GNOME Bugzilla – Bug 514862
pam gnome-keyring shouldn't ever ask for a password
Last modified: 2008-03-20 06:28:30 UTC
Currently pam_gnome_keyring asks for a password if there isn't already a saved auth token from a module earlier in the stack. This breaks accounts that have been configured with passwd -d. I think it should probably just quietly exit if it doesn't have a password to try.
Created attachment 104590: patch I built into rawhide.
Thanks. Applied your patch to trunk.
Hum... seems this breaks my "no password again to unlock keyring" functionality on Gentoo with 2.22.0 for NetworkManager 0.6.6 (nm-applet) :-( I now always get the following:
Mar 16 14:02:13 vulture gdm[3531]: gkr-pam: no password is available for use
and I have to enter the keyring password to unlock, where the same config was fine with 2.20.x. I probably fscked my pam cfg, but would like to know how to make it work again without patching 2.22.0 to revert this back to a more user-friendly way of working...
Created attachment 107383: Revert fix to allow "password less" keyring unlocking. Mostly FYI, the patch that fixes keyring unlocking on my Gentoo.
Created attachment 107384: pam config items. FYI: my current, probably wrong, PAM config items with pam_gnome_keyring. Was working just fine with 2.20.x, borked with 2.22.x unless the "Revert fix" patch is applied.
Make pam_gnome_keyring.so the last in each category. In particular it should be the last 'auth' line. This allows the other PAM modules to prompt for and verify the password and then pam_gnome_keyring will use the password that they have vetted.
Created attachment 107390: Extract of "update" pam config. Hmm... Must have something wrong after changing the order... it looks like pam_gnome_keyring is not even called anymore (no more gkr-pam coming in /var/log/message), and I get back to "please enter password to unlock keyring"...
When you mark a module as 'sufficient' it skips all the remaining modules if it successfully authenticates the user.
So what's the proper pam configuration? As I wrote a tiny howto for keyring's PAM feature, I'd like to update it to reflect the correct way. I'm sure our users would appreciate it :) As an interim solution, I'll revert the fix using Pierre's patch in Gentoo.
Ok, now I am lost :-) I played around and in the end I ended with the following finding: on my system everything falls back to system-auth, and no matter what I put in gdm/passwd, system-auth will drive the result... So, in the end, I only have the following system-auth; all my other files are "gentoo default":
--------[
auth required pam_env.so
#keyring
auth optional pam_gnome_keyring.so
#
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
#keyring
password optional pam_gnome_keyring.so
#
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password required pam_deny.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
# keyring
session optional pam_gnome_keyring.so auto_start
#
]-----------
With only these changes and a "patched" keyring, all is fine... A side effect is that on the first request of the keyring, the dialog has an additional checkbox to "automatically" unlock the keyring at login... and this is the last time I ever have to enter the password again (unless I manually reset the thing)... I am sure I miss a lot of things in PAM, but I don't see what to use except 'sufficient' for the auth... tried a few things that just made PAM angry (aka: no more logins :-)) so now I reverted them to some kind of "usable" config...
Created attachment 107473: pam_gnome_keyring with added "allow_ask_password" param. Ok, since I cannot find a way to configure my stack other than with pam_gnome_keyring BEFORE the actual auth, I updated the patch: a) per default, don't request the passwd (aka: new 2.22 behavior); b) if the "allow_ask_password" param is passed to pam_gnome_keyring, then the password will be asked for (aka: old 2.20 behavior).
pam_gnome_keyring should never prompt for the password as it has no real way of authenticating it. Only components that can authenticate the user should prompt for the password. This was wrong in the 2.20 behavior, and broke login on all sorts of configurations. The 2.22 behavior is correct for a non-authenticating PAM module. Here is my configuration; Ubuntu gets it right:
stef@stef:~$ cat /etc/pam.d/gdm
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session required pam_limits.so
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password
stef@stef:~$ cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_unix.so nullok_secure
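The stack-ordering behaviour argued over in this thread, as an added simulation that is not part of the bug report, of any attachment, or of gnome-keyring's own code: a toy Python model of a Linux-PAM auth stack. The module bodies (pam_env, pam_deny, pam_unix, pam_gnome_keyring) are simplified stand-ins for the real modules, the three stacks are transcriptions of the Gentoo system-auth and Ubuntu gdm/common-auth configurations quoted above, and the assumed "allow_ask_password" argument models the 2.20-style self-prompting proposed in the attachment above. It shows why pam_gnome_keyring placed after a 'sufficient' pam_unix is never reached, why placing it before pam_unix leaves it without a token (and, in 2.20 mode, prompting even on a passwd -d account), and why the Ubuntu ordering ('required' pam_unix, then 'optional' keyring last) hands it the already vetted password.

```python
# Toy model of a Linux-PAM 'auth' stack. Module bodies are simplified
# stand-ins, NOT the real pam_unix / gkr-pam sources; control-flag handling
# follows the common required/requisite/sufficient/optional semantics.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"


@dataclass
class Context:
    typed_password: str            # what the user enters when prompted
    real_password: str             # "" models an account after `passwd -d`
    keyring_password: str
    authtok: Optional[str] = None  # PAM_AUTHTOK item, set by a prompting module
    keyring_called: bool = False
    keyring_unlocked: bool = False
    log: List[str] = field(default_factory=list)


def pam_env(ctx: Context, args: List[str]) -> str:
    return PAM_SUCCESS


def pam_deny(ctx: Context, args: List[str]) -> str:
    return PAM_AUTH_ERR


def pam_unix(ctx: Context, args: List[str]) -> str:
    # Authenticating module. With nullok a blank password field is accepted
    # without any prompt, so no PAM_AUTHTOK is ever stored (the passwd -d case).
    if "nullok" in args and ctx.real_password == "":
        ctx.log.append("pam_unix: blank password accepted, nothing prompted")
        return PAM_SUCCESS
    if not ("try_first_pass" in args and ctx.authtok is not None):
        ctx.log.append("pam_unix: prompting for password")
        ctx.authtok = ctx.typed_password        # stored for later modules
    return PAM_SUCCESS if ctx.authtok == ctx.real_password else PAM_AUTH_ERR


def pam_gnome_keyring(ctx: Context, args: List[str]) -> str:
    # Non-authenticating module: it can only reuse a token another module set.
    ctx.keyring_called = True
    password = ctx.authtok
    if password is None:
        if "allow_ask_password" not in args:    # 2.22 behaviour: quietly give up
            ctx.log.append("gkr-pam: no password is available for use")
            return PAM_IGNORE
        ctx.log.append("gkr-pam: prompting for password")   # 2.20 behaviour
        password = ctx.typed_password
    ctx.keyring_unlocked = password == ctx.keyring_password
    ctx.log.append("gkr-pam: keyring %s" % ("unlocked" if ctx.keyring_unlocked else "NOT unlocked"))
    return PAM_SUCCESS


Module = Callable[[Context, List[str]], str]
Stack = List[Tuple[str, Module, List[str]]]


def run_auth_stack(stack: Stack, ctx: Context) -> str:
    failed = False
    for control, module, args in stack:
        ret = module(ctx, args)
        if control == "required" and ret == PAM_AUTH_ERR:
            failed = True                       # keep going, but the stack fails
        elif control == "requisite" and ret == PAM_AUTH_ERR:
            return PAM_AUTH_ERR
        elif control == "sufficient" and ret == PAM_SUCCESS and not failed:
            return PAM_SUCCESS                  # every remaining module is skipped
        # 'optional' results never change the outcome in this model
    return PAM_AUTH_ERR if failed else PAM_SUCCESS


# Gentoo system-auth from the thread: keyring sits BEFORE the module that prompts.
KEYRING_BEFORE_UNIX: Stack = [
    ("required", pam_env, []),
    ("optional", pam_gnome_keyring, []),
    ("sufficient", pam_unix, ["try_first_pass", "likeauth", "nullok"]),
    ("required", pam_deny, []),
]
# Keyring moved last, after a 'sufficient' pam_unix: never reached on success.
KEYRING_AFTER_SUFFICIENT: Stack = [
    ("required", pam_env, []),
    ("sufficient", pam_unix, ["try_first_pass", "likeauth", "nullok"]),
    ("required", pam_deny, []),
    ("optional", pam_gnome_keyring, []),
]
# Ubuntu gdm + common-auth: pam_unix is 'required', keyring is last and 'optional'.
UBUNTU_STYLE: Stack = [
    ("required", pam_env, []),
    ("required", pam_unix, ["nullok_secure"]),
    ("optional", pam_gnome_keyring, []),
]


def with_prompting_keyring(stack: Stack) -> Stack:
    # Assumed 2.20-style variant: gkr-pam prompts itself when no token exists.
    return [(c, m, a + ["allow_ask_password"]) if m is pam_gnome_keyring else (c, m, a)
            for c, m, a in stack]


def simulate(stack: Stack, typed: str = "hunter2", real: str = "hunter2",
             keyring: Optional[str] = None) -> Tuple[str, Context]:
    # Constructed sample credentials; the keyring password defaults to the login one.
    ctx = Context(typed, real, real if keyring is None else keyring)
    return run_auth_stack(stack, ctx), ctx


if __name__ == "__main__":
    for name, stack in [("keyring before pam_unix", KEYRING_BEFORE_UNIX),
                        ("keyring after sufficient pam_unix", KEYRING_AFTER_SUFFICIENT),
                        ("ubuntu style", UBUNTU_STYLE)]:
        result, ctx = simulate(stack)
        print("%s -> %s, keyring unlocked: %s" % (name, result, ctx.keyring_unlocked))
        for line in ctx.log:
            print("   ", line)
```

Running it prints one trace per stack; only the Ubuntu-style ordering ends with "gkr-pam: keyring unlocked". The same model reproduces the original bug: with the 2.20-style prompting variant and an account whose password field is blank, pam_unix accepts the login without asking anything and the keyring module is the one that ends up prompting.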
Thx for the examples... I cooked a "special" version of GDM and this finally works as "designed"...
ok, I think I know what's happening. In gentoo's case, the current approach in stable pam config doesn't allow putting something after the common-auth/system-auth _but_ here it looks like what gnome-keyring does is just takes the password and tries to unlock the keyring with it and it can only have it if another pam module read/asked it first (correct me if I'm wrong) In the usual case it's pam_unix, but it might be pam_ldap or pam_${whatever_ask_passwords_by_itself}. Now I/we gnome herd need to fix that with diego on gentoo.
Yes, that's correct. To reiterate, pam_gnome_keyring takes the password and tries to unlock the keyring with it. Another module must have already prompted for the password and username.
(In reply to comment #15) Thx for your time and the info, looks like Gentoo will get it working "out-of-the-box" pretty soon :-) Btw, so many bright people involved in my "I don't like to enter my password twice" issue... I feel like a VIP now ;-)
Yes, software that integrates various parts of the system always takes a lot of work and contributions from various people. Thanks for helping out :)