GNOME Bugzilla – Bug 649572
multiple requests to unlock one keychain result in multiple prompts
Last modified: 2011-05-30 17:37:37 UTC
After auto-login, I am presented with many prompts to unlock my keyring (the prompt called by gkm_wrap_prompt_do_credential). I suspect that there is one prompt per request for access to the keyring - the reason I get 7 prompts is because 7 different programs are simultaneously trying to access passwords. Further evidence for this hypothesis is that if I enter my password correctly on the first prompt, the keyring is unlocked and I can press "Cancel" (or hit escape) on all further prompts, and all programs work as expected. If I do not enter my password on the first prompt and hit "Cancel" on all 4 prompts, then the keyring is not unlocked and eventually I get prompted again. Expected behavior: I should be prompted for my password only once. Suggested solution: Only allow one prompt at a time per keyring - either only allow one instance of auth_C_CreateObject to run at once, or queue requests for user-prompts and check whether each request is still valid before showing it to the user. Note: I don't really understand the source code, but might this issue also apply to other functions in gkm-wrap-layer.c, e.g. in auth_C_login? I have marked the severity as "normal" since it seems to affect a lot of people (see the related bugs on launchpad) Version: 2.92.92.is.2.32-1-0ubuntu2 This bug has also been reported in launchpad: https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/744929
*** Bug 649991 has been marked as a duplicate of this bug. ***
The unlock prompts should be serialized, they were designed that way. Must have been some recent change which broke this. Will look into it.
this was happening for me in f14 and still happens in f15, so it was broken at least as far back as 2.32.1 and is still broken in 3.0.1. If that helps.
Created attachment 188378 [details] [review] Patch which fixes the problem This patch represents the serialize-unlock branch, which can be found here: http://cgit.collabora.com/git/user/stefw/gnome-keyring.git/log/?h=serialize-unlock Felix, Adam, could you test this patch? I hope to include this in gnome-keyring 3.0.3 and release that sometime in the next few days. Thanks for your help!
First try looks great: rebooted, got one unlock prompt, everything seems unlocked (wireless network goes up, Evolution mail is opening). Thanks! Any chance you can look at https://bugzilla.gnome.org/show_bug.cgi?id=527361 soon too? The 'enter passphrase' dialog does not correctly steal focus in Shell (for me anyway), and it should probably actually *lock* focus the way similar dialogs are now able to in GNOME 3 / Shell.
Merged into gnome-3-0 branch (will merge into master later). Adam, as far as bug #527361, the prompting of gnome-keyring will need to be reworked to fit into the gnome-shell. I can't jump into that right now, but hopefully it will be fixed soon.
Just noticed that if I leave the system sitting with the prompt up for several minutes, it still asks twice: i'm assuming something times out and the first entry doesn't do the trick. That may be a separate issue, though.
Strange. Smells like a dbus timeout, although the prompts are specifically written not to do dbus timeouts. Hmmmm. Anything special printed in /var/log/auth.log when that happens?
i'll check it in a minute. I just noticed that on the system where I saw this, the session is now prompting me for the ssh passphrase each time I ssh anywhere, so obviously the unlock didn't entirely work either. i'll reboot and do a few more detailed tests on this in a bit.
okay, so here's some more detailed results. control test: boot up and enter the password immediately gnome-keyring requests it. Result: it doesn't ask again, the screen doesn't lock (see later...), and the first time I ssh to another machine, a graphical dialog pops up asking for the passphrase; the next time I ssh to another machine, it works without me needing to enter the passphrase again. buggy case test: boot up at 13:38 and leave the system sitting there. at 14:32, enter the password. result: it immediately asks for the password again. as soon as I enter it, the screen fades out and locks. after unlocking the screen, if I ssh to another machine, I get a prompt at the console for the passphrase (not a GUI prompt), and every subsequent ssh operation prompts at the console again. I don't have a /var/log/auth.log . I do have a /var/log/secure which has nothing relevant. I see these in /var/log/messages at around the time I did the unlock (14:32): May 27 14:32:30 vaioz gnome-keyring-daemon[1604]: gkd_secret_service_get_objects: assertion `GKD_SECRET_IS_SERVICE (self)' failed May 27 14:32:30 vaioz gnome-keyring-daemon[1604]: gkd_secret_objects_lookup_collection: assertion `GKD_SECRET_IS_OBJECTS (self)' failed May 27 14:32:31 vaioz gnome-keyring-daemon[2389]: couldn't connect to control socket at: /tmp/keyring-cXRgfr/control: Connection refused May 27 14:32:31 vaioz gnome-keyring-prompt: Gtk: Failed to load module "pk-gtk-module" May 27 14:32:31 vaioz gnome-keyring-prompt: could not grab keyboard: not viewable May 27 14:32:31 vaioz gnome-keyring-prompt: could not grab keyboard: not viewable should I file another bug for this, now?
Thanks for the patch. Unfortunately it didn't seem to work for me, but it's quite possibly my fault since I don't really know what I'm doing. I'm on Ubuntu 11.04, and I applied the patch to lp:ubuntu/natty/gnome-keyring, the latest revision (tagged with 2.92.92.is.2.32.1-0ubuntu2). In order to get the patch to apply, I had to manually edit the patch, replacing gck with gp11. It then seemed to compile and install OK (following the instructions in the INSTALL file). But after a reboot I'm still asked twice to unlock the one keychain. Did I stuff something up, or am I suffering from another issue?
(In reply to comment #10) > should I file another bug for this, now? Yes please. We'll probably need to do some back and forth to figure out how those assertions are happening. (In reply to comment #11) > Thanks for the patch. Unfortunately it didn't seem to work for me, but it's > quite possibly my fault since I don't really know what I'm doing. I'm on > Ubuntu 11.04, and I applied the patch to lp:ubuntu/natty/gnome-keyring, the > latest revision (tagged with 2.92.92.is.2.32.1-0ubuntu2). Could you get in touch with the Ubuntu guys then? They've chosen to use an older version of gnome-keyring + some patches, so they would probably be keen to help you backport this particular patch.
New bug filed as https://bugzilla.gnome.org/show_bug.cgi?id=651486 .