That was already requested some time ago [1], see also comments. Good move. [1] https://bugs.archlinux.org/task/54915 > -------- Original Message -------- > Subject: [arch-dev-public] systemd, kernel keyring and pam_keyinit > Local Time: September 18, 2017 12:29 PM > UTC Time: September 18, 2017 12:29 PM > From: list@xxxxxxxx > To: arch-dev-public@xxxxxxxxxxxxx > > Hello everybody, > > systemd v233 introduced code that makes use of the kernel keyring, > initializing a private keyring for every service and adding a protected key > named "invocation_id". This caused some trouble and we reverted it since then. > > Things will change with systemd v235, which adds a new option "KeyringMode=" > for units. The values are "inherit", "private" and "shared". The commit [0] > message and changes give the details. Now cryptsetup units are generated with > "KeyringMode=shared", which unbreaks this use case. > Other services that use the kernel keyring and want to share secrets with > other services have to add this as well. > > However login sessions where user context is changed can not be handled by > systemd. Looks like we have to update our PAM configurations and add a line > for every service where session is expected to use the kernel keyring: > > session optional pam_keyinit.so force revoke > > This is required for eCryptfs to function properly. > Any comments on this? Any concerns? > > I would like to keep the upstream keyring behavior with release version 235. > Would be nice to have this sorted before. > > [0] > https://github.com/systemd/systemd/commit/b1edf4456eabc5951d76b96bc7df2db3feebe669 > -- > main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" > "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) > putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
