Bug 501204 - gnome-keyring, PAM, and thinkfinger (fingerprint reader)
Status: RESOLVED INCOMPLETE
Product: gnome-keyring
Classification: Core
Component: general
Version: git master
Hardware/OS: Other All
Importance: Normal normal
Target Milestone: ---
Assigned To: GNOME keyring maintainer(s)
Duplicates: 579843
Depends on:
Blocks:
Reported: 2007-12-03 09:57 UTC by Kevin R. Page
Modified: 2012-03-15 09:07 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Kevin R. Page 2007-12-03 09:57:47 UTC
Please describe the problem:
As far as I can tell, gnome-keyring doesn't use PAM to authenticate: gnome-keyring-pam passes a user's password _from_ PAM to gnome-keyring.

If a user has alternative PAM authentication installed that doesn't use a text password (e.g. a fingerprint reader such as thinkfinger) then the value passed to gnome-keyring-pam is not the text password (set to be the same as the login gnome-keyring password).

When PAM is set up to use thinkfinger, a user can swipe their fingerprint OR enter their password. Fingerprint readers are most prevalent on laptops which, ironically, are more likely to use gnome-keyring-pam due to higher use of wireless and NetworkManager. Obviously setting up the fingerprint reader to avoid typing a password is nullified if it has to be typed anyway for gnome-keyring.


Further details:
I think I've got this straight and tested that it doesn't work by design, though I may have been caught up in https://bugzilla.redhat.com/show_bug.cgi?id=376691 and https://bugzilla.redhat.com/show_bug.cgi?id=312531 such that it's only an installation problem.

Comment 1 Stef Walter 2007-12-05 17:20:39 UTC
No, gnome-keyring doesn't use PAM to authenticate. It uses PAM to get a password with which to encrypt/decrypt its keyrings. Many fingerprint readers are able to store a password which they pass to PAM and gnome-keyring will use.

So unless a password exists, gnome-keyring cannot make use of PAM. Does that answer your question?

Work is going on to remove annoyances (and security) for those who want a truly passwordless login, but that may not solve your problem: See bug #386866

I'm closing this bug, but please do reopen it if you have suggestions on how your problem might be fixed. I'm certainly not an expert in fingerprint readers or the intricacies of PAM.
Comment 2 Kevin R. Page 2007-12-05 19:07:27 UTC
I'm certainly not a PAM or fingerprint reader expert either ;)

AFAIK, the fingerprint reader doesn't use a password in the sense of a password string: thinkfinger compares a stored "image" file in hardware and returns a pass or fail:
http://www.reactivated.net/fprint/wiki/Upekts

As such, it's just an authentication mechanism exposed to PAM.

Now, correct me if I'm wrong, but gnome-keyring-pam expects the password to be a string - which it then pulls out of PAM and uses to unlock gnome-keyring. In other words, it doesn't work with any authentication mechanism that's not string/password based?

Which would mean efforts to enable fingerprint use instead of typed passwords are made kind of pointless as more and more gnome apps use gnome-keyring (which will still require a typed password):
http://fedoraproject.org/wiki/Releases/FeatureFingerprint
https://wiki.ubuntu.com/FingerprintAuthentication

I guess one solution would be to enable gnome-keyring to authenticate using PAM? Bug #386866 seems like more of a workaround (disable password for gnome-keyring!) than a fix.

Presuming I've got the mechanisms above correct, this is a feature request.

What I tested:
I installed gnome-keyring-pam on a Fedora 8 box and got it working; I've used pam_keyring on previous machines. I then added pam_thinkfinger, and could successfully log into Gnome; but as soon as NM used gnome-keyring I had to type the password in (which was set to my login password - GDM gives you the option to type a password OR swipe finger).
Comment 3 Stef Walter 2007-12-05 19:31:32 UTC
Well you've got one thing confused, and that's understandable:

gnome-keyring does not authenticate the user. It wants a secret from the user with which to encrypt/decrypt the default keyring. It can use the user's PAM password as this secret.

PAM authentication mechanisms that don't have a password or secret will not work with gnome-keyring. They will also not work with things like encrypted home directories.

This is unfortunate, and I don't know of any way to solve it.

If the PAM fingerprinting mechanism can provide a secret of some sort (perhaps a unique and consistent hash describing the fingerprint) then gnome-keyring can use that secret to encrypt/decrypt its keyrings.

Comment 4 Kevin R. Page 2007-12-05 19:56:39 UTC
I realise gnome-keyring doesn't authenticate a user and that this is handled by PAM; thanks for confirming how things (don't!) work ;)

It's clearer now that the PAM based authentication doesn't persist after login (obvious now I think of it). I don't know whether there's any persistence in the d-bus API proposed at:
http://fedoraproject.org/wiki/Releases/FeatureFingerprint
I've cc'd the owners of that page.

Or, as you say, the fingerprint mechanism could provide a secret hash or similar - but remember a user can authenticate using a password _or_ finger swipe, so gnome-keyring would need to accept multiple passwords (this would work with e.g. a LUKS encrypted mount, which can have several passphrases).
Comment 5 Vincent Untz 2009-01-21 15:47:38 UTC
openSUSE bug about this: https://bugzilla.novell.com/show_bug.cgi?id=438099

(In reply to comment #3)
> If the PAM fingerprinting mechanism can provide a secret of some sort (perhaps
> a unique and consistent hash describing the fingerprint) then gnome-keyring can
> use that secret to encrypt/decrypt its keyrings.

Let's assume the pam fingerprint stuff can provide a secret. Would it be possible to have the keyring unlocked by either this secret or the user password? Because that's what we'd want, I guess...

Comment 6 Stef Walter 2009-01-30 22:16:19 UTC
Yes certainly. I've seen (but not touched, heh) PAM fingerprint modules that once the correct fingerprint is provided set PAM_AUTHTOK (i.e. the password or secret) in the PAM context. This allows later modules to use that secret to do things.

For example pam_mount can use it to mount an encrypted disk, or in this case gnome-keyring's PAM module can use it to unlock the keyring.
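To make concrete where the secret in PAM_AUTHTOK comes from on each login path (comments 2, 3 and 6), here is an added example that is not part of this bug report: a constructed /etc/pam.d auth stack for a GDM login, in which the module names (pam_thinkfinger.so, pam_gnome_keyring.so) and their options are assumptions, not a distribution's shipped configuration.

```text
# Constructed /etc/pam.d/gdm fragment (illustrative; module names assumed).
#
# Path 1: fingerprint swipe. pam_thinkfinger reports pass/fail only. Because
# the control is "sufficient", PAM returns success to GDM here and the
# modules below are not run at all, so nothing ever stores a password in
# PAM_AUTHTOK. The login keyring stays locked until an application such as
# NetworkManager asks gnome-keyring for a secret and a password prompt appears.
auth     sufficient  pam_thinkfinger.so

# Path 2: typed password. pam_thinkfinger fails, which "sufficient" ignores,
# and pam_unix verifies the password (prompting for it if an earlier module
# has not already stored one), leaving it in PAM_AUTHTOK.
auth     required    pam_unix.so try_first_pass

# The keyring module consumes PAM_AUTHTOK as a secret, not as an
# authentication result; it never decides whether the user is genuine.
# The session phase then unlocks the login keyring with that same password.
auth     optional    pam_gnome_keyring.so
session  optional    pam_gnome_keyring.so auto_start

# Only a fingerprint module that itself sets PAM_AUTHTOK to a stable secret
# (comment 6) would let the keyring unlock on Path 1, and a keyring accepts a
# single unlock password, so that secret would have to equal the login
# password unless gnome-keyring learns to accept more than one secret.
```

On a stack like this, a reader checking why the keyring prompts after a fingerprint login should confirm whether any auth module on the fingerprint branch sets PAM_AUTHTOK, since without it pam_gnome_keyring has nothing to decrypt with.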
Comment 7 Vincent Untz 2009-01-30 22:55:46 UTC
(In reply to comment #6)
> Yes certainly. I've seen (but not touched, heh) PAM fingerprint modules that
> once the correct fingerprint is provided set PAM_AUTHTOK (i.e. the password or
> secret) in the PAM context. This allows later modules to use that secret to do
> things.

Sorry, I used "or" when I meant "and" :-) Would it be possible to have the keyring be unlockable by two different secrets? (i.e., the user could unlock it with his password, or he could choose to use his fingerprint from time to time)
Comment 8 Stef Walter 2009-01-31 00:31:43 UTC
Interesting idea and use case.

Not currently possible, each keyring only has one unlock password. But it would be an interesting goal to have multiple unlock secrets.

Do you have such a device? Is this a real scenario, that we can test and develop for or more of a far reaching idea?
Comment 9 Vincent Untz 2009-01-31 00:37:49 UTC
I have a fingerprint reader on my laptop -- never used it because you still have to enter the password anyway.

I think Timo (another openSUSE guy) would be interested in helping with this (at least for the testing part). So real scenario :-)
Comment 10 Stef Walter 2009-06-26 16:21:42 UTC
*** Bug 579843 has been marked as a duplicate of this bug. ***
Comment 11 Stef Walter 2012-03-15 09:07:22 UTC
We don't have a good solution for this.

If there's a good plan on how to solve this, let's discuss it on gnome-keyring-list. I'm trying to keep gnome-keyring's bugzilla for actual work/bugs rather than plans and ideas.