Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

gnome-keyring not getting password from pam
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Desktop Environments
View previous topic :: View next topic  
Author Message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1610
Location: PB, Germany
PostPosted: Wed Oct 10, 2018 7:21 am    Post subject: gnome-keyring not getting password from pam Reply with quote
Hi,

I have emerged gnome-base/gnome-keyring-3.28.2 with USE="pam", but I'm still asked for the gnome-keyring password. I have set the same password for the keyring and for the user. Is that required anyway or is the keyring password just encrypted by the user-password? However it doesn't work. What steps are necessary?

Moreover I would like to reduce the count of passwords without loosing too much security. Having a LUKS password on boot and full encryption, I would prefer the password-less login to the Window Manager. But then it would not be possible to pass the password to the keyring anymore, is it? Having a completely unencrypted keyring, would that be a big security issue? I mean the shut down system is safe based on the encryption. But for the running system, the unencrypted keyring files would be accessible by each process, is that true?
_________________
ppc:PowerBook5,8 15"(1440)-G4/1.67,2G|amd64:HP EliteBook 8560w,i7-2620M,16G|amd64-prefix:OpenSuse|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Lila-Theme
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1610
Location: PB, Germany
PostPosted: Mon Dec 17, 2018 8:17 am    Post subject: Reply with quote
What is the right pam.d setting for the keyring? Currently I found this:
Code:
# grep keyring /etc/pam.d/*
/etc/pam.d/passwd:-password   optional   pam_gnome_keyring.so use_authtok

However Ubuntu [1] mentions a different pam.d configuration for /etc/pam.d/gdm or /etc/pam.d/lightdm:
Code:
auth optional pam_gnome_keyring.so
session optional pam_gnome_keyring.so auto_start

[1] https://wiki.ubuntuusers.de/GNOME_Schl%C3%BCsselbund/#Keyring-Daemon-deaktivieren
_________________
ppc:PowerBook5,8 15"(1440)-G4/1.67,2G|amd64:HP EliteBook 8560w,i7-2620M,16G|amd64-prefix:OpenSuse|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Lila-Theme
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1610
Location: PB, Germany
PostPosted: Mon Dec 17, 2018 8:46 am    Post subject: Reply with quote
I have adapted the configuration like this now, and it seems to work, at least after a logout and new login:
Code:
# grep keyring /etc/pam.d/*
/etc/pam.d/lightdm:auth    optional        pam_gnome_keyring.so
/etc/pam.d/lightdm:session optional        pam_gnome_keyring.so    auto_start
/etc/pam.d/passwd:password   optional   pam_gnome_keyring.so use_authtok
/etc/pam.d/xscreensaver:auth    optional        pam_gnome_keyring.so

_________________
ppc:PowerBook5,8 15"(1440)-G4/1.67,2G|amd64:HP EliteBook 8560w,i7-2620M,16G|amd64-prefix:OpenSuse|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Lila-Theme
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1610
Location: PB, Germany
PostPosted: Mon Jan 28, 2019 5:29 pm    Post subject: Reply with quote
Now on a different machine, I have exactly the same /etc/pam.d, but after WM login I'm still asked for the keyring password. How can I debug how the password is passed from PAM?
_________________
ppc:PowerBook5,8 15"(1440)-G4/1.67,2G|amd64:HP EliteBook 8560w,i7-2620M,16G|amd64-prefix:OpenSuse|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Lila-Theme
Back to top
View user's profile Send private message
YourNameInHere
n00b
n00b


Joined: 28 Mar 2007
Posts: 8
PostPosted: Fri Feb 01, 2019 5:26 pm    Post subject: Reply with quote
Hi,

was also playing with gnome-keyring these days ...I think it is working now as i wanted.
I'm using slim as a login-manager:

Code:
# grep gnome_keyring /etc/pam.d/*
/etc/pam.d/login:#auth       optional     pam_gnome_keyring.so #keyring
/etc/pam.d/login:#session    optional     pam_gnome_keyring.so auto_start #keyring
/etc/pam.d/passwd:-password   optional   pam_gnome_keyring.so use_authtok
/etc/pam.d/slim:auth     optional   pam_gnome_keyring.so #keyring
/etc/pam.d/slim:session optional   pam_gnome_keyring.so auto_start #keyring
/etc/pam.d/system-auth:#auth       optional    pam_gnome_keyring.so #keyring
/etc/pam.d/system-auth:#password    optional    pam_gnome_keyring.so #keyring
/etc/pam.d/system-auth:#session    optional   pam_gnome_keyring.so auto_start #keyring
/etc/pam.d/system-login:#auth      optional  pam_gnome_keyring.so #keyring
/etc/pam.d/system-login:#session   optional  pam_gnome_keyring.so auto_start #keyring


it is only activated in "slim" (passwd-file looks like it is a default value).

Also there was another problem for me:
After logging in there was a delay for ~20 secondes (stuck at the login-screen).

