21Feb/0733
Unlock the Gnome keyring upon login
If you are a Ubuntu and a network manager user, you have probably seen the following dialog, and you are probably sick of it too.
Yes, it will pop-up when you have logged in and even when you resume from sleep in Feisty Fawn. How about getting rid of this dialog forever? If you are running Ubuntu Feisty Fawn, you are in luck. Do this:
sudo apt-get install libpam-keyring
The next step is to actually make use of this PAM plug-in. Edit /etc/pam.d/gdm and add the following in the bottom:
auth optional pam_keyring.so try_first_pass
session optional pam_keyring.so
Log out and back in, and the Gnome keyring will be opened by your login!
Tags
apple
backup
book
debian
email
game
google
gtd
guide
hosting
htpc
im
india
iphone
lens
linux
mac
mail
media
music
nikon
photo
photowalk
plugin
politics
portable
Project365
published
reading
review
security
server
social
software
spam
stockholm
theme
twitter
ubuntu
vfr
web
website
windows
wordpress
writing
Categories
Misc
Lifestream
-
@cassiopeja You need to start drinking coffee. ;) [johnnychadda]
-
@cassiopeja You can always sleep after the lecture. :) [johnnychadda]
-
-
Shared 20 photos.
-
Finally got the new Facebook design. :-) [johnnychadda]
-
RT @cassiopeja: That is made of awesome: http://www.newgrounds.com/portal/view/525347 [johnnychadda]
-
-
RT @JesperBylund: Chris at #geekmeetsthlm best advice to avoid crashes: "don't use flash" I can hear jobs opening champagne... [johnnychadda]
-
Superbowl took its toll. We'll see if I can stay awake to attend #GeekMeet in a while. [johnnychadda]
-
@dth tr3tt1 [johnnychadda]
February 22nd, 2007 - 01:34
Oh the pain, the pain! Why can’t this be in Edgy?
Time to go backport hunting.
February 22nd, 2007 - 01:57
Just two months left until the Feisty release, so if you don’t want to run beta software just hang in there.
February 22nd, 2007 - 02:31
Hi,
I really agree that wireless in Feisty rocks hard!
One comment: The example dialouge box on your page that asks about password for “default keyring”. I was wondering if a different wording might be better. I am not really sure that I understand what a keyring is, and I am even less sure that someone new to Linux would. Do you think there could be a more user friendly wording?
Keep up the good work
February 22nd, 2007 - 02:38
Well yes, that specific dialog is not from the network manager since that doesn’t show up anymore. I just used another one laying around, but you are right, I should have been more clear.
Regarding the keyring, it is basically an encrypted storage for your password. You can view it in the Keyring manager found in the Control center.
Thanks!
February 22nd, 2007 - 17:03
I think it should be the default in Feisty. So I reported a bug :
https://bugs.launchpad.net/ubuntu/ source/gnome-keyring/ bug/87070
February 24th, 2007 - 08:15
It’s better to follow the README.Debian instructions and instead append the following to the end of /etc/pam.d/gdm:
@include common-pamkeyring
February 24th, 2007 - 09:08
Good call, I’ll try it out. Thanks!
March 5th, 2007 - 11:57
Only it does not work when one uses autologin – which means that the users who would want this the most (i.e. those who are too lazy to even log in – for example, me) cannot use it. I contacted the developer so I hope this gets fixed.
March 5th, 2007 - 12:07
I have never used autologin, but try adding this to /etc/pam.d/gdm-autologin instead:
@include common-pamkeyring
March 6th, 2007 - 19:27
Doesn’t this mean you are using the same plaintext password for both your login as well as keyring? Otherwise how would this work?
March 6th, 2007 - 19:49
Well, yes. The password isn’t stored anywhere on the system though. pam-keyring just passes on the authentication to the Gnome Keyring daemon. Read more at the website of libpam-keyring
I guess you could argue that it would not be a good security practice to use the same password, but that is one security trade-off I am willing to do for the sake of usability. You could always lock the keyring manually if you don’t have a habit of locking your computer when you are not there.
March 27th, 2007 - 12:56
Hi there-
I tried this out, and was quite excited. I installed and edited the gdm file, and logged out, preparing for a satisfying log-in. Only to find that I could no longer log in.
After installing libpam_keyring I cant log in to gnome at all, but I can go to command line and work from there.
Do you have any suggestions?
March 30th, 2007 - 08:07
Well, I’m guessing you replaced the entries in the /etc/pam.d/gdm file with @include common-pamkeyring, but you must only append it to the already existing lines.
April 13th, 2007 - 01:27
I’ve tried that, and I still have to enter the keyring password every time I boot up. But I’m also using kdm to log in (instead of gdm) because I use KDE about 75% of the time. Could that be the problem, and if it is, how can I fix the keyring password problem for my situation?
