That was already requested some time ago [1], see also comments. Good move. [1] https://bugs.archlinux.org/task/54915
-------- Original Message -------- Subject: [arch-dev-public] systemd, kernel keyring and pam_keyinit Local Time: September 18, 2017 12:29 PM UTC Time: September 18, 2017 12:29 PM From: list@eworm.de To: arch-dev-public@archlinux.org
Hello everybody,
systemd v233 introduced code that makes use of the kernel keyring, initializing a private keyring for every service and adding a protected key named "invocation_id". This caused some trouble and we reverted it since then.
Things will change with systemd v235, which adds a new option "KeyringMode=" for units. The values are "inherit", "private" and "shared". The commit [0] message and changes give the details. Now cryptsetup units are generated with "KeyringMode=shared", which unbreaks this use case. Other services that use the kernel keyring and want to share secrets with other services have to add this as well.
However login sessions where user context is changed can not be handled by systemd. Looks like we have to update our PAM configurations and add a line for every service where session is expected to use the kernel keyring:
session optional pam_keyinit.so force revoke
This is required for eCryptfs to function properly. Any comments on this? Any concerns?
I would like to keep the upstream keyring behavior with release version 235. Would be nice to have this sorted before.
[0] https://github.com/systemd/systemd/commit/b1edf4456eabc5951d76b96bc7df2db3fe... -- main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}