PAM_KEYINIT(8)

pam_keyinit - Kernel session keyring initialiser module

pam_keyinit.so [debug] [force] [revoke]

The pam_keyinit PAM module ensures that the invoking process has a
session keyring other than the user default session keyring.

The session component of the module checks to see if the process's
session keyring is the user default, and, if it is, creates a new
anonymous session keyring with which to replace it.

If a new session keyring is created, it will install a link to the user
common keyring in the session keyring so that keys common to the user
will be automatically accessible through it.

The session keyring of the invoking process will thenceforth be
inherited by all its children unless they override it.

This module is intended primarily for use by login processes. Be aware
that after the session keyring has been replaced, the old session
keyring and the keys it contains will no longer be accessible.

This module should not, generally, be invoked by programs like su,
since it is usually desirable for the key set to percolate through to
the alternate context. The keys have their own permissions system to
manage this.

This module should be included as early as possible in a PAM
configuration, so that other PAM modules can attach tokens to the keyring.

The keyutils package is used to manipulate keys more directly. This is
included in Fedora Extras 5+ and Red Hat Enterprise Linux 4 U2+ and
can also be obtained from:

Keyutils: http://people.redhat.com/~dhowells/keyutils/

debug
    Log debug information with syslog(3).

force
    Causes the session keyring of the invoking process to be
    replaced unconditionally.

revoke
    Causes the session keyring of the invoking process to be revoked
    when the invoking process exits if the session keyring was
    created for this process in the first place.

Only the session service is supported.

PAM_SUCCESS
    This module will usually return this value.

PAM_AUTH_ERR
    Authentication failure.

PAM_BUF_ERR
    Memory buffer error.

PAM_IGNORE
    The return value should be ignored by PAM dispatch.

PAM_SERVICE_ERR
    Cannot determine the user name.

PAM_SESSION_ERR
    This module will return this value if its arguments are invalid
    or if a system error such as ENOMEM occurs.

PAM_USER_UNKNOWN
    User not known.

Add this line to your login entries to start each login session with
its own session keyring:

    session required pam_keyinit.so

This will prevent keys from one session leaking into another session
for the same user.

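An added example, not part of the original manual page or of pam_keyinit itself: a small auditor that checks one PAM service file against the guidance above (session type only, documented options only, placed early in the session stack, present for login services, reviewed when used by su). The service name lists and the sample files are assumptions constructed for illustration, and the parser does not follow include or substack entries.

```python
import os
import re

KNOWN_OPTIONS = {"debug", "force", "revoke"}  # the options this page documents
# Fields: type, control (plain word or [bracketed]), module, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample service files (not taken from any real system)
SAMPLE_LOGIN = """\
auth       required   pam_unix.so
session    required   pam_loginuid.so
session    optional   pam_keyinit.so force revok
session    include    system-auth
"""
SAMPLE_SU = """\
auth       sufficient pam_rootok.so
session    required   pam_keyinit.so
"""

def audit_keyinit(service, text, login_like=("login", "sshd"), su_like=("su",)):
    """Audit one PAM service file's text; return a list of (code, line, detail)."""
    findings, earlier, seen = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        mtype, _control, module, args = m.groups()
        name = os.path.basename(module)
        if name != "pam_keyinit.so":
            if mtype == "session" and not seen:
                earlier.append(name)  # session entries that run before pam_keyinit
            continue
        if mtype != "session":  # only the session service is supported
            findings.append(("wrong-type", lineno, mtype))
            continue
        if earlier and not seen:  # should be as early as possible
            findings.append(("not-first", lineno, ",".join(earlier)))
        seen = True
        for opt in args.split():
            if opt not in KNOWN_OPTIONS:  # invalid arguments give PAM_SESSION_ERR
                findings.append(("unknown-option", lineno, opt))
        if service in su_like:  # generally not wanted for programs like su
            findings.append(("su-context", lineno, service))
    if service in login_like and not seen:
        findings.append(("missing", 0, service))
    return findings

if __name__ == "__main__":
    for svc, text in (("login", SAMPLE_LOGIN), ("su", SAMPLE_SU)):
        print(svc, audit_keyinit(svc, text))
```

The "not-first" and "su-context" findings are review prompts rather than errors, since the page words both points as general guidance.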

pam.conf(5), pam.d(8), pam(8), keyctl(1)

pam_keyinit was written by David Howells, <dhowells@redhat.com>.