PAM -- module key_init.so


#1, 09-27-2009

Hello,

I'm now analysing the working of PAM.
PAM works with config files, which you can find under the directory /etc/pam.d.
One of those config files is the file login.conf.

------------------------------------------------------------------------------------------------------
# login.conf
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session optional pam_ck_connector.so
---------------------------------------------------------------------------------------------------------

This config file makes use of the module keyinit.
I searched on the net for information about this module.

This is what I found:
---------------------------------------------------------------------------------------------------------
6.13. pam_keyinit - display the keyinit file

pam_keyinit.so [ debug ] [ force ] [ revoke ]

6.13.1. DESCRIPTION

The pam_keyinit PAM module ensures that the invoking process has a session
keyring other than the user default session keyring.

The session component of the module checks to see if the process's session
keyring is the user default, and, if it is, creates a new anonymous session
keyring with which to replace it.

If a new session keyring is created, it will install a link to the user common
keyring in the session keyring so that keys common to the user will be
automatically accessible through it.

The session keyring of the invoking process will thenceforth be inherited by
all its children unless they override it.

This module is intended primarily for use by login processes. Be aware that
after the session keyring has been replaced, the old session keyring and the
keys it contains will no longer be accessible.

This module should not, generally, be invoked by programs like su, since it is
usually desirable for the key set to percolate through to the alternate
context. The keys have their own permissions system to manage this.

This module should be included as early as possible in a PAM configuration, so
that other PAM modules can attach tokens to the keyring.

The keyutils package is used to manipulate keys more directly. This can be
obtained from:

Keyutils

6.13.2. OPTIONS

debug

Log debug information with syslog(3).

force

Causes the session keyring of the invoking process to be replaced
unconditionally.

revoke

Causes the session keyring of the invoking process to be revoked when the
invoking process exits if the session keyring was created for this process
in the first place.

6.13.3. MODULE TYPES PROVIDED

Only the session module type is provided.

6.13.4. RETURN VALUES

PAM_SUCCESS

This module will usually return this value.

PAM_AUTH_ERR

Authentication failure.

PAM_BUF_ERR

Memory buffer error.

PAM_IGNORE

The return value should be ignored by PAM dispatch.

PAM_SERVICE_ERR

Cannot determine the user name.

PAM_SESSION_ERR

This module will return this value if its arguments are invalid or if a
system error such as ENOMEM occurs.

PAM_USER_UNKNOWN

User not known.

6.13.5. EXAMPLES

Add this line to your login entries to start each login session with its own
session keyring:

session required pam_keyinit.so


This will prevent keys from one session leaking into another session for the
same user.

--------------------------------------------------------------------------------------------------------

But because I don't know what a keyring is (a database with passwords??), this information is not sufficient for me to understand the working of the module key_init.

I hope that somebody can give me more information about this module.

Kind regards!
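To make the quoted description concrete, here is an added illustration that is not code from pam_keyinit, the Linux kernel, or the original post. Real keyrings live in the kernel and are manipulated with keyctl(2)/add_key(2) (the keyutils package named in the manual text); this Python model only reproduces the decision rules the description gives, so that the effect of the module and of the "force" and "revoke" options used in login.conf can be traced with plain objects. The keyring names, the users, and the sample keys are constructed for the example.

```python
"""Model of the session-keyring rules described for pam_keyinit.

Added illustration, not code from pam_keyinit or the Linux kernel. Real
keyrings live in the kernel and are manipulated with keyctl(2) / add_key(2)
(the keyutils package named in the thread); this file only reproduces the
decision rules the man page text describes, so the effect of the module and
of its 'force' and 'revoke' options can be traced with plain Python objects.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Keyring:
    """A keyring holds keys (description -> payload) and links to other keyrings."""
    name: str
    keys: dict = field(default_factory=dict)
    links: list = field(default_factory=list)  # keyrings linked into this one
    revoked: bool = False

    def search(self, description: str, _seen=None) -> Optional[bytes]:
        """Look for a key in this keyring and, recursively, in linked keyrings.
        A revoked keyring yields nothing, which is what makes 'revoke' matter."""
        _seen = _seen if _seen is not None else set()
        if self.revoked or id(self) in _seen:
            return None
        _seen.add(id(self))
        if description in self.keys:
            return self.keys[description]
        for ring in self.links:
            found = ring.search(description, _seen)
            if found is not None:
                return found
        return None


@dataclass
class User:
    """Per-UID keyrings the kernel keeps: the user keyring (keys common to the
    user) and the user default session keyring a process gets when it has
    no session keyring of its own."""
    uid: int
    user_keyring: Keyring
    user_session_keyring: Keyring


@dataclass
class Process:
    pid: int
    user: User
    session_keyring: Keyring
    keyinit_created: bool = False  # did pam_keyinit install this keyring?
    keyinit_revoke: bool = False   # was the 'revoke' option given?


def pam_keyinit_session(proc: Process, force: bool = False, revoke: bool = False) -> bool:
    """The session component's rules: replace the session keyring if it is the
    user default (or unconditionally with 'force'), link the user keyring into
    the new one, and remember whether to revoke it at exit. Returns True when
    a new keyring was installed."""
    is_default = proc.session_keyring is proc.user.user_session_keyring
    if not (is_default or force):
        return False  # process already has its own session keyring; leave it
    new_ring = Keyring(name=f"_ses.{proc.pid}")  # new anonymous session keyring
    new_ring.links.append(proc.user.user_keyring)  # keys common to the user stay reachable
    proc.session_keyring = new_ring
    proc.keyinit_created = True
    proc.keyinit_revoke = revoke
    return True


def fork(parent: Process, pid: int) -> Process:
    """Children inherit the parent's session keyring unless they override it."""
    return Process(pid=pid, user=parent.user, session_keyring=parent.session_keyring)


def process_exit(proc: Process) -> None:
    """With 'revoke', the keyring is revoked at exit only if the module made it."""
    if proc.keyinit_created and proc.keyinit_revoke:
        proc.session_keyring.revoked = True


def login_demo() -> dict:
    """Trace one login the way the thread's login.conf ('force revoke') runs it."""
    user = User(1000, Keyring("_uid.1000"), Keyring("_uid_ses.1000"))
    user.user_keyring.keys["user:shared"] = b"common to every session"  # constructed sample key
    user.user_session_keyring.keys["user:leftover"] = b"from an earlier login"  # constructed sample key
    login = Process(pid=100, user=user, session_keyring=user.user_session_keyring)
    result = {"before_leftover": login.session_keyring.search("user:leftover")}
    result["replaced"] = pam_keyinit_session(login, force=True, revoke=True)
    child = fork(login, pid=101)  # a command run inside the session inherits the keyring
    result["child_sees_leftover"] = child.session_keyring.search("user:leftover")
    result["child_sees_shared"] = child.session_keyring.search("user:shared")
    result["child_ring"] = child.session_keyring.name
    process_exit(login)  # the login process exits: the keyring it created is revoked
    result["after_exit_shared"] = child.session_keyring.search("user:shared")
    return result


if __name__ == "__main__":
    for k, v in login_demo().items():
        print(f"{k}: {v!r}")
```

The trace shows the two properties the manual text promises: after the module runs, keys that were sitting in the user default session keyring ("user:leftover") are no longer reachable from the new session, while keys in the user keyring ("user:shared") still are through the link; and with "revoke", a child that outlives the login process is left with a revoked keyring. On a real system the same picture can be inspected with keyctl from the keyutils package.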