April 13th, 2007 - 15:24
Yes, kdm is the problem. Add it to the /etc/pam.d/kdm file instead.
Note that this will only work using the Gnome keyring, and not the one in Kde.
April 18th, 2007 - 22:40
Thanks Johnny and commenters! This was really winding me up. It does seem mad to be prompted for a password just after entering your login/password.
April 19th, 2007 - 08:51
Great that you found it useful. The Ubuntu people should probably have done this by default, or at least given users the option when using the keyring for the first time.
April 27th, 2007 - 02:22
Hi,
I’m new to linux so please hear me out.
I have three question about the above information.
When you say
Edit /etc/pam.d/gdm and add the following in the bottom:
auth optional pam_keyring.so try_first_pass
session optional pam_keyring.so
1. Edit using the text editor? I tried that but I can’t save because I don’t have permissions on that file.
2. In the second part, after ‘pass’ do you hit the enter key or a space to continue typing?
3. Are there any special little characters that I need to enter in that second part? Prefix or something?
Thanks again.
Miguel
April 27th, 2007 - 10:32
Do as Scott pointed out and write this instead:
@include common-pamkeyring
To edit the file in the Gnome text editor, open a terminal and write gksudo gedit /etc/pam.d/gdm and it should open up the file as the root user. Just add the above line to the bottom, save and you should be all set.
Good luck.
September 2nd, 2007 - 14:48
That worked – putting “@include common-pamkeyring” in /etc/pam.d/gdm-autologin did give my no-password user wireless access without having to enter a password to unlock the keyring. Thanks!
September 2nd, 2007 - 17:06
Great! Thanks for sharing the information.
September 2nd, 2007 - 19:24
Whoops – I wrote too soon. The “unlock keyring” prompt for an autologin user seems to be bypassed only after some user has already unlocked the keyring.
Here is how I tested it:
Immediately after booting my laptop, logging in as the autologin user triggered the “unlock keyring” prompt, even after adding “@include common-pamkeyring” to /etc/pam.d/gdm-autologin. I entered the keyring password and was connected to the wireless network. I then logged off, logged in again as the autologin user, and did NOT get the “unlock keyring” prompt. Likewise, if I booted the laptop, logged in as a passworded user (who automatically unlocked the keyring because “@include common-pamkeyring” in in /etc/pam.d/gdm), logged off, and logged in as the autologin user, I did NOT get the “unlock keyring” prompt.
Seems a bit odd that the system remembers whether the keyring was unlocked after the user who unlocked it has logged off – but maybe that’s why they call it “common” (like “shared”?). Anyway, I wish I could just add users to a group to indicate who should get automatic access to my wireless network.
September 3rd, 2007 - 11:35
Yes, perhaps it’s best to not use auto-login? A simple password could perhaps be an alternative.
Is the keyring for the auto-login user without a password? Otherwise it will not work.
November 6th, 2007 - 11:38
I am setting up 10 machines with ubuntu at an office and they don’t want to have to type any passwords when starting the computer. I am using auto-login and I have tried the fix on this page to get past the keyring manager but it doesn’t work for auto-login.
all the passwords are just set to “password”. is there some way that I can put the actual password directly into the configuration file so that the keyring always knows it. security is not an issue and the password will never change
November 11th, 2007 - 16:16
Not sure to be honest, but perhaps adding “@include common-pamkeyring” to /etc/pam.d/gdm-autologin and reset the keyrings could help.
Gutsy comes with this automatically, but I am not sure if it works with passwordless logins.
March 29th, 2008 - 07:27
Any word on this for guesy (7.10)?
July 9th, 2008 - 17:02
Hi, I’ve tried that in Hardy.
The package to install is libpam-gnome-keyring.
However, it still requires the password to unlock keyring.
I do login with by means of fingerprint reader.
Please help…
Thanks!
October 28th, 2008 - 16:51
Works great in Fedora 8 too, just install the module using this command:
yum install pam_keyring
and edit the config file as above.
Thanks!
May 14th, 2009 - 14:00
this works!!! i have intrepid and I really needed this and couldn't find it anywhere
the advice in https://help.ubuntu.com/community/NetworkManager gave me infinite authentication error dialogs
May 15th, 2009 - 02:43
I'm glad it worked out for you!
October 2nd, 2009 - 13:20
Just forget about unlocking automatically default keyring if you are using fingerprint authorization on login.
Automatic unlocking relays on capturing password you typed in.
https://bugs.launchpad.net/gnome-keyring/+bug/276384
October 2nd, 2009 - 14:48
Too bad! Hopefully it will be fixed in an upcoming release. (if it’s at all possible)
January 11th, 2010 - 02:54
Does not work.
Did all above steps, here is my GDM:
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password
auth optional pam_keyring.so try_first_pass
session optional pam_keyring.so
@include common-pamkeyring
Reboot (autologin), get the same annoying window again. Too annoying, booting Windows.