Hello,
I'm now analysing the working of PAM. PAM works with config files that you can find under the directory /etc/pam.d. One of those config files is the file login.conf.

------------------------------------------------------------------------------------------------------

    # login.conf
    #%PAM-1.0
    auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    session    optional     pam_console.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open
    session    required     pam_namespace.so
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    optional     pam_ck_connector.so

---------------------------------------------------------------------------------------------------------

This config file makes use of the module keyinit. I searched on the net for information about this module. This is what I found:

---------------------------------------------------------------------------------------------------------

6.13. pam_keyinit - display the keyinit file

    pam_keyinit.so [ debug ] [ force ] [ revoke ]

6.13.1. DESCRIPTION

The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring.

The session component of the module checks to see if the process's session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it.

If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it.

The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it.

This module is intended primarily for use by login processes. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible.

This module should not, generally, be invoked by programs like su, since it is usually desirable for the key set to percolate through to the alternate context. The keys have their own permissions system to manage this.

This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring.

The keyutils package is used to manipulate keys more directly. This can be obtained from: Keyutils

6.13.2. OPTIONS

    debug    Log debug information with syslog(3).
    force    Causes the session keyring of the invoking process to be replaced unconditionally.
    revoke   Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place.

6.13.3. MODULE TYPES PROVIDED

Only the session module type is provided.

6.13.4. RETURN VALUES

    PAM_SUCCESS       This module will usually return this value
    PAM_AUTH_ERR      Authentication failure.
    PAM_BUF_ERR       Memory buffer error.
    PAM_IGNORE        The return value should be ignored by PAM dispatch.
    PAM_SERVICE_ERR   Cannot determine the user name.
    PAM_SESSION_ERR   This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs.
    PAM_USER_UNKNOWN  User not known.

6.13.5. EXAMPLES

Add this line to your login entries to start each login session with its own session keyring:

    session required pam_keyinit.so

This will prevent keys from one session leaking into another session for the same user.

--------------------------------------------------------------------------------------------------------

But because I don't know what a keyring is (?? database with passwords??), this information is not sufficient to understand the working of the module key_init.

I hope that somebody can give me more information about this module. Kind regards!
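An added example, not part of the original post and not Linux-PAM code: a small Python parser that reads the login service file quoted above and reports where pam_keyinit.so sits in the session stack and whether `force` and `revoke` are set, since the quoted documentation says the module should run as early as possible. The names `parse_pam` and `keyinit_report`, the regular expression, and the simplified comment handling are assumptions of this example.

```python
import re

# The login service file quoted in the post (its comment lines omitted).
LOGIN_CONF = """\
#%PAM-1.0
auth     [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth     include  system-auth
account  required pam_nologin.so
account  include  system-auth
password include  system-auth
session  required pam_selinux.so close
session  required pam_loginuid.so
session  optional pam_console.so
session  required pam_selinux.so open
session  required pam_namespace.so
session  optional pam_keyinit.so force revoke
session  include  system-auth
session  optional pam_ck_connector.so
"""

# type, control (simple keyword or bracketed [value=action ...]), module, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Parse pam.d service-file text into (type, control, module, args) rules."""
    rules = []
    for raw in text.splitlines():
        # Simplification (assumption): everything after '#' is a comment.
        match = RULE.match(raw.split("#", 1)[0].strip())
        if match:
            mtype, control, module, args = match.groups()
            rules.append((mtype, control, module, args.split()))
    return rules


def keyinit_report(text):
    """Describe where pam_keyinit.so sits in the session stack, and its options."""
    session = [rule for rule in parse_pam(text) if rule[0] == "session"]
    for pos, (_, control, module, args) in enumerate(session):
        if module.endswith("pam_keyinit.so"):
            return {"control": control, "force": "force" in args,
                    "revoke": "revoke" in args,
                    "runs_before_it": [m for _, _, m, _ in session[:pos]]}
    return None


if __name__ == "__main__":
    print(keyinit_report(LOGIN_CONF))
```

For the file in the post, the report shows five session rules running before pam_keyinit.so; rules pulled in through `include system-auth` are not expanded by this sketch.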