Turns out this is a known problem :(
Code:

26.895784] random: crng init done


Solution: emerge haveged
See: https://forums.gentoo.org/viewtopic-t-1081710-start-0.html

YourNameInHere

EDIT: Did you also check the keyring with seahorse?
The keyring name must be "Login" and set as default. I was able to remove all keyrings and got a new working one after re-login.
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1610
Location: PB, Germany
PostPosted: Tue Jul 21, 2020 8:43 am    Post subject: Reply with quote
Starting the whole investigation from scratch:

gnome-keyring is a crucial part of my Xfce Desktop, as a lot of applications are storing their credentials there like Evolution and NetworkManager. However I did not find any project or gnome group that is able to help in that area.
The only solutions I found is creating a new keyring from scratch. But loosing my keys is no option. I did not find a way to import keys from old keyrings. This is the reason why I copied another keyring from my old machine into ~/.local/share/keyrings.
This seems to work, I have now 2 named "Default keyring" and 1 named "Login". All 3 have the same password equal to my user password.

My current pam setup:
Code:
# grep keyring -R /etc/pam.d/
/etc/pam.d/lightdm:auth   optional   pam_gnome_keyring.so
/etc/pam.d/lightdm:session   optional   pam_gnome_keyring.so auto_start
/etc/pam.d/xscreensaver:auth    optional        pam_gnome_keyring.so
/etc/pam.d/passwd:-password   optional   pam_gnome_keyring.so use_authtok


It feels like the "Login" keyring has the passwords for opening the other 2 "Default keyring". I can't find any information about this. After login into Xfce with lightdm has been done, I'm asked for a password for a keyring, which should not happen. I enter my user password again and see, that in seahorse the first "Default keyring" is unlocked, while the other one and the Login is still closed. This feels wrong and I guess, the "Login" keyring should have been opened by PAM. It feels like PAM has not forwarded any password via STDIN and the opened keyring was just requested by some application requiring a password from it. A lot of guessing.
The next issue is, that in this situation it is not possible to open any other keyring, no dialog appears. I need to kill the daemon by:
Code:
$ gnome-keyring-daemon --replace --daemonize --components=pkcs11,secrets,ssh,gpg

After that it is possible to open all keyrings as expected, starting with the "Login" keyring with a password, then the other 2 "Default keyring" don't need a password and just open on request.

As I don't get help from any upstream gnome channel or group, maybe on Gentoo there are some Gnome maintainers knowing more about this architecture or that have contact to upstream devs.

How can I tell PAM opening a specific gnome-keyring at login?
How can I merge or import keyrings?

Parts are described here: https://wiki.gnome.org/Projects/GnomeKeyring/Pam but it does not explain how to deal with 2 Default keyrings and why the Default and not the login keyring is tried to be opened at login.
The Login keyring is the only default keyring.
_________________
ppc:PowerBook5,8 15"(1440)-G4/1.67,2G|amd64:HP EliteBook 8560w,i7-2620M,16G|amd64-prefix:OpenSuse|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Lila-Theme
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1610
Location: PB, Germany
PostPosted: Fri Aug 21, 2020 8:45 am    Post subject: Reply with quote
Still can't get it working and got no help from Gnome channels either. From Evolution developers I got the hint that there used to be some confusion in the past between 'default' and 'login' keyrings.

I deleted ~/.local/share/keyrings/* completely. I created a new empty 'login' keyring and tested if this one is opened by lightdm at login, but it is not. I added my old 'Default' keyring (which is not the default), unlocked that and checked the "auto unlock..." to have the password stored in the login ring. If I login with that setup, I get asked for a password for 'Default' because some Evolution background service is requesting that. Unlocking fails. I'm asked for the 'Login' ring password with the hint that it was not unlocked at login...
I need to restart the gnome-keyring-daemon to be able to unlock the rings. Then I need to kill and restart the Evolution services to make them able to access the rings. I need to do that every boot up which is annoying.
_________________
ppc:PowerBook5,8 15"(1440)-G4/1.67,2G|amd64:HP EliteBook 8560w,i7-2620M,16G|amd64-prefix:OpenSuse|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Lila-Theme
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1610
Location: PB, Germany
PostPosted: Wed Dec 16, 2020 7:52 am    Post subject: Reply with quote
Some of the recent update seems to have silently solved this issue and gnome-keyring receives all passwords from pam, opening all required keyrings.
_________________
ppc:PowerBook5,8 15"(1440)-G4/1.67,2G|amd64:HP EliteBook 8560w,i7-2620M,16G|amd64-prefix:OpenSuse|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Lila-Theme
Back to top
View user's profile Send private message
figueroa
Veteran
Veteran


Joined: 14 Aug 2005
Posts: 1051
Location: The Matrix? USA
PostPosted: Thu Dec 17, 2020 8:30 pm    Post subject: Reply with quote
I recently liberated myself from gnome-keyring. The only hard dependency that pulled it in was gnome-disk-utility so I just decided to live without it. Someday I'm going to have a lean system.
_________________
Andy Figueroa
andy@andyfigueroa.net Working with Unix since 1983.
Automate and Test Your Backups
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Desktop Environments All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2021 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy