring:
+
+session required pam_keyinit.so
+
+
+This will prevent keys from one session leaking into another session for the
+same user.
+
+AUTHOR
+
+pam_keyinit was written by David Howells, <dhowells@redhat.com>.
+
diff --git a/modules/pam_keyinit/README.xml b/modules/pam_keyinit/README.xml
new file mode 100644
index 0000000..47659e8
--- /dev/null
+++ b/modules/pam_keyinit/README.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_keyinit.8.xml">
+-->
+]>
+
+<article>
+
+ <articleinfo>
+
+ <title>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_keyinit.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_keyinit-name"]/*)'/>
+ </title>
+
+ </articleinfo>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-description"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-options"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-examples"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-author"]/*)'/>
+ </section>
+
+</article>