{ "content": [ { "type": "text", "text": "# pam_keyinit(8) (man)\n\n**Summary:** pamkeyinit - Kernel session keyring initialiser module\n\n**Synopsis:** pamkeyinit.so [debug] [force] [revoke]\n\n## Examples\n\n- `Add this line to your login entries to start each login session with its own session keyring:`\n- `session required pamkeyinit.so`\n- `This will prevent keys from one session leaking into another session for the same user.`\n\n## See Also\n\n- pam.conf(5)\n- pam.d(5)\n- pam(7)\n- keyctl(1)\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **SYNOPSIS** (2 lines)\n- **DESCRIPTION** (27 lines)\n- **OPTIONS** (1 lines) — 3 subsections\n - debug (2 lines)\n - force (2 lines)\n - revoke (3 lines)\n- **MODULE TYPES PROVIDED** (2 lines)\n- **RETURN VALUES** (22 lines)\n- **EXAMPLES** (7 lines)\n- **SEE ALSO** (2 lines)\n- **AUTHOR** (2 lines)\n- **NOTES** (6 lines)\n\n## Full Content\n\n### NAME\n\npamkeyinit - Kernel session keyring initialiser module\n\n### SYNOPSIS\n\npamkeyinit.so [debug] [force] [revoke]\n\n### DESCRIPTION\n\nThe pamkeyinit PAM module ensures that the invoking process has a session keyring other than\nthe user default session keyring.\n\nThe module checks to see if the process's session keyring is the user-session-keyring(7),\nand, if it is, creates a new session-keyring(7) with which to replace it. If a new session\nkeyring is created, it will install a link to the user-keyring(7) in the session keyring so\nthat keys common to the user will be automatically accessible through it. The session keyring\nof the invoking process will thenceforth be inherited by all its children unless they\noverride it.\n\nIn order to allow other PAM modules to attach tokens to the keyring, this module provides\nboth an auth (limited to pamsetcred(3) and a session component. The session keyring is\ncreated in the module called. Moreover this module should be included as early as possible in\na PAM configuration.\n\nThis module is intended primarily for use by login processes. Be aware that after the session\nkeyring has been replaced, the old session keyring and the keys it contains will no longer be\naccessible.\n\nThis module should not, generally, be invoked by programs like su, since it is usually\ndesirable for the key set to percolate through to the alternate context. The keys have their\nown permissions system to manage this.\n\nThe keyutils package is used to manipulate keys more directly. This can be obtained from:\n\nKeyutils[1]\n\n### OPTIONS\n\n#### debug\n\nLog debug information with syslog(3).\n\n#### force\n\nCauses the session keyring of the invoking process to be replaced unconditionally.\n\n#### revoke\n\nCauses the session keyring of the invoking process to be revoked when the invoking\nprocess exits if the session keyring was created for this process in the first place.\n\n### MODULE TYPES PROVIDED\n\nOnly the session module type is provided.\n\n### RETURN VALUES\n\nPAMSUCCESS\nThis module will usually return this value\n\nPAMAUTHERR\nAuthentication failure.\n\nPAMBUFERR\nMemory buffer error.\n\nPAMIGNORE\nThe return value should be ignored by PAM dispatch.\n\nPAMSERVICEERR\nCannot determine the user name.\n\nPAMSESSIONERR\nThis module will return this value if its arguments are invalid or if a system error such\nas ENOMEM occurs.\n\nPAMUSERUNKNOWN\nUser not known.\n\n### EXAMPLES\n\nAdd this line to your login entries to start each login session with its own session keyring:\n\nsession required pamkeyinit.so\n\n\nThis will prevent keys from one session leaking into another session for the same user.\n\n### SEE ALSO\n\npam.conf(5), pam.d(5), pam(7), keyctl(1)\n\n### AUTHOR\n\npamkeyinit was written by David Howells, .\n\n### NOTES\n\n1. Keyutils\nhttp://people.redhat.com/~dhowells/keyutils/\n\n\n\nLinux-PAM Manual 06/08/2020 PAMKEYINIT(8)\n\n" } ], "structuredContent": { "command": "pam_keyinit", "section": "8", "mode": "man", "summary": "pamkeyinit - Kernel session keyring initialiser module", "synopsis": "pamkeyinit.so [debug] [force] [revoke]", "flags": [], "examples": [ "Add this line to your login entries to start each login session with its own session keyring:", "session required pamkeyinit.so", "This will prevent keys from one session leaking into another session for the same user." ], "see_also": [ { "name": "pam.conf", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/pam.conf/5/json" }, { "name": "pam.d", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/pam.d/5/json" }, { "name": "pam", "section": "7", "url": "https://www.chedong.com/phpMan.php/man/pam/7/json" }, { "name": "keyctl", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/keyctl/1/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 2, "subsections": [] }, { "name": "DESCRIPTION", "lines": 27, "subsections": [] }, { "name": "OPTIONS", "lines": 1, "subsections": [ { "name": "debug", "lines": 2 }, { "name": "force", "lines": 2 }, { "name": "revoke", "lines": 3 } ] }, { "name": "MODULE TYPES PROVIDED", "lines": 2, "subsections": [] }, { "name": "RETURN VALUES", "lines": 22, "subsections": [] }, { "name": "EXAMPLES", "lines": 7, "subsections": [] }, { "name": "SEE ALSO", "lines": 2, "subsections": [] }, { "name": "AUTHOR", "lines": 2, "subsections": [] }, { "name": "NOTES", "lines": 6, "subsections": [] } ] } }