Kernel session keyring initialiser module


' 'u [debug] [force] [revoke]


The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring .

The session component of the module checks to see if the process (Aqs session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it .

If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it .

The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it .

This module is intended primarily for use by login processes . Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible .

This module should not, generally, be invoked by programs like su ,since it is usually desirable for the key set to percolate through to the alternate context . The keys have their own permissions system to manage this .

This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring .

The keyutils package is used to manipulate keys more directly . This can be obtained from:

Keyutils [1]


debug Log debug information with syslog (3).

force Causes the session keyring of the invoking process to be replaced unconditionally .

revoke Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place .


Only the session module type is provided .


PAM_SUCCESS This module will usually return this value

PAM_AUTH_ERR Authentication failure .

PAM_BUF_ERR Memory buffer error .

PAM_IGNORE The return value should be ignored by PAM dispatch .

PAM_SERVICE_ERR Cannot determine the user name .

PAM_SESSION_ERR This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs .

PAM_USER_UNKNOWN User not known .


Add this line to your login entries to start each login session with its own session keyring:

.RS 4
session required pam_keyinit .so

This will prevent keys from one session leaking into another session for the same user .


" 1." 4 Keyutils


pam.conf(5), pam.d(5), pam(8) keyctl(1)


pam_keyinit was written by David Howells, <dhowells@redhat .com> .

Copied to clipboard
free 100$ digital ocean credit