GNOME Bugzilla – Bug 506356
unlocking keyring via gdm does not work with autologin
Last modified: 2019-02-22 11:45:58 UTC
Reported already for Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam-keyring/+bug/137247

From the original report:

libpam-keyring doesn't work correctly when set up together with gdm's autologin feature. As expected, GDM automatically logs in the correct user. However, libpam-keyring fails to retrieve the user's password (probably because it wasn't entered) and instead displays a dialog box asking for it, which defeats the purpose of the plugin. Instead, if the password isn't available it should just do nothing (perhaps log a message somewhere) and allow the normal keyring unlocking to work (e.g., let Network Manager ask for the password when it needs it). This locks the loading process, which is very annoying.

Also, the dialog where libpam-keyring asks for the password does NOT mask the entered password (e.g., with asterisks), making it visible on the screen.

Note: of course this can be worked around by simply disabling the plugin in /etc/pam.d/gdm-autologin (and it doesn't put itself there), but it's still buggy behavior.

It's likely that libpam cannot actually retrieve the password on autologins (I assume GDM just "su -"s into the username, so it doesn't actually know the password), in which case this should be attached as a "wishlist" bug for GDM or gnome-keyring. For instance, gnome-keyring might allow itself to be unlocked by the "root" user as an optional, lower-security feature.
Thanks for your bug report. I'd like to ask for additional information:

1. libpam_keyring is not a component of gnome-keyring, but the similar libpam_gnome_keyring may have this same problem. Please attach the output of the following command in order to determine which is being used:

   grep -R keyring /etc/pam.d

2. Please post the contents of your gdm-autologin. gdm-autologin should not include this gnome-keyring plugin; it doesn't make sense for it to.

3. Please post a screenshot of the prompt you see with the password not hidden.

It is likely this is a bug in gdm and not in gnome-keyring.
It very well may be something else's fault; I personally find relations among these packages very confusing, sorry if I filed it to a bad place.

1.
/etc/pam.d/gdm:auth optional pam_gnome_keyring.so
/etc/pam.d/gdm:session optional pam_gnome_keyring.so auto_start

2. either

#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
@include common-account
session required pam_limits.so
@include common-session
@include common-password

and it autologins just fine but wants to unlock the keyring after I log on, or I tried

auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
@include common-account
session required pam_limits.so
@include common-session
@include common-password
@include common-pamkeyring

(only the last line is added) when it does not autologin but presents me the standard GDM login screen, but when I login, I do not need to unlock the keyring.

3. I forwarded this bug from launchpad and I cited someone else; I cannot reproduce this. I will ask on launchpad, but unless someone responds, I think you can disregard this; the original bug report is months old.
The only way to have gnome-keyring automatically unlock the keyrings in an autologin situation is to use a blank password for your keyring, which will then store the keyring in an unencrypted format. However this support is only available in gnome-keyring 2.21.5 and later. I hope I'm understanding things correctly. If not, please feel free to reopen this bug.
I am not sure if either of us is understanding things correctly, actually :-).

1) Support for blank passwords is good since it allows people (like me) who hate entering passwords to use the keyring.

2) However, having passwords in plain is not very secure, right? As the original reporter suggested - would it not be possible for GDM (that enables users to autologin without having blank passwords or passwords in plain text) to unlock the keyring somehow? Since it is run under root it can do many things, can't it? This would of course then be a bug of GDM. In other words, I do not quite understand why it is possible to login without typing in a password but it is not possible to do the same with the keyring.

3) If it really is not possible, this might be a bug of GDM because when I put @include common-pamkeyring into gdm-autologin, it presents me with a login window. I think it should log me in and ask for the keyring password.

Anyway, if this is to be closed, I think it should be WONTFIX, since there is a relevant use case for it.
> 2) However, having passwords in plain is not very secure, right?
> As the original reporter suggested - would it not be possible for
> GDM (that enables users to autologin without having blank passwords
> or passwords in plain text) to unlock the keyring somehow? Since it
> is run under root it can do many things, can't it?

Heh, yes root can do many things, but it cannot decrypt a properly encrypted file to which it does not know the password. If the keyring is saved to the disk encrypted then nobody, not even root, can decrypt it without the password. That's the point of the encryption. But again, there are certainly many many folks smarter than I, and if one of them figures out a way that such a backdoor can be designed securely, I'd love to hear about it.

> 3) If it really is not possible, this might be a bug of GDM because
> when I put @include common-pamkeyring into gdm-autologin, it
> presents me with a login window. I think it should log me in and
> ask for the keyring password.

The gnome keyring PAM module is designed to unlock the keyring for the user in the presence of a password. A password is a prerequisite for it to function. It should not be configured for PAM applications (such as gdm-autologin) that do not provide a password to the PAM modules. If a distro or system builder includes this PAM module in the configuration file for such an application (such as gdm-autologin) then a bug should be filed with them.
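As an added example (not part of this bug thread, nor gnome-keyring's or GDM's own tooling), the following POSIX shell script turns the maintainer's last point into a check an administrator can run: it scans a pam.d directory and flags every service file that lists pam_gnome_keyring.so but whose auth stack contains no module that actually collects a password. The list of password-collecting modules (pam_unix, pam_ldap, pam_krb5, pam_sss) is an assumption of the heuristic, @include directives are not followed, and the sample pam.d tree it builds in a temporary directory is constructed for the example, mirroring the gdm and gdm-autologin stacks quoted above.

```shell
#!/bin/sh
# Added example: audit a pam.d directory for pam_gnome_keyring.so entries in
# services whose auth stack never collects a password (e.g. an autologin
# stack built on pam_permit.so). Heuristic only: @include lines are not
# followed, and the password-collecting module list below is an assumption.

# make_sample_pamd: build a constructed pam.d tree in a temp dir and print
# its path. "gdm" collects a password via pam_unix; "gdm-autologin" does not.
make_sample_pamd() {
    dir=$(mktemp -d)
    cat > "$dir/gdm" <<'EOF'
auth requisite pam_nologin.so
auth required pam_unix.so
auth optional pam_gnome_keyring.so
session optional pam_gnome_keyring.so auto_start
EOF
    cat > "$dir/gdm-autologin" <<'EOF'
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_permit.so
auth optional pam_gnome_keyring.so
session optional pam_gnome_keyring.so auto_start
EOF
    printf '%s\n' "$dir"
}

# service_collects_password DIR SERVICE: exit 0 if some "auth" line in the
# service file names a module known (by assumption) to prompt for a password.
service_collects_password() {
    grep -Eqs '^[[:space:]]*auth[[:space:]].*pam_(unix|ldap|krb5|sss)\.so' "$1/$2"
}

# audit_pamd DIR: print one line per service that lists pam_gnome_keyring.so
# without any password-collecting auth module; prints nothing when clean.
audit_pamd() {
    pamdir=$1
    for f in "$pamdir"/*; do
        [ -f "$f" ] || continue
        svc=$(basename "$f")
        # Only services that load the keyring module are of interest.
        grep -qs 'pam_gnome_keyring\.so' "$f" || continue
        if ! service_collects_password "$pamdir" "$svc"; then
            printf '%s: pam_gnome_keyring.so listed but no auth module collects a password\n' "$svc"
        fi
    done
}

# Usage on a real system: audit_pamd /etc/pam.d
```

Run against the constructed tree, only gdm-autologin is reported; the gdm stack passes because pam_unix.so collects the password the keyring module needs. On a real system the @include lines (common-auth, common-pamkeyring) would have to be expanded first for the check to be authoritative.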