From 9ada0093e92388590c7368600ca4e9e3e376f0d0 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 7 Apr 2024 16:22:51 +0200
Subject: Adding upstream version 1.5.2.
Signed-off-by: Daniel Baumann
---
modules/pam_keyinit/pam_keyinit.8.xml | 250 ++++++++++++++++++++++++++++++++++
1 file changed, 250 insertions(+)
create mode 100644 modules/pam_keyinit/pam_keyinit.8.xml
(limited to 'modules/pam_keyinit/pam_keyinit.8.xml')
diff --git a/modules/pam_keyinit/pam_keyinit.8.xml b/modules/pam_keyinit/pam_keyinit.8.xml
new file mode 100644
index 0000000..ff1e7d0
--- /dev/null
+++ b/modules/pam_keyinit/pam_keyinit.8.xml
@@ -0,0 +1,250 @@ + + + + + + + pam_keyinit + 8 + Linux-PAM Manual + + + + pam_keyinit + Kernel session keyring initialiser module + + + + + pam_keyinit.so + + debug + + + force + + + revoke + + + + + + DESCRIPTION + + The pam_keyinit PAM module ensures that the invoking process has a + session keyring other than the user default session keyring. + + + The module checks to see if the process's session keyring is the + + user-session-keyring7 + , + and, if it is, creates a new + + session-keyring7 + + with which to replace it. If a new session keyring is created, it will + install a link to the + + user-keyring7 + + in the session keyring so that keys common to the user will be + automatically accessible through it. The session keyring of the invoking + process will thenceforth be inherited by all its children unless they override it. + + + In order to allow other PAM modules to attach tokens to the keyring, this module + provides both an auth (limited to + + pam_setcred3 + + and a session component. The session keyring is created + in the module called. Moreover this module should be included as early as + possible in a PAM configuration. + + + This module is intended primarily for use by login processes. Be aware + that after the session keyring has been replaced, the old session keyring + and the keys it contains will no longer be accessible. + + + This module should not, generally, be invoked by programs like + su, since it is usually desirable for the + key set to percolate through to the alternate context. The keys have + their own permissions system to manage this. + + + The keyutils package is used to manipulate keys more directly. This + can be obtained from: + + + + Keyutils + + + + + + OPTIONS + + + + + + + + Log debug information with + syslog3 + . + + + + + + + + + + + Causes the session keyring of the invoking process to be replaced + unconditionally. 
+ + + + + + + + + + + Causes the session keyring of the invoking process to be revoked + when the invoking process exits if the session keyring was created + for this process in the first place. + + + + + + + + + MODULE TYPES PROVIDED + + Only the module type is provided. + + + + + RETURN VALUES + + + PAM_SUCCESS + + + This module will usually return this value + + + + + + PAM_AUTH_ERR + + + Authentication failure. + + + + + + PAM_BUF_ERR + + + Memory buffer error. + + + + + + PAM_IGNORE + + + The return value should be ignored by PAM dispatch. + + + + + + PAM_SERVICE_ERR + + + Cannot determine the user name. + + + + + + PAM_SESSION_ERR + + + This module will return this value if its arguments are invalid or + if a system error such as ENOMEM occurs. + + + + + + PAM_USER_UNKNOWN + + + User not known. + + + + + + + + + EXAMPLES + + Add this line to your login entries to start each login session with its + own session keyring: + +session required pam_keyinit.so + + + + This will prevent keys from one session leaking into another session for + the same user. + + + + + SEE ALSO + + + pam.conf5 + , + + pam.d5 + , + + pam8 + , + + keyctl1 + + + + + + AUTHOR + + pam_keyinit was written by David Howells, <dhowells@redhat.com>. + + + + -- cgit v1.2.3