We want elogind --user to get its own keyring as usual, even if the
barebones PAM snippet we ship upstream is used. If we don't do this, we get the
basic keyring elogind --system sets up for us.
# Used by systemd --user instances.
account required pam_unix.so
# Used by systemd --user instances.
account required pam_unix.so
-session required pam_selinux.so close
-session required pam_selinux.so nottys open
+session required pam_selinux.so close
+session required pam_selinux.so nottys open
-session required pam_loginuid.so
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
session optional pam_elogind.so
session optional pam_elogind.so
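Review bot: the added "session optional pam_keyinit.so force revoke" line is marked optional, so if pam_keyinit.so is missing or fails, the session still opens and the --user instance silently stays on the keyring inherited from --system, which is exactly the state the commit message sets out to avoid. Please either add a comment above the line saying what "force revoke" is for and that this fallback is accepted, or explain in the commit message why optional is the right control flag here. Separately, the pam_selinux.so and pam_loginuid.so lines are removed and re-added with no visible textual change; if that is only whitespace realignment, say so in the commit message or split it out so the functional change is the single new line.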