Bug 514862 - pam gnome-keyring shouldn't ever ask for a password
Status: RESOLVED FIXED
Product: gnome-keyring
Classification: Core
Component: general
Version: unspecified
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: GNOME keyring maintainer(s)
Depends on:
Blocks:
Reported: 2008-02-06 21:33 UTC by Ray Strode [halfline]
Modified: 2008-03-20 06:28 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Patch I built into rawhide (989 bytes, patch), 2008-02-06 21:34 UTC, Ray Strode [halfline]: committed
Revert fix to allow "password less" keyring unlocking (1.23 KB, patch), 2008-03-16 13:41 UTC, Pierre Poissinger: rejected
pam config items (697 bytes, application/x-compressed-tar), 2008-03-16 13:44 UTC, Pierre Poissinger
Extract of "update" pam config (2.38 KB, text/plain), 2008-03-16 15:28 UTC, Pierre Poissinger
pam_gnome_keyring with added "allow_ask_password" param (1.71 KB, patch), 2008-03-17 19:55 UTC, Pierre Poissinger: rejected

Description Ray Strode [halfline] 2008-02-06 21:33:17 UTC
Currently pam_gnome_keyring asks for a password if there isn't already a saved auth token from a module earlier in the stack.

This breaks accounts that have been configured with passwd -d.

I think it should probably just quietly exit if it doesn't have a password to try.
Comment 1 Ray Strode [halfline] 2008-02-06 21:34:31 UTC
Created attachment 104590 [details] [review]
Patch I built into rawhide.
Comment 2 Stef Walter 2008-02-10 17:36:04 UTC
Thanks. Applied your patch to trunk.
Comment 3 Pierre Poissinger 2008-03-16 13:40:22 UTC
Hum... seems this breaks my "no password again to unlock keyring" functionality on Gentoo with 2.22.0 for NetworkManager 0.6.6 (nm-applet) :-(

I now always get the following:
Mar 16 14:02:13 vulture gdm[3531]: gkr-pam: no password is available for use

and I have to enter the keyring password to unlock it, where the same config was fine with 2.20.x.

I probably fsck'd my PAM config, but would like to know how to make it work again without patching 2.22.0 to revert this back to a more user-friendly way of working...
Comment 4 Pierre Poissinger 2008-03-16 13:41:38 UTC
Created attachment 107383 [details] [review]
Revert fix to allow "password less" keyring unlocking

Mostly FYI, the patch that fixes keyring unlocking on my Gentoo.
Comment 5 Pierre Poissinger 2008-03-16 13:44:53 UTC
Created attachment 107384 [details]
pam config items

FYI: My current (probably wrong) PAM config items with pam_gnome_keyring. Was working just fine with 2.20.x, borked with 2.22.x unless the "Revert fix" patch is applied.
Comment 6 Stef Walter 2008-03-16 14:30:57 UTC
Make pam_gnome_keyring.so the last in each category. In particular it should be the last 'auth' line. This allows the other PAM modules to prompt for and verify the password and then pam_gnome_keyring will use the password that they have vetted. 
Comment 7 Pierre Poissinger 2008-03-16 15:28:25 UTC
Created attachment 107390 [details]
Extract of "update" pam config

Hmm...
I must have something wrong after changing the order...
It looks like pam_gnome_keyring is not even called anymore (no more gkr-pam coming in /var/log/message), and I get back to "please enter password to unlock keyring"...
Comment 8 Stef Walter 2008-03-16 16:10:16 UTC
When you mark a module as 'sufficient' it skips all the remaining modules if it successfully authenticates the user. 
Comment 9 Rémi Cardona 2008-03-16 16:39:06 UTC
So what's the proper pam configuration? As I wrote a tiny howto for keyring's PAM feature, I'd like to update it to reflect the correct way. I'm sure our users would appreciate it :)

As an interim solution, I'll revert the fix using Pierre's patch in Gentoo.

Comment 10 Pierre Poissinger 2008-03-16 17:04:48 UTC
Ok, now I am lost :-)

I played around and in the end I ended up with the following finding:
On my system everything falls back to system-auth, and no matter what I put in gdm/passwd, system-auth will drive the result...

So, in the end, I only have the following system-auth; all my other files are "gentoo default":
--------[
auth		required	pam_env.so 
#keyring
auth		optional	pam_gnome_keyring.so
#
auth		sufficient	pam_unix.so try_first_pass likeauth nullok 
auth		required	pam_deny.so
 
account		required	pam_unix.so 
 
password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3 
#keyring
password	optional	pam_gnome_keyring.so
#
password	sufficient	pam_unix.so try_first_pass use_authtok nullok md5 shadow 
password	required	pam_deny.so

session		required	pam_limits.so 
session		required	pam_env.so 
session		required	pam_unix.so 
# keyring
session		optional	pam_gnome_keyring.so auto_start
#
]-----------

With only these changes and a "patched" keyring, all is fine...
A side effect is that on the first request to the keyring, the dialog has an additional checkbox to "automatically" unlock the keyring at login... and this is the last time I ever have to enter the password again (unless I manually reset the thing)...

I am sure I miss a lot of things in PAM, but I don't see what to use except 'sufficient' for the auth... tried a few things that just made PAM angry (aka: no more logins :-)) so now I reverted them to some kind of "usable" config...
Comment 11 Pierre Poissinger 2008-03-17 19:55:38 UTC
Created attachment 107473 [details] [review]
pam_gnome_keyring with added "allow_ask_password" param

Ok, since I cannot find a way to configure my stack other than with pam_gnome_keyring BEFORE the actual auth, I updated the patch:

a) per default, don't request the passwd (aka: new 2.22 behavior)
b) if the "allow_ask_password" param is passed to pam_gnome_keyring, then the password will be asked for (aka: old 2.20 behavior)
Comment 12 Stef Walter 2008-03-17 20:27:23 UTC
pam_gnome_keyring should never prompt for the password as it has no real way of authenticating it. Only components that can authenticate the user should prompt for the password. 

This was wrong in the 2.20 behavior, and broke login on all sorts of configurations. The 2.22 behavior is correct for a non-authenticating PAM module.

Here's my configuration; Ubuntu gets it right:

stef@stef:~$ cat /etc/pam.d/gdm
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session required        pam_limits.so
@include common-session
session optional        pam_gnome_keyring.so  auto_start
@include common-password

stef@stef:~$ cat /etc/pam.d/common-auth 
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    required        pam_unix.so nullok_secure
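A small simulator of the auth-stack semantics discussed in comments 6, 8, 12 and 15, added here as an illustration; it is not code from gnome-keyring or Linux-PAM. The three embedded configs are constructed from the ones quoted in this bug, and the set of "authenticating" modules is an assumption.

```python
# Toy simulator of a Linux-PAM 'auth' stack (illustration only, not
# gnome-keyring or Linux-PAM code); assumes the 2.22 "never prompt" behaviour.
AUTHENTICATORS = {"pam_unix.so", "pam_ldap.so"}  # assumed to prompt + verify

# Constructed configs: Pierre's system-auth (comment 10), the reorder that
# kept 'sufficient' (comment 7), and the Ubuntu-style stack (comment 12).
GENTOO_ORIGINAL = """
auth    required    pam_env.so
auth    optional    pam_gnome_keyring.so
auth    sufficient  pam_unix.so try_first_pass likeauth nullok
auth    required    pam_deny.so
"""
GENTOO_REORDERED = """
auth    sufficient  pam_unix.so try_first_pass likeauth nullok
auth    optional    pam_gnome_keyring.so
auth    required    pam_deny.so
"""
UBUNTU_STYLE = """
auth    required    pam_unix.so nullok_secure
auth    optional    pam_gnome_keyring.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility; comments/blanks skipped."""
    stack = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == facility:
            stack.append((parts[1], parts[2]))
    return stack

def run_auth(text):
    """Walk the stack like libpam's dispatcher (simplified): (login_ok, keyring)."""
    auth_token = None                 # set once an authenticating module prompts
    keyring, failed = "skipped", False
    for control, module in parse_stack(text):
        if module in AUTHENTICATORS:
            auth_token, ok = "secret", True          # module prompted for it
        elif module == "pam_gnome_keyring.so":
            # comment 15: unlock only works with a password from an earlier module
            keyring = "unlocked" if auth_token else "no password available"
            ok = True
        else:
            ok = module != "pam_deny.so"             # pam_env etc. succeed
        if control == "sufficient" and ok and not failed:
            return True, keyring                     # rest of stack skipped
        if control == "requisite" and not ok:
            return False, keyring
        if control == "required" and not ok:
            failed = True                            # fail, but keep walking
    return not failed, keyring
```

Running the three configs reproduces the thread: the original order yields the "no password is available" log, the reorder with 'sufficient' never reaches pam_gnome_keyring, and the Ubuntu-style stack unlocks.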
Comment 13 Pierre Poissinger 2008-03-17 21:05:16 UTC
Thx for the examples...
I cooked a "special" version of GDM and this finally works as "designed"...

Comment 14 Gilles Dartiguelongue 2008-03-17 21:07:11 UTC
ok, I think I know what's happening. In Gentoo's case, the current approach in the stable PAM config doesn't allow putting something after common-auth/system-auth, _but_ here it looks like what gnome-keyring does is just take the password and try to unlock the keyring with it, and it can only have it if another PAM module read/asked for it first (correct me if I'm wrong).

In the usual case it's pam_unix, but it might be pam_ldap or pam_${whatever_ask_passwords_by_itself}. Now I/we (gnome herd) need to fix that with diego on Gentoo.
Comment 15 Stef Walter 2008-03-17 23:02:13 UTC
Yes, that's correct. To reiterate, pam_gnome_keyring takes the password and tries to unlock the keyring with it. Another module must have already prompted for the password and username.
Comment 16 Pierre Poissinger 2008-03-19 00:12:08 UTC
(In reply to comment #15)
Thx for your time and the info, looks like Gentoo will get it working "out-of-the-box" pretty soon :-)

Btw, so many bright people involved in my "I don't like to enter my password twice" issue... I feel like a VIP now ;-)

Comment 17 Stef Walter 2008-03-20 06:28:30 UTC
Yes, software that integrates various parts of the system always takes a lot of work and contributions from various people. Thanks for helping out :)