From 70c472f91db89add2e26e23de261b19d62b27440 Mon Sep 17 00:00:00 2001
From: Balint Reczey
Date: Wed, 18 Jan 2017 18:46:30 +0100
Subject: [PATCH] Add call to pam_keyinit for login pam service
This module is linux-any only, so copy what openssh has already done and remove the call at build time for other architectures. The call to this module is needed to have proper per-session kernel keyring.
Closes: #734671
---
 debian/login.pam | 3 +++
 debian/rules | 6 ++++++
 2 files changed, 9 insertions(+)
diff --git a/debian/login.pam b/debian/login.pam
index dccad1f2..e4a4af26 100644
--- a/debian/login.pam
+++ b/debian/login.pam
@@ -105,6 +105,9 @@ session optional pam_motd.so
 # See comments in /etc/login.defs
 session optional pam_mail.so standard
+# Create a new session keyring.
+session optional pam_keyinit.so force revoke
+
 # Standard Un*x account and session
 @include common-account
 @include common-session
diff --git a/debian/rules b/debian/rules
index 59f37d50..3a979378 100755
--- a/debian/rules
+++ b/debian/rules
@@ -45,6 +45,9 @@ binary-install/login::
 ifeq ($(DEB_HOST_ARCH_OS),hurd)
 # /bin/login is provided by the hurd package.
 rm -f debian/login/bin/login
+endif
+ifneq ($(DEB_HOST_ARCH_OS),linux)
+ sed -i 's/session optional pam_keyinit.so/# Linux only # session optional pam_keyinit.so/' debian/login.pam
 endif
 dh_installpam -p login
 dh_installpam -p login --name=su
@@ -90,3 +93,6 @@ binary-predeb/passwd::
 chgrp shadow debian/passwd/usr/bin/expiry
 chmod g+s debian/passwd/usr/bin/chage
 chmod g+s debian/passwd/usr/bin/expiry
+
+clean::
+ sed -i 's/# Linux only # //' debian/login.pam
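Review bot: The comment above the added `pam_keyinit.so` line in debian/login.pam does not explain the `force revoke` options, nor that the `optional` control lets login continue when no new keyring can be created. I would expand it to `# Create a new session keyring (force: replace any keyring inherited from the caller; revoke: revoke it when the session ends).` and add a line saying that a failure here is ignored, in which case the session presumably keeps the inherited keyring. The pam_keyinit documentation recommends calling the module as early as possible so that later modules can attach keys to the keyring. The line does sit ahead of `@include common-session`, but the earlier session entries are outside this hunk, so it is worth confirming that nothing before it depends on the keyring.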
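Review bot: The `sed` expression in the `ifneq ($(DEB_HOST_ARCH_OS),linux)` branch is unanchored and edits the tracked debian/login.pam in place, so re-running binary-install/login on a non-Linux build without an intervening clean would match inside the already commented line and prefix it a second time, while the `clean::` hunk at the end of debian/rules removes only one `# Linux only # ` per line. Anchoring the pattern makes it idempotent: `sed -i 's/^session optional pam_keyinit.so/# Linux only # &/' debian/login.pam` (keep the file's real column spacing, since whitespace is collapsed on this page). The substitution is also a silent no-op if the pattern ever stops matching the line in login.pam, which would ship a non-Linux PAM configuration that still references the module; a `grep -q '^# Linux only # ' debian/login.pam` after the `sed` would turn that into a build failure. The binary-install/login:: recipe starts and continues outside this hunk.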