The pam_keyring(8) manpage advises against adding pam_keyinit

,----
| This module should not, generally, be invoked by programs like su,
| since it is usually desirable for the key set to percolate through to
| the alternate context. The keys have their own permissions system to
| manage this.
`----

However, there's no mention of the issue described here. For what it's worth, RHEL/CentOS 7 ships an /etc/pam.d/sudo which contains a line.

,----
| session optional pam_keyinit.so revoke
`----

and they also seem to have different intended behavior for interactive usage – there's a separate /etc/pam.d/sudo-i which contains

,----
| session optional pam_keyinit.so force revoke
`----

Cheers,
-Hilko