Add call to pam_keyinit for login pam service

This module is linux-any only, so copy what openssh has already done and
remove the call at build time for other architectures.

The call to this module is needed to get a proper per-session kernel
keyring.

Closes: #734671
Balint Reczey
2017-01-18 18:46:30 +01:00
parent 3b66774757
commit 70c472f91d
2 changed files with 9 additions and 0 deletions

3
debian/login.pam vendored

@@ -105,6 +105,9 @@ session optional pam_motd.so
# See comments in /etc/login.defs
session optional pam_mail.so standard
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x account and session
@include common-account
@include common-session
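Review bot: The new comment `# Create a new session keyring.` says what the line does but not why, nor what `force` and `revoke` mean, and the line is also a literal match target for the `sed` in `debian/rules`. I would expand it along the lines of `# Give the login session its own kernel keyring instead of an inherited one: "force" replaces any existing session keyring, "revoke" revokes it when the session ends. debian/rules matches this line literally.` Because the control flag is `optional`, a pam_keyinit failure does not fail the login and the session would carry on without a fresh keyring; that trade-off is worth stating in the comment as well. The session stack continues outside the hunk.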

6
debian/rules vendored

@@ -45,6 +45,9 @@ binary-install/login::
ifeq ($(DEB_HOST_ARCH_OS),hurd)
# /bin/login is provided by the hurd package.
rm -f debian/login/bin/login
endif
ifneq ($(DEB_HOST_ARCH_OS),linux)
sed -i 's/session optional pam_keyinit.so/# Linux only # session optional pam_keyinit.so/' debian/login.pam
endif
dh_installpam -p login
dh_installpam -p login --name=su
@@ -90,3 +93,6 @@ binary-predeb/passwd::
chgrp shadow debian/passwd/usr/bin/expiry
chmod g+s debian/passwd/usr/bin/chage
chmod g+s debian/passwd/usr/bin/expiry
clean::
sed -i 's/# Linux only # //' debian/login.pam
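Review bot: The `sed -i` added under `binary-install/login::` rewrites the tracked file `debian/login.pam` in place, and neither it nor the revert under `clean::` is idempotent. On a non-Linux host a second `binary-install` run without an intervening `clean` matches the already-commented line again and prefixes it twice, while the `clean::` expression strips only one prefix, so the tree can be left with `pam_keyinit` commented out and a later Linux build from it could ship `login` without the session keyring, with no error. Anchoring both expressions avoids this: `sed -i 's/^session optional pam_keyinit\.so/# Linux only # &/' debian/login.pam` and, in `clean::`, `sed -i 's/^\(# Linux only # \)*//' debian/login.pam`. This page collapses whitespace, so the spacing inside the pattern has to be checked against the real column layout of `debian/login.pam`; if it differs the substitution matches nothing and sed still exits 0. Both recipes begin or continue outside the hunks shown.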