pazz Apprentice
Joined: 01 Dec 2002 Posts: 283
|
Posted: Fri Jan 18, 2008 8:54 pm Post subject: gnome keyring and pam again |
|
|
Hi!
I know there are quite some posts about this, and i feel like i read them all! Please give me some hint about the following problem:
my /etc/pam.d/gdm looks like this:
Code: |
#%PAM-1.0
auth optional pam_env.so
auth required pam_nologin.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
#password optional pam_gnome_keyring.so
auth optional pam_gnome_keyring.so try_first_pass
session optional pam_gnome_keyring.so auto_start |
but i still get a popup asking me for the default keyring passwd.
if i put the auth ..pam_gnome_keyring.so line before the "auth include system-auth",
gdm prompts for a passwd twice and the keyring is unlocked.
my /etc/pam.d/system-auth looks like this:
Code: |
markI ~ # vim /etc/pam.d/system-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
auth sufficient pam_ssh.so |
I'd like to get only one passwd prompt and still unlock the keyring.
even better would be a possibility to use gdm's autologin feature and still unlock the keyring, like it could be done with the old "pam-keyring-tool"
by echoing a plaintext..
if there is absolutely no way to get around the dialog i'd simply quit using mail-notification for that's the only app i use that wants a keyring
and is not able to work without one :/
thanks a lot,
pazz |
sdunne n00b
Joined: 02 Sep 2003 Posts: 72 Location: London, UK
|
Posted: Thu Jan 31, 2008 7:54 pm Post subject: |
|
|
I'm having this problem too. I'm just trying to get SSO working with the one password logging my user in, unlocking that user's keyring and unlocking his ssh cert.
Everything was fine using pam_keyring. Since Gnome 2.20 I've tweaked my /etc/pam.d files as per http://live.gnome.org/GnomeKeyring/Pam but had no joy in getting everything working again. Logon and ssh cert unlock still works, but both evolution and gnome-keyring-manager now ask for a password to unlock the default keyring when started.
Time to go digging in bugzilla unless someone on here with a working setup can help.
e2a:
I found nothing obvious in bugzilla, either gentoo or gnome, so hopefully someone who has this working can help. Also any general pam debugging suggestions would be nice _________________ Stephen Dunne |
gsra99 Tux's lil' helper
Joined: 06 Jan 2008 Posts: 104
|
Posted: Tue Feb 05, 2008 9:52 pm Post subject: Possibly solved? |
|
|
I have managed to get pam & gnome keyring working by using the info on the gnome keyring webpage mentioned in this post plus using the info on the Remi Cardona page about gnome keyring and pam. Here is my /etc/pam.d/system-auth file (note the changes I made from the default are highlighted in bold text):
#%PAM-1.0
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password optional pam_gnome_keyring.so
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session optional pam_gnome_keyring.so auto_start
session required pam_unix.so
Here is my /etc/pam.d/gdm file (again changes highlighted in bold text). Note the position of the statements is important if you want it to work:
#%PAM-1.0
auth optional pam_env.so
auth optional pam_gnome_keyring.so
auth include system-auth
auth required pam_nologin.so
session optional pam_gnome_keyring.so auto_start
account include system-auth
password include system-auth
session include system-auth
Here is my /etc/pam.d/passwd file (again changes highlighted in bold text):
#%PAM-1.0
password optional pam_gnome_keyring.so
auth include system-auth
account include system-auth
password include system-auth
Here is my /etc/pam.d/gnome-screensaver file (again changes highlighted in bold text). Don't know if this works however as I have not tested it:
#%PAM-1.0
# Fedora Core
auth optional pam_gnome_keyring.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
# SuSE/Novell
#auth include common-auth
#account include common-account
#password include common-password
#session include common-session |
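Why statement position matters in the configurations posted above, as an added example (not code from any poster or from Linux-PAM): `include` splices the lines of system-auth into the gdm stack, and a successful `sufficient` module ends the whole stack, so anything listed after it never runs. The function names and the simplified model (every module succeeds, only plain control keywords, no bracket syntax or `substack`) are assumptions.

```python
# Added example: model of how Linux-PAM walks an auth stack on a successful login.
# Simplifications (assumptions): every module succeeds, only the simple control
# keywords are handled, and "include" splices the other file's lines in place.

def flatten(service, files, mtype="auth"):
    """Return [(control, module, args)] for one module type, expanding includes."""
    stack = []
    for line in files[service].splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] != mtype:
            continue
        if parts[1] == "include":
            stack += flatten(parts[2], files, mtype)
        else:
            stack.append((parts[1], parts[2], parts[3:]))
    return stack

def reached_on_success(service, files):
    """Modules that actually run; a successful 'sufficient' ends the whole stack."""
    ran = []
    for control, module, _args in flatten(service, files):
        ran.append(module)
        if control == "sufficient":
            break
    return ran

def keyring_runs(service, files):
    return "pam_gnome_keyring.so" in reached_on_success(service, files)

# auth lines copied from the posts above (first post = BEFORE, Feb 05 post = AFTER)
BEFORE = {
    "gdm": """auth optional pam_env.so
auth required pam_nologin.so
auth include system-auth
auth optional pam_gnome_keyring.so try_first_pass""",
    "system-auth": """auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
auth sufficient pam_ssh.so""",
}
AFTER = {
    "gdm": """auth optional pam_env.so
auth optional pam_gnome_keyring.so
auth include system-auth
auth required pam_nologin.so""",
    "system-auth": """auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so""",
}

if __name__ == "__main__":
    for name, files in (("before", BEFORE), ("after", AFTER)):
        print(name, reached_on_success("gdm", files))
```

Under this model the same walk shows that `pam_nologin.so`, placed after the include in the Feb 05 /etc/pam.d/gdm, is not reached once `pam_unix.so` succeeds, so an /etc/nologin lockout would not be checked at the auth step for gdm logins.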
sdunne n00b
Joined: 02 Sep 2003 Posts: 72 Location: London, UK
|
Posted: Wed Feb 06, 2008 10:40 am Post subject: |
|
|
Nice one, I think I love you
I'll test locally based on your posted setup and report back.
Again, thanks _________________ Stephen Dunne |
n3Cre0 Tux's lil' helper
Joined: 16 Jan 2007 Posts: 129
|
Posted: Fri Feb 08, 2008 11:07 am Post subject: |
|
|
Wow thanks! That worked!
Man, you cannot believe how long I looked for a post with that kind of information...
/me wants a better search @forums.gentoo.org _________________ OS: Linux 2.6.26 i686 Gentoo v2.0.0 Sound: HDA Intel
CPU: Intel(R) Pentium(R) M processor 1.73GHz (GenuineIntel)
Disk: 95.23GB Video: ATI Radeon Mobility X700 XL with Catalyst 8.08 RAM: 1011MB |
sdunne n00b
Joined: 02 Sep 2003 Posts: 72 Location: London, UK
|
Posted: Fri Feb 08, 2008 4:27 pm Post subject: |
|
|
By jove Carruthers, I think he's cracked it. Nice one gsra99!!
I haven't tested fully on my desktop, but configuring based on gsra99's config above allowed gnome-keyring-manager seamless access to the default keyring without having to re-enter its password. And pam_ssh still works into the bargain.
W00tage all round! _________________ Stephen Dunne |
pazz Apprentice
Joined: 01 Dec 2002 Posts: 283
|
Posted: Sun Feb 10, 2008 6:29 pm Post subject: |
|
|
thanks a lot gsra99 it worked out for me too.
But still: does anybody know how to do autologin without any passwd prompt?
thanks for your responses!
pazz |
sdunne n00b
Joined: 02 Sep 2003 Posts: 72 Location: London, UK
|
Posted: Mon Feb 11, 2008 8:50 pm Post subject: |
|
|
And it works with evolution on my desktop too
Thanks, it's great to see user forums that work. _________________ Stephen Dunne |
gsra99 Tux's lil' helper
Joined: 06 Jan 2008 Posts: 104
|
Posted: Wed Feb 13, 2008 8:41 pm Post subject: |
|
|
Pazz,
All I know is that you need to modify the /etc/pam.d/gdm-autologin script. |
wizard69 Apprentice
Joined: 22 Sep 2003 Posts: 178 Location: Berlin
|
Posted: Wed Feb 13, 2008 8:46 pm Post subject: |
|
|
THX a lot, it works for me. Been trying to get this to work for ages. _________________ Gentoo Blog |
sallyxi n00b
Joined: 14 Feb 2008 Posts: 1
|
Posted: Thu Feb 14, 2008 4:49 am Post subject: Re: gnome keyring and pam again |
|
|
difficult issue |
remi2402 Retired Dev
Joined: 28 Jun 2003 Posts: 111 Location: Paris, France
|
Posted: Wed Mar 26, 2008 1:32 pm Post subject: |
|
|
Hi folks,
Why do you guys always keep this sort of info deeply tucked away in the forums! Come see us on IRC, file bugs, send us emails!
Honestly I'm no PAM expert, but I did get pam_keyring to work on several machines, and I wrote the small Howto based on those observations.
If you have issues, come talk to us. We don't bite.
Thanks |
EvaSDK Retired Dev
Joined: 12 Jul 2003 Posts: 171 Location: France, Paris
|
Posted: Wed Mar 26, 2008 1:35 pm Post subject: |
|
|
btw, don't use this info with gnome 2.22, it won't work. There will be a migration guide, promise. |
gsra99 Tux's lil' helper
Joined: 06 Jan 2008 Posts: 104
|
Posted: Wed Mar 26, 2008 5:56 pm Post subject: |
|
|
Is it possible to get a web link to the wiki page? I did search in the wiki for a howto, but found none. |
n3Cre0 Tux's lil' helper
Joined: 16 Jan 2007 Posts: 129
|
Posted: Sat Apr 12, 2008 1:07 pm Post subject: |
|
|
EvaSDK wrote: | btw, don't use this info with gnome 2.22, it won't work. There will be a migration guide, promise. |
I was just going to ask here if someone got it to work with gnome-2.22.
I got it working once with version 2.22.0-r1, but the next day there was the 2.22.0-r2 version and from then on it stopped working.
Quote: | [I] gnome-base/gnome-keyring
Available versions: 0.8.1 2.20.3 (~)2.22.0-r2 (~)2.22.1 {debug doc hal pam test}
Installed versions: 2.22.1(22:26:19 04/08/0(hal pam -debug -doc -test)
Homepage: http://www.gnome.org/
Description: Password and keyring managing daemon
|
Could you post the migration guide here if it's finished?
Thanks!
EDIT: Is it this?
http://www.gentoo.org/proj/en/desktop/gnome/howtos/gnome-2.22-upgrade.xml
EDIT#2: Followed it, installed pambase (which was already installed btw): same thing _________________ OS: Linux 2.6.26 i686 Gentoo v2.0.0 Sound: HDA Intel
CPU: Intel(R) Pentium(R) M processor 1.73GHz (GenuineIntel)
Disk: 95.23GB Video: ATI Radeon Mobility X700 XL with Catalyst 8.08 RAM: 1011MB |
wizard69 Apprentice
Joined: 22 Sep 2003 Posts: 178 Location: Berlin
|
Posted: Fri May 09, 2008 11:25 am Post subject: |
|
|
emerge pambase and seahorse with use flag gnome-keyring, run dispatch-conf, and you should have the auto unlocking working again. You should be able to unmerge gnome-keyring after this because gnome 2.21 uses seahorse. _________________ Gentoo Blog |
benny1967 Apprentice
Joined: 25 Apr 2004 Posts: 224
|
Posted: Wed Sep 10, 2008 6:02 pm Post subject: |
|
|
I heavily edited this post because I found a solution some hours later:
I never paid much attention to this keyring issue until after my last emerge world a few days ago Evolution suddenly started to ask for the keyring password. This was definitely too much.
So I was happy there seemed to be a simple solution and I followed the 2.22 Upgrade Guide... with no effect whatsoever.
After some additional cleanup, googling, ... I found a bug that somehow made me believe GDM needs to be re-built, too, with the gnome-keyring USE-flag. Looking at my GDM, I found it was not built with that and obviously survived all of emerge -uD world and revdep-rebuilds and emerge -N world ... this way.
Doing emerge -vND world told me there's even more packages that can be built with the gnome-keyring flag, but weren't. So I rebuilt them all and - voilà - it all worked.
So what's misleading in the upgrade guide is the statement that emerging sys-auth/pambase with gnome-keyring is enough. You'd better re-emerge everything that can have gnome-keyring, at least GDM. |