GNOME Bugzilla – Bug 639378
gnome-keyring-daemon should be able to unlock or create login.keyring for remote login using passwordless ssh public key authentication
Last modified: 2021-06-18 10:40:56 UTC
Hello all, esp. Stef. http://git.gnome.org/browse/gnome-keyring/tree/daemon/gkd-main.c?h=gnome-2-32#n685 Unless I am misreading the code, this makes gkd skip login.keyring processing when I log into my Linux server from a remote machine over ssh public key authentication. I would like to first understand why it is so and then find out whether this is a patchable problem.

Scenario is for fresh user accounts that would have no local passwords, would only be able to remotely log in over ssh using public key authentication, and they don't need X for anything. gkd should create ~/.gnome2/keyrings/login.keyring automatically for each user on their first (or whatever subsequent, in the case of deletion) ssh pubkeyauth login. login.keyring would have to be protected preferably using the forwarded private key (or some other applicable method).

Currently it seems the only way to get gkd to unlock or create login.keyring is to type a passphrase at the console or X login manager. Correct? Is it possible to feed gkd something that is based off the forwarded private key that could be used to achieve this? Am I completely missing something in the architecture? Thank you for your attention.
The login.keyring support is used by gnome-keyring's PAM integration. In particular the gnome-keyring PAM module sends the user's login password to gnome-keyring-daemon via STDIN. Maybe this helps explain things better: http://live.gnome.org/GnomeKeyring/Pam

Currently it's not possible for gnome-keyring-daemon to use a private key to unlock the login.keyring. There has been some discussion about this, related to the possibility of using smart cards to unlock login.keyring. But no code has materialized so far...
Yes, I have read through all the GnomeKeyring wiki pages. Judging from the fact you didn't immediately say "no", I assume then this is doable and needs code. Could I get some references/URLs to these discussions you mention? I'd like to read up on them and figure out if I'm capable of doing this.
There's a lot of code between 'here' and 'there'. Not the least of which is redesigning the keyring format so that it supports more than one encryption method. Currently only passwords are supported. This is something I've been thinking about recently, but haven't yet had time to implement. I imagine this would take a month or two of solid work. If you're willing to put in the effort, I can spec out what would be involved.
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new ticket at https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/ Thank you for your understanding and your help.