As some may remember, we turned automatic unlocking of keyrings at login time off at a late time in the F8 schedule, since it was not working properly with our pam configuration.
pam has meanwhile gained a new feature that will hopefully allow this to work reliably (substack). I have built gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9 in rawhide with this turned on.
Please try it and tell me if it works for you.
Matthias
Fri, 30 11 2007 at 11:38 -0500, Matthias Clasen wrote:
> As some may remember, we turned automatic unlocking of keyrings at login time off at a late time in the F8 schedule, since it was not working properly with our pam configuration.
> pam has meanwhile gained a new feature that will hopefully allow this to work reliably (substack). I have built gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9 in rawhide with this turned on.
> Please try it and tell me if it works for you.
Works for me on my Rawhide x86_64 box. Excellent I was getting tired of unlocking that thing manually to get connected to the wifi on lock in.
- David
On Fri, 2007-11-30 at 18:10 +0100, David Nielsen wrote:
> Fri, 30 11 2007 at 11:38 -0500, Matthias Clasen wrote:
> > As some may remember, we turned automatic unlocking of keyrings at login time off at a late time in the F8 schedule, since it was not working properly with our pam configuration.
> > pam has meanwhile gained a new feature that will hopefully allow this to work reliably (substack). I have built gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9 in rawhide with this turned on.
> > Please try it and tell me if it works for you.
> Works for me on my Rawhide x86_64 box. Excellent I was getting tired of unlocking that thing manually to get connected to the wifi on lock in.
This is great news. If things look good I vote for pushing this to our F8 users. I will test it on F8 and report back.
Jon
On Fri, 2007-11-30 at 15:32 -0500, Jon Nettleton wrote:
> On Fri, 2007-11-30 at 18:10 +0100, David Nielsen wrote:
> > Fri, 30 11 2007 at 11:38 -0500, Matthias Clasen wrote:
> > > As some may remember, we turned automatic unlocking of keyrings at login time off at a late time in the F8 schedule, since it was not working properly with our pam configuration.
> > > pam has meanwhile gained a new feature that will hopefully allow this to work reliably (substack). I have built gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9 in rawhide with this turned on.
> > > Please try it and tell me if it works for you.
> > Works for me on my Rawhide x86_64 box. Excellent I was getting tired of unlocking that thing manually to get connected to the wifi on lock in.
> This is great news. If things look good I vote for pushing this to our F8 users. I will test it on F8 and report back.
It'll have to wait for substack support in the F8 pam, though. I don't know what Tomas' plans are for that. Tomas ?
On Fri, 2007-11-30 at 11:38 -0500, Matthias Clasen wrote:
> As some may remember, we turned automatic unlocking of keyrings at login time off at a late time in the F8 schedule, since it was not working properly with our pam configuration.
> pam has meanwhile gained a new feature that will hopefully allow this to work reliably (substack). I have built gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9 in rawhide with this turned on.
> Please try it and tell me if it works for you.
Nice work. Almost there:
1. Logging in via fingerprint auth; doesn't work.. but that's expected
2. Logging in via password; unlocking keyring works fine
3. Change password
4. Logging in via password; doesn't unlock keyring
5. Change back to old password
6. Logging in via password; unlocking keyring works fine
So I think you're missing the bit where the keyring password is updated.
HTH, David
On Fri, 2007-11-30 at 16:25 -0500, David Zeuthen wrote:
> On Fri, 2007-11-30 at 11:38 -0500, Matthias Clasen wrote:
> > As some may remember, we turned automatic unlocking of keyrings at login time off at a late time in the F8 schedule, since it was not working properly with our pam configuration.
> > pam has meanwhile gained a new feature that will hopefully allow this to work reliably (substack). I have built gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9 in rawhide with this turned on.
> > Please try it and tell me if it works for you.
> Nice work. Almost there:
> 1. Logging in via fingerprint auth; doesn't work.. but that's expected
That'll work once you engrave your password on your fingertip, I guess.
> 2. Logging in via password; unlocking keyring works fine
> 3. Change password
> 4. Logging in via password; doesn't unlock keyring
This would work if we added gnome-keyring support to /etc/pam.d/passwd. The bug against authconfig to do that is still open:
On Fri, 2007-11-30 at 16:43 -0500, Matthias Clasen wrote:
> On Fri, 2007-11-30 at 16:25 -0500, David Zeuthen wrote:
<snip>
> > 1. Logging in via fingerprint auth; doesn't work.. but that's expected
> That'll work once you engrave your password on your fingertip, I guess.
Or have the password updated in the fingerprint blob...
On Sat, 2007-12-01 at 00:33 +0000, Bastien Nocera wrote:
> On Fri, 2007-11-30 at 16:43 -0500, Matthias Clasen wrote:
> > On Fri, 2007-11-30 at 16:25 -0500, David Zeuthen wrote:
> <snip>
> > > 1. Logging in via fingerprint auth; doesn't work.. but that's expected
> > That'll work once you engrave your password on your fingertip, I guess.
> Or have the password updated in the fingerprint blob...
That is how it was addressed when I first took over pam_keyring. Pam_bio_api (relying on unix permissions for secrecy) had an embedded pass-phrase in the BIR. This allowed their pam-module to authenticate on finger-print scan then populate the AUTHTOKEN of the pam stack with the passphrase and pass it along to other pam modules. Could be implemented better, but has the correct idea.
Jon
Matthias Clasen wrote:
> As some may remember, we turned automatic unlocking of keyrings at login time off at a late time in the F8 schedule, since it was not working properly with our pam configuration.
> pam has meanwhile gained a new feature that will hopefully allow this to work reliably (substack). I have built gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9 in rawhide with this turned on.
> Please try it and tell me if it works for you.
> Matthias
This is actually working for me on F8 using:
gdm-2.20.2-2.fc8 and gnome-keyring-2.20.2-1.fc8
The only thing I think I changed was to move pam_gnome_keyring.so above the system-auth line in /etc/pam.d/gdm.
If this is not supposed to work, what am I missing? It definitely unlocks the keyring for nm_applet, evolution and various server connections.
/Thomas
On Sat, 2007-12-15 at 22:26 -0300, Thomas M Steenholdt wrote:
> Matthias Clasen wrote:
> > As some may remember, we turned automatic unlocking of keyrings at login time off at a late time in the F8 schedule, since it was not working properly with our pam configuration.
> > pam has meanwhile gained a new feature that will hopefully allow this to work reliably (substack). I have built gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9 in rawhide with this turned on.
> > Please try it and tell me if it works for you.
> > Matthias
> This is actually working for me on F8 using:
> gdm-2.20.2-2.fc8 and gnome-keyring-2.20.2-1.fc8
> The only thing I think I changed was to move pam_gnome_keyring.so above the system-auth line in /etc/pam.d/gdm.
> If this is not supposed to work, what am I missing? It definitely unlocks the keyring for nm_applet, evolution and various server connections.
That "works", but is not ideal, as it means the keyring pam daemon will ask for the password instead of using the cached result from the system-auth result. This is clearly a problem if you mistype your password...
The solution is to fix the system-auth so that it runs and then runs the pam modules after it. This is fixed in rawhide with the pam-stacks support, I believe.
Alexander Larsson wrote:
> That "works", but is not ideal, as it means the keyring pam daemon will ask for the password instead of using the cached result from the system-auth result. This is clearly a problem if you mistype your password...
> The solution is to fix the system-auth so that it runs and then runs the pam modules after it. This is fixed in rawhide with the pam-stacks support, I believe.
Hi
I'm only asked to enter the password once (on login by gdm). Even if I typed the password incorrectly, that wouldn't mean problems, since I wouldn't be logged in in the first place, so how could it be causing problems. Once I enter my password correctly, it caches the correct password and uses that to unlock the keyring.
Although I agree that fixing system-auth is the right thing to do anyways (because it makes local mods so much easier), this actually appears to be working fine just the same.
Perhaps I misunderstand you, please enlighten me if you feel that I do.
Thanks.
/Thomas
On Mon, 2007-12-17 at 17:03 -0300, Thomas M Steenholdt wrote:
> Alexander Larsson wrote:
> > That "works", but is not ideal, as it means the keyring pam daemon will ask for the password instead of using the cached result from the system-auth result. This is clearly a problem if you mistype your password...
> > The solution is to fix the system-auth so that it runs and then runs the pam modules after it. This is fixed in rawhide with the pam-stacks support, I believe.
> Hi
> I'm only asked to enter the password once (on login by gdm). Even if I typed the password incorrectly, that wouldn't mean problems, since I wouldn't be logged in in the first place, so how could it be causing problems. Once I enter my password correctly, it caches the correct password and uses that to unlock the keyring.
The problem is not that you need to enter the password multiple times, that password is saved and reused for later pam modules. In fact this is how pam-keyring is meant to work, system-auth asks for the password, it's saved and then pam-keyring reads this and uses it to try to unlock the keyring.
However, if pam-keyring is run first then it is the one asking for the password instead of system-auth, and system-auth is the part using the saved password. This is a problem, because pam-keyring can't do things like verifying the password you entered is correct, or ask again if it is not. I'm not sure what the exact result will be in this case, but it's not ideal.
desktop@lists.stg.fedoraproject.org
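
The ordering problem Alexander Larsson describes in the last message, and the missing gnome-keyring line in /etc/pam.d/passwd that Matthias Clasen mentions earlier in the thread, can both be checked mechanically. The following is an added example, not code from the thread or from the pam or gnome-keyring projects; the function names, finding labels and sample service files are constructed for illustration.

```python
import re

KEYRING = "pam_gnome_keyring.so"
# type, control (simple keyword or [bracketed] form), module; leading "-" allowed
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def rules(text):
    """Return (type, control, module) for each rule in a pam.d service file."""
    out = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            out.append(m.groups())
    return out

def auth_order(text, pulled="system-auth"):
    """Classify where the keyring module sits relative to system-auth."""
    auth = [(c, m) for t, c, m in rules(text) if t == "auth"]
    key = [i for i, (_, m) in enumerate(auth) if m == KEYRING]
    pull = [(i, c) for i, (c, m) in enumerate(auth)
            if c in ("include", "substack") and m == pulled]
    if not key or not pull:
        return "not-applicable"
    pos, control = pull[0]
    if key[0] < pos:
        # The case discussed in the thread: the keyring module prompts itself
        # and cannot verify or re-ask for a mistyped password.
        return "keyring-before-system-auth"
    if control == "include":
        # Per pam.conf(5), a "done" action inside an included file ends the
        # whole stack, so rules placed after the include may never run.
        return "keyring-after-include"
    return "ok"

def updates_keyring_on_change(text):
    """True if the password stack also calls the keyring module."""
    return any(t == "password" and m == KEYRING for t, _, m in rules(text))

# Constructed sample service files (not copied from any Fedora release).
GDM_MOVED = """auth required pam_env.so
auth optional pam_gnome_keyring.so
auth include system-auth"""
GDM_INCLUDE = """auth required pam_env.so
auth include system-auth
auth optional pam_gnome_keyring.so"""
GDM_SUBSTACK = """auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so   # reads the saved password"""
PASSWD_PLAIN = "password substack system-auth"
PASSWD_KEYRING = PASSWD_PLAIN + "\n-password optional pam_gnome_keyring.so"
```

On a real system the same functions can be pointed at the contents of /etc/pam.d/gdm and /etc/pam.d/passwd.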