GNOME Bugzilla – Bug 312877
GDM login should open the keyring
Last modified: 2007-07-21 02:44:43 UTC
Would it be possible to make it so that when you log in via GDM you also open the keyring? In case your user password is the same as your keyring password it seems redundant to have to type it twice.
this might actually belong to gdm or gnome-session- Alex, Fer, any thoughts?
Someone was even working on a pam module to do this.
Here it is: http://www.flyn.org/projects/pam_keyring/
Just to be thorough and make sure all parties that might be interested are notified, I will post to this bug as well. I am about to take over ownership of the pam_keyring module. I have made a lot of changes to it, trying to bring it more in line with gnome and pam standards. In order for the whole process to work I have also submitted RFE's and patches under bugs 333901 and 333653. With all these patches and my version of pam_keyring you can have any single keyring unlocked on login, if that keyring's password matches your login password. I have tentative patches to allow multiple keyrings to be unlocked on login, however feel we should start small and functional then work our way up. I haven't officially posted the site, but if people are interested in testing my version of pam_keyring with all the patches drop me a line. I also have a fedora core 4 and rawhide repository with all the updates to make it work.
With the release of Gnome 2.14 and Fedora Core 5, I have posted my site. I have asked the pam users group to review my code, but have not received any feedback yet. I have been using this software for the past couple of months and have had no issues. Try it out, take a look and post feedback here. http://www.hekanetworks.com/pam_keyring/
Have you thought about providing pam_sm_chauthtok functionality for the pam module? That way, the password in the keyring can be updated when the user changes their password via PAM (i.e., when they run passwd(8) and so on).
I have that functionality working in my personal repository. I have just been too busy to get it fully tested and all the bugs worked out before I released it. Hopefully by the end of August I will have released pam_keyring 0.0.9, which will definitely have this functionality.
*** Bug 326925 has been marked as a duplicate of this bug. ***
I tested doing the following: --- /etc/pam.d/gdm~ 2007-02-26 12:33:47.000000000 +0000 +++ /etc/pam.d/gdm 2007-03-17 16:53:00.000000000 +0000 @@ -6,3 +6,5 @@ session required pam_limits.so @include common-session @include common-password +# added for libpam-keyring +@include common-pamkeyring --- /etc/pam.d/gnome-screensaver~ 2007-02-27 21:45:56.000000000 +0000 +++ /etc/pam.d/gnome-screensaver 2007-03-17 16:53:32.000000000 +0000 @@ -1 +1,3 @@ @include common-auth +# added for libpam-keyring +@include common-pamkeyring however that doesn't happen NM wanting the pass-phrase coming from suspend, as NM requests access to the WEP key before the screen-saver password can be entered. John: you mentioned you had password updating code done in your local tree. Is there any chance you could attach/upload it, even if it's in a bad state to save duplicating effort. Many Thanks, -Paul
Note to self: If NetworkManager were to check for the screensaver being active and hold off on popping up dialogues whilst that is so, then it would have the passphrase for the key by the time the screensaver was authenicated.
Paul, I am on vacation finally and the first thing on my todo is to get the next release of pam_keyring out the door. It has been a long time coming and it seems like more people are interested in the functionality. I will post a link as soon as the new version is available. Jon
Committed code which does this. See bug #447763 Needs testing, which I'll be working on over the next few days.