[RFE] "su": Provide a way to preserve keys with "--login" #678

Closed
kapilhp opened this issue Aug 9, 2018 · 2 comments

Comments

kapilhp commented Aug 9, 2018

The context of this report is an issue with crouton (where I appear to be having a conversation with myself!).

I looked at the manpage of "pam_keyinit" and it said:

This module should not, generally, be invoked by programs like su, since it is usually desirable for the key set to percolate through to the alternate context. The keys have their own permissions system to manage this.

Now the change that made "su --login" revoke keys via the PAM configuration file /etc/pam.d/su-l was in response to a bug report 198632 at RedHat's Bugzilla with the title "Make login processes initialise session keyring".

The author of the above quoted man page and this bug report is the same person! So presumably, something changed in the perception of how "su" should/could be used, or, the above remark was for bare "su" without the "--login".

In any case, just as in the "[RFE] su: Allow environment variable whitelisting for --login" #221, I would like to request an enhancement to "su" that allows keys to be retained with "--login".

Thanks,

Kapil.

Edit: For completeness, I should mention that I have requested that this behaviour of "su --login" be documented somewhere in Debian Bug Number 905710.

karelzak (Collaborator) commented Aug 9, 2018

Well, su(1) does not work with the keys directly. It's all about PAM configuration, and upstream does not provide or maintain these PAM config files. This is distribution-specific policy.

The su(1) (upstream code) differentiates between "su" and "su-l" sessions. That's all. All you need is to modify your PAM setting. There is no other way to inform PAM that you want to preserve your keys.

So, I don't see what action is expected from upstream in this case :-)
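To make the point concrete, here is an added example (not code from util-linux or from either participant) that shows a "su-l" PAM service file with the pam_keyinit "revoke" line, the same file with that line dropped so the caller's session keyring is kept, and a small POSIX shell check that reports which of the two policies a given PAM service text expresses. Both config snippets are constructed samples modelled on typical `/etc/pam.d/su-l` layouts; the exact contents on a real host are set by the distribution, so the script also reads the local file when one exists.

```shell
#!/bin/sh
# Added example: audit a PAM service file for the pam_keyinit "revoke" option
# that makes "su --login" discard the invoking session keyring.
# The two config samples below are constructed for illustration.

# Constructed sample: session keyring revoked on a login-style su
# (the behaviour described in the issue).
SU_L_REVOKE='#%PAM-1.0
auth       include      su
account    include      su
password   include      su
session    optional     pam_keyinit.so revoke force
session    include      su'

# Constructed sample: same file without the pam_keyinit line, so the keys
# percolate into the new session as pam_keyinit(8) recommends for su.
SU_L_KEEP='#%PAM-1.0
auth       include      su
account    include      su
password   include      su
session    include      su'

# keyinit_policy CONFIG_TEXT -> prints "revoke" if a non-comment "session"
# line loads pam_keyinit.so with the "revoke" option, else "preserve".
keyinit_policy() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        $1 == "session" && $3 ~ /pam_keyinit\.so$/ {
            for (i = 4; i <= NF; i++) if ($i == "revoke") found = 1
        }
        END { print (found ? "revoke" : "preserve") }'
}

# check_service_file PATH -> same verdict for a real file, "missing" if
# the file is absent or unreadable.
check_service_file() {
    [ -r "$1" ] || { echo "missing"; return 0; }
    keyinit_policy "$(cat "$1")"
}

# Stand-alone run: verdict for both samples and for this host's su-l file.
echo "sample su-l (revoke line present): $(keyinit_policy "$SU_L_REVOKE")"
echo "sample su-l (revoke line removed): $(keyinit_policy "$SU_L_KEEP")"
echo "this host, /etc/pam.d/su-l:        $(check_service_file /etc/pam.d/su-l)"
```

Running the script on a host prints "revoke" when its `su-l` service would discard the keyring on `su --login`, which is the quick way to confirm that the behaviour comes from the distribution's PAM file rather than from su(1) itself; removing or commenting the pam_keyinit line in that file is the local policy change karelzak describes.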

kapilhp (Author) commented Aug 9, 2018

Thanks for the reply.

Debian maintainer also clarified the provenance of the /etc/pam.d/su-l file.

So perhaps this report should be closed, unless you think keeping it open will help others who face the same problem!

@kapilhp kapilhp closed this as completed Aug 9, 2018