[arch-dev-public] systemd, kernel keyring and pam_keyinit

Christian Hesse list at eworm.de
Mon Sep 18 12:29:16 UTC 2017


Hello everybody,

systemd v233 introduced code that makes use of the kernel keyring,
initializing a private keyring for every service and adding a protected key
named "invocation_id". This caused some trouble, and we have since reverted it.

Things will change with systemd v235, which adds a new option "KeyringMode="
for units. The values are "inherit", "private" and "shared". The commit [0]
message and changes give the details. Now cryptsetup units are generated with
"KeyringMode=shared", which unbreaks this use case.
Other services that use the kernel keyring and want to share secrets with
other services have to add this as well.

However, login sessions where the user context is changed cannot be handled by
systemd. It looks like we have to update our PAM configurations and add a line
for every service whose session is expected to use the kernel keyring:

session optional pam_keyinit.so force revoke

This is required for eCryptfs to function properly.
Any comments on this? Any concerns?

I would like to keep the upstream keyring behavior with release version 235.
It would be nice to have this sorted out before then.

[0]
https://github.com/systemd/systemd/commit/b1edf4456eabc5951d76b96bc7df2db3feebe669
-- 
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}
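As an added illustration (this is not part of Christian's mail, nor Arch's or systemd's own configuration), the following POSIX shell script writes the two configuration pieces discussed above into a scratch directory and then audits them: a unit drop-in carrying KeyringMode=shared, and a PAM stack carrying the pam_keyinit session line. The unit and PAM service names (foo.service, bar.service, foo-login, bar-login) are hypothetical and exist only inside the scratch directory.

```shell
#!/bin/sh
# Added example, not from the mail: write the two configuration pieces the
# post describes into a scratch directory and audit them. Unit and PAM
# service names (foo, bar) are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/system/foo.service.d" "$WORK/pam.d"

# A drop-in for a hypothetical foo.service that must see keys added by other
# units (the cryptsetup case from the mail) gets KeyringMode=shared.
cat > "$WORK/system/foo.service.d/keyring.conf" <<'EOF'
[Service]
KeyringMode=shared
EOF

# A second hypothetical unit that does not set the option at all.
cat > "$WORK/system/bar.service" <<'EOF'
[Service]
ExecStart=/bin/true
EOF

# PAM stack for a hypothetical login service carrying the pam_keyinit line
# from the mail, and one that lacks it.
cat > "$WORK/pam.d/foo-login" <<'EOF'
auth     required pam_unix.so
account  required pam_unix.so
session  optional pam_keyinit.so force revoke
session  required pam_unix.so
EOF
cat > "$WORK/pam.d/bar-login" <<'EOF'
auth     required pam_unix.so
account  required pam_unix.so
session  required pam_unix.so
EOF

# keyring_mode UNITFILE: print the last KeyringMode= value found in the unit
# file and its .d/*.conf drop-ins (the last assignment wins, as systemd merges
# drop-ins after the main file), or "unset" if nothing sets it.
keyring_mode() {
  mode=$({ cat "$1" "$1.d"/*.conf 2>/dev/null || true; } \
         | sed -n 's/^[[:space:]]*KeyringMode=[[:space:]]*//p' | tail -n 1)
  printf '%s\n' "${mode:-unset}"
}

# pam_has_keyinit PAMFILE: succeed if an uncommented session line loads
# pam_keyinit.so.
pam_has_keyinit() {
  grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_keyinit\.so' "$1"
}

# pam_missing_keyinit PAMDIR: list the PAM service files in PAMDIR that have
# no pam_keyinit session line.
pam_missing_keyinit() {
  for f in "$1"/*; do
    pam_has_keyinit "$f" || printf '%s\n' "${f##*/}"
  done
}

for u in foo.service bar.service; do
  printf '%-12s KeyringMode=%s\n' "$u" "$(keyring_mode "$WORK/system/$u")"
done
printf 'PAM services without pam_keyinit: %s\n' "$(pam_missing_keyinit "$WORK/pam.d")"
```

On a real system the same two checks would be pointed at /etc/systemd/system (plus /usr/lib/systemd/system) and /etc/pam.d; a service of the system manager that leaves KeyringMode= unset gets the "private" default described in systemd.exec(5), which is exactly the case the mail says breaks sharing secrets between units. After logging in through a PAM service, `keyctl show` from keyutils shows whether the session keyring pam_keyinit created is actually in place.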