Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1752 Location: PB, Germany
Posted: Wed Oct 10, 2018 7:21 am Post subject: gnome-keyring not getting password from pam
Hi,
I have emerged gnome-base/gnome-keyring-3.28.2 with USE="pam", but I'm still asked for the gnome-keyring password. I have set the same password for the keyring and for the user. Is that required anyway or is the keyring password just encrypted by the user-password? However it doesn't work. What steps are necessary?
Moreover I would like to reduce the count of passwords without losing too much security. Having a LUKS password on boot and full encryption, I would prefer the password-less login to the Window Manager. But then it would not be possible to pass the password to the keyring anymore, is it? Having a completely unencrypted keyring, would that be a big security issue? I mean the shut down system is safe based on the encryption. But for the running system, the unencrypted keyring files would be accessible by each process, is that true?
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1752 Location: PB, Germany
Posted: Mon Dec 17, 2018 8:17 am
What is the right pam.d setting for the keyring? Currently I found this:
Code: | # grep keyring /etc/pam.d/*
/etc/pam.d/passwd:-password optional pam_gnome_keyring.so use_authtok |
However Ubuntu [1] mentions a different pam.d configuration for /etc/pam.d/gdm or /etc/pam.d/lightdm:
Code: | auth optional pam_gnome_keyring.so
session optional pam_gnome_keyring.so auto_start |
[1] https://wiki.ubuntuusers.de/GNOME_Schl%C3%BCsselbund/#Keyring-Daemon-deaktivieren
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1752 Location: PB, Germany
Posted: Mon Dec 17, 2018 8:46 am
I have adapted the configuration like this now, and it seems to work, at least after a logout and new login:
Code: | # grep keyring /etc/pam.d/*
/etc/pam.d/lightdm:auth optional pam_gnome_keyring.so
/etc/pam.d/lightdm:session optional pam_gnome_keyring.so auto_start
/etc/pam.d/passwd:password optional pam_gnome_keyring.so use_authtok
/etc/pam.d/xscreensaver:auth optional pam_gnome_keyring.so |
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1752 Location: PB, Germany
Posted: Mon Jan 28, 2019 5:29 pm
Now on a different machine, I have exactly the same /etc/pam.d, but after WM login I'm still asked for the keyring password. How can I debug how the password is passed from PAM?
YourNameInHere n00b
Joined: 28 Mar 2007 Posts: 8
Posted: Fri Feb 01, 2019 5:26 pm
Hi,
Was also playing with gnome-keyring these days ... I think it is working now as I wanted.
I'm using slim as a login-manager:
Code: | # grep gnome_keyring /etc/pam.d/*
/etc/pam.d/login:#auth optional pam_gnome_keyring.so #keyring
/etc/pam.d/login:#session optional pam_gnome_keyring.so auto_start #keyring
/etc/pam.d/passwd:-password optional pam_gnome_keyring.so use_authtok
/etc/pam.d/slim:auth optional pam_gnome_keyring.so #keyring
/etc/pam.d/slim:session optional pam_gnome_keyring.so auto_start #keyring
/etc/pam.d/system-auth:#auth optional pam_gnome_keyring.so #keyring
/etc/pam.d/system-auth:#password optional pam_gnome_keyring.so #keyring
/etc/pam.d/system-auth:#session optional pam_gnome_keyring.so auto_start #keyring
/etc/pam.d/system-login:#auth optional pam_gnome_keyring.so #keyring
/etc/pam.d/system-login:#session optional pam_gnome_keyring.so auto_start #keyring
|
It is only activated in "slim" (passwd-file looks like it is a default value).
Also there was another problem for me:
After logging in there was a delay for ~20 seconds (stuck at the login-screen).
Turns out this is a known problem
Code: |
[ 26.895784] random: crng init done
|
Solution: emerge haveged
See: https://forums.gentoo.org/viewtopic-t-1081710-start-0.html
YourNameInHere
EDIT: Did you also check the keyring with seahorse?
The keyring name must be "Login" and set as default. I was able to remove all keyrings and got a new working one after re-login.
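As an added example (not part of any post in this thread, and not gnome-keyring or Gentoo code), the check below reports which pam_gnome_keyring.so lines are actually active for a login service, since grep output like the one above also lists commented-out lines and misses lines pulled in through include. The names keyring_hooks, findings and demo and the sample tree are constructed for illustration; Debian-style @include lines are not followed.

```python
import re
import tempfile
from pathlib import Path

MODULE = "pam_gnome_keyring.so"

def keyring_hooks(pam_dir, service, stack=()):
    """Map PAM type -> options of each active pam_gnome_keyring.so line for a service."""
    hooks = {}
    path = Path(pam_dir, service)
    if service in stack or not path.is_file():
        return hooks                      # include loop or missing file
    for raw in path.read_text().splitlines():
        # drop "#..." comments; collapse a "[a=b c=d]" control into one field
        fields = re.sub(r"\[[^\]]*\]", "[]", raw.split("#", 1)[0]).split()
        if len(fields) < 3:
            continue
        # a leading "-" ("-password") only silences the log if the module is missing
        ptype, control, target = fields[0].lstrip("-"), fields[1], fields[2]
        if control in ("include", "substack"):
            sub = keyring_hooks(pam_dir, target, stack + (service,))
            if ptype in sub:              # an include pulls in only lines of the same type
                hooks.setdefault(ptype, set()).update(sub[ptype])
        elif Path(target).name == MODULE:
            hooks.setdefault(ptype, set()).update(fields[3:])
    return hooks

def findings(pam_dir, login_service):
    """Compare a service against the setup reported as working in this thread."""
    out, login = [], keyring_hooks(pam_dir, login_service)
    if "auth" not in login:
        out.append(f"{login_service}: no active auth line")
    if "auto_start" not in login.get("session", set()):
        out.append(f"{login_service}: no active session line with auto_start")
    if "use_authtok" not in keyring_hooks(pam_dir, "passwd").get("password", set()):
        out.append("passwd: no active password line with use_authtok")
    return out

def demo():
    """Run the check on a constructed sample tree (not from a real system)."""
    files = {"lightdm": "auth\toptional pam_gnome_keyring.so\nsession include system-login\n",
             "system-login": "#session optional pam_gnome_keyring.so auto_start #keyring\n",
             "passwd": "-password optional pam_gnome_keyring.so use_authtok\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            Path(d, name).write_text(text)
        return findings(d, "lightdm")

if __name__ == "__main__":
    print(demo())
```

On a real system, call `findings("/etc/pam.d", "lightdm")` (or `"slim"`) and compare the result with the configurations posted in this thread.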
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1752 Location: PB, Germany
Posted: Tue Jul 21, 2020 8:43 am
Starting the whole investigation from scratch:
gnome-keyring is a crucial part of my Xfce Desktop, as a lot of applications are storing their credentials there like Evolution and NetworkManager. However I did not find any project or gnome group that is able to help in that area.
The only solution I found is creating a new keyring from scratch. But losing my keys is no option. I did not find a way to import keys from old keyrings. This is the reason why I copied another keyring from my old machine into ~/.local/share/keyrings.
This seems to work, I have now 2 named "Default keyring" and 1 named "Login". All 3 have the same password equal to my user password.
My current pam setup:
Code: | # grep keyring -R /etc/pam.d/
/etc/pam.d/lightdm:auth optional pam_gnome_keyring.so
/etc/pam.d/lightdm:session optional pam_gnome_keyring.so auto_start
/etc/pam.d/xscreensaver:auth optional pam_gnome_keyring.so
/etc/pam.d/passwd:-password optional pam_gnome_keyring.so use_authtok |
It feels like the "Login" keyring has the passwords for opening the other 2 "Default keyring". I can't find any information about this. After login into Xfce with lightdm has been done, I'm asked for a password for a keyring, which should not happen. I enter my user password again and see, that in seahorse the first "Default keyring" is unlocked, while the other one and the Login is still closed. This feels wrong and I guess, the "Login" keyring should have been opened by PAM. It feels like PAM has not forwarded any password via STDIN and the opened keyring was just requested by some application requiring a password from it. A lot of guessing.
The next issue is, that in this situation it is not possible to open any other keyring, no dialog appears. I need to kill the daemon by:
Code: | $ gnome-keyring-daemon --replace --daemonize --components=pkcs11,secrets,ssh,gpg |
After that it is possible to open all keyrings as expected, starting with the "Login" keyring with a password, then the other 2 "Default keyring" don't need a password and just open on request.
As I don't get help from any upstream gnome channel or group, maybe on Gentoo there are some Gnome maintainers knowing more about this architecture or that have contact to upstream devs.
How can I tell PAM to open a specific gnome-keyring at login?
How can I merge or import keyrings?
Parts are described here: https://wiki.gnome.org/Projects/GnomeKeyring/Pam but it does not explain how to deal with 2 Default keyrings and why the Default and not the login keyring is tried to be opened at login.
The Login keyring is the only default keyring.
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1752 Location: PB, Germany
Posted: Fri Aug 21, 2020 8:45 am
Still can't get it working and got no help from Gnome channels either. From Evolution developers I got the hint that there used to be some confusion in the past between 'default' and 'login' keyrings.
I deleted ~/.local/share/keyrings/* completely. I created a new empty 'login' keyring and tested if this one is opened by lightdm at login, but it is not. I added my old 'Default' keyring (which is not the default), unlocked that and checked the "auto unlock..." to have the password stored in the login ring. If I login with that setup, I get asked for a password for 'Default' because some Evolution background service is requesting that. Unlocking fails. I'm asked for the 'Login' ring password with the hint that it was not unlocked at login...
I need to restart the gnome-keyring-daemon to be able to unlock the rings. Then I need to kill and restart the Evolution services to make them able to access the rings. I need to do that every boot up which is annoying.
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1752 Location: PB, Germany
Posted: Wed Dec 16, 2020 7:52 am
Some recent update seems to have silently solved this issue and gnome-keyring receives all passwords from pam, opening all required keyrings.
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2893 Location: Edge of marsh USA
Posted: Thu Dec 17, 2020 8:30 pm
I recently liberated myself from gnome-keyring. The only hard dependency that pulled it in was gnome-disk-utility so I just decided to live without it. Someday I'm going to have a lean system.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/17.1/desktop (stable), OpenRC, -systemd -pulseaudio -uefi