[arch-general] [arch-dev-public] systemd, kernel keyring and pam_keyinit

Jordan Glover Golden_Miller83 at protonmail.ch
Mon Sep 18 17:54:47 UTC 2017


That was already requested some time ago [1], see also comments. Good move.
[1] https://bugs.archlinux.org/task/54915

> -------- Original Message --------
> Subject: [arch-dev-public] systemd, kernel keyring and pam_keyinit
> Local Time: September 18, 2017 12:29 PM
> UTC Time: September 18, 2017 12:29 PM
> From: list at eworm.de
> To: arch-dev-public at archlinux.org
>
> Hello everybody,
>
> systemd v233 introduced code that makes use of the kernel keyring,
> initializing a private keyring for every service and adding a protected key
> named "invocation_id". This caused some trouble and we reverted it since then.
>
> Things will change with systemd v235, which adds a new option "KeyringMode="
> for units. The values are "inherit", "private" and "shared". The commit [0]
> message and changes give the details. Now cryptsetup units are generated with
> "KeyringMode=shared", which unbreaks this use case.
> Other services that use the kernel keyring and want to share secrets with
> other services have to add this as well.
>
> However login sessions where user context is changed can not be handled by
> systemd. Looks like we have to update our PAM configurations and add a line
> for every service where session is expected to use the kernel keyring:
>
> session optional pam_keyinit.so force revoke
>
> This is required for eCryptfs to function properly.
> Any comments on this? Any concerns?
>
> I would like to keep the upstream keyring behavior with release version 235.
> Would be nice to have this sorted before.
>
> [0]
> https://github.com/systemd/systemd/commit/b1edf4456eabc5951d76b96bc7df2db3feebe669
> --
> main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
> "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
> putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}


More information about the arch-general mailing list