gnome keyring and pam again

[pazz]

Hi!
I know there are quite some posts about this, and i feel like i read them all! Please give me some hint about the following problem:

my /etc/pam.d/gdm looks loke this:

[sdunne]

I'm having this problem too. I'm just trying to get SSO working with the one password logging my user in, unlocking that users keyring and unlocking his ssh cert.

Everything was fine using pam_keyring. Since Gnome 2.20 I've tweaked my /etc/pam.d files as per http://live.gnome.org/GnomeKeyring/Pam but had no joy in getting everything working again. Logon and ssh cert unlock still works, but both evolution and gnome-keyring-manager now ask for a password to unlock the default keyring when started

Time to go digging in bugzilla unless someone on here with a working setup can help.

e2a:
I found nothing obvious in bugzilla, either gentoo or gnome, so hopefully someone who has this working can help. Also any general pam debugging suggestions would be nice
_________________
Stephen Dunne

[gsra99]

I have managed to get pam & gnome keyring working by using the info on the gnome keyring webpage mentioned in this post plus using the info on the Remi Cardona page about gnome keyring and pam. Here is what my /etc/pam.d/system-auth file (note the changes I made from the default are highlighted in bold text):

#%PAM-1.0

auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so

account required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password optional pam_gnome_keyring.so
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so

session required pam_limits.so
session optional pam_gnome_keyring.so auto_start
session required pam_unix.so

Here is my /etc/pam.d/gdm file (again changes highlighted in bold text). Note the position of the statements are important if you want it to work:

#%PAM-1.0
auth optional pam_env.so
auth optional pam_gnome_keyring.so
auth include system-auth
auth required pam_nologin.so
session optional pam_gnome_keyring.so auto_start
account include system-auth
password include system-auth
session include system-auth

Here is my /etc/pam.d/passwd file (again changes highlighted in bold text):

#%PAM-1.0
password optional pam_gnome_keyring.so
auth include system-auth
account include system-auth
password include system-auth

Here is my /etc/pam.d/gnome-screensaver file (again changes highlighted in bold text). Don't know if this works however as I have not tested it:

#%PAM-1.0

# Fedora Core
auth optional pam_gnome_keyring.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth

# SuSE/Novell
#auth include common-auth
#account include common-account
#password include common-password
#session include common-session

[sdunne]

Nice one, I think I love you

I'll test locally based on your posted setup and report back.

Again, thanks
_________________
Stephen Dunne

[n3Cre0]

Wow thanks! That worked!

Man, you cannot believe how long I looked for a post with that kind of information...

/me wants a better search @forums.gentoo.org
_________________
OS: Linux 2.6.26 i686 Gentoo v2.0.0 Sound: HDA Intel
CPU: Intel(R) Pentium(R) M processor 1.73GHz (GenuineIntel)
Disk: 95.23GB Video: ATI Radeon Mobility X700 XL with Catalyst 8.08 RAM: 1011MB

[sdunne]

By jove Carruthers, I think he's cracked it Nice one gsra99!!

I haven't tested fully on my desktop, but configuring based on gsra99's config above allowed gnome-keyring-manager seamless access to the default keyring without having to re-enter its password. And pam_ssh still works into the bargain.

W00tage all round!
_________________
Stephen Dunne

[pazz]

thanks a lot gsra99 it worked out for me too.

But still: does anybody know how to do autologin without any passwdpromt?
thanks for your responses!
pazz

[sdunne]

And it works with evolution on my desktop too

Thanks, it's great to see user forums that work.
_________________
Stephen Dunne

[gsra99]

Pazz,
All I know is that you need to modify the /etc/pam.d/gdm-autologin script.

[wizard69]

THX a lot it works for me been trying to get this to work for ages.
_________________
Gentoo Blog

[sallyxi]

difficult issue

[remi2402]

Hi folks,

Why do you guys always keep this sort of info deeply tucked away in the forums! Come see us on IRC, file bugs, send us emails!

Honestly I'm no PAM expert, but I did get pam_keyring to work on several machines, and I wrote the small Howto based on those observations.

If you have issues, come talk to us We don't bite.

Thanks

[EvaSDK]

btw, don't use this infos with gnome 2.22, it won't work. There will be a migration guide promise.

[gsra99]

Is it possible to get a web link to the wiki page? I did search in the wiki for a howto, but found none.

[n3Cre0]

[wizard69]

emerge pambase and seahorse with use flag gnome-keyring run dispatch.conf and you should have the auto unlocking working again. You should be able to unmerge gnome-keyring after this because gnome 2.21 uses seahorse.
_________________
Gentoo Blog

[benny1967]

I heavily edited this post because I found a solution some hours later:


I never paid much attention to this keyring issue until after my last emerge world a few days ago Evolution suddenly started to ask for the keyring password. This was definitely too much.

So I was happy there seemed to be a simple solution and I followed the 2.22 Ugrade Guide... with no effect whatsoever.

After some additional cleanup, googling, ... I found a bug that somehow made me believe GDM needs to be re-built, too, with the gnome-keyring USE-flag. Looking at my GDM, I found it was not built with that and obviously survived all of emerge -uD world and revdep-rebuilds and emerge -N world ... this way.

Doing emerge -vND world told me there's even more packages that can be built with the gnome-keyring flag, but weren't. So I rebuilt them all and - voilà - it all worked.

So what's misleading in the upgrade guide is the statement that emerging sys-auth/pambase with gnome-keyring is enough. You'd better re-emerge everything that can have gnome-keyring, at least GDM.