Unlock the Gnome keyring upon login

Note: This might not work in Ubuntu 10, and may cause problems. Use at your own risk!

If you are a Ubuntu and a network manager user, you have probably seen the following dialog, and you are probably sick of it too.

keyring.png

Yes, it will pop-up when you have logged in and even when you resume from sleep in Feisty Fawn. How about getting rid of this dialog forever? If you are running Ubuntu Feisty Fawn, you are in luck. Do this:

sudo apt-get install libpam-keyring

The next step is to actually make use of this PAM plug-in. Edit /etc/pam.d/gdm and add the following in the bottom:

@include common-pamkeyring

Log out and back in, and the Gnome keyring will be opened by your login!

Edit: Changed the includes from the following:

auth optional pam_keyring.so try_first_pass
session optional pam_keyring.so

64 thoughts on “Unlock the Gnome keyring upon login”

  1. Hi,

    I really agree that wireless in Feisty rocks hard!

    One comment: The example dialouge box on your page that asks about password for “default keyring”. I was wondering if a different wording might be better. I am not really sure that I understand what a keyring is, and I am even less sure that someone new to Linux would. Do you think there could be a more user friendly wording?

    Keep up the good work :)

  2. [quote comment="18834"]Hi,

    I really agree that wireless in Feisty rocks hard!

    One comment: The example dialouge box on your page that asks about password for “default keyring”. I was wondering if a different wording might be better. I am not really sure that I understand what a keyring is, and I am even less sure that someone new to Linux would. Do you think there could be a more user friendly wording?

    Keep up the good work :)[/quote]
    Well yes, that specific dialog is not from the network manager since that doesn’t show up anymore. I just used another one laying around, but you are right, I should have been more clear.

    Regarding the keyring, it is basically an encrypted storage for your password. You can view it in the Keyring manager found in the Control center.

    Thanks!

  3. [quote comment="19192"]It’s better to follow the README.Debian instructions and instead append the following to the end of /etc/pam.d/gdm:

    @include common-pamkeyring[/quote]
    Good call, I’ll try it out. Thanks!

  4. Only it does not work when one uses autologin – which means that the users who would want this the most (i.e. those who are too lazy to even log in – for example, me) cannot use it. I contacted the developer so I hope this gets fixed.

  5. [quote comment="21666"]Only it does not work when one uses autologin – which means that the users who would want this the most (i.e. those who are too lazy to even log in – for example, me) cannot use it. I contacted the developer so I hope this gets fixed.[/quote]
    I have never used autologin, but try adding this to /etc/pam.d/gdm-autologin instead:
    @include common-pamkeyring

  6. [quote comment="22065"]Doesn’t this mean you are using the same plaintext password for both your login as well as keyring? Otherwise how would this work?[/quote]
    Well, yes. The password isn’t stored anywhere on the system though. pam-keyring just passes on the authentication to the Gnome Keyring daemon. Read more at the website of libpam-keyring

    I guess you could argue that it would not be a good security practice to use the same password, but that is one security trade-off I am willing to do for the sake of usability. You could always lock the keyring manually if you don’t have a habit of locking your computer when you are not there.

  7. Hi there-
    I tried this out, and was quite excited. I installed and edited the gdm file, and logged out, preparing for a satisfying log-in. Only to find that I could no longer log in.

    After installing libpam_keyring I cant log in to gnome at all, but I can go to command line and work from there.

    Do you have any suggestions?

  8. [quote comment="27063"]After installing libpam_keyring I cant log in to gnome at all, but I can go to command line and work from there.

    Do you have any suggestions?[/quote]
    Well, I’m guessing you replaced the entries in the /etc/pam.d/gdm file with @include common-pamkeyring, but you must only append it to the already existing lines.

  9. I’ve tried that, and I still have to enter the keyring password every time I boot up. But I’m also using kdm to log in (instead of gdm) because I use KDE about 75% of the time. Could that be the problem, and if it is, how can I fix the keyring password problem for my situation?

  10. [quote comment="29231"]I’ve tried that, and I still have to enter the keyring password every time I boot up. But I’m also using kdm to log in (instead of gdm) because I use KDE about 75% of the time. Could that be the problem, and if it is, how can I fix the keyring password problem for my situation?[/quote]
    Yes, kdm is the problem. Add it to the /etc/pam.d/kdm file instead.

    Note that this will only work using the Gnome keyring, and not the one in Kde.

  11. [quote comment="29877"]Thanks Johnny and commenters! This was really winding me up. It does seem mad to be prompted for a password just after entering your login/password.[/quote]
    Great that you found it useful. The Ubuntu people should probably have done this by default, or at least given users the option when using the keyring for the first time.

  12. Hi,
    I’m new to linux so please hear me out.

    I have three question about the above information.

    When you say

    Edit /etc/pam.d/gdm and add the following in the bottom:

    auth optional pam_keyring.so try_first_pass
    session optional pam_keyring.so

    1. Edit using the text editor? I tried that but I can’t save because I don’t have permissions on that file.

    2. In the second part, after ‘pass’ do you hit the enter key or a space to continue typing?

    3. Are there any special little characters that I need to enter in that second part? Prefix or something?

    Thanks again.

    Miguel

  13. [quote comment="30768"]1. Edit using the text editor? I tried that but I can’t save because I don’t have permissions on that file.

    2. In the second part, after ‘pass’ do you hit the enter key or a space to continue typing?

    3. Are there any special little characters that I need to enter in that second part? Prefix or something?[/quote]
    Do as Scott pointed out and write this instead:

    @include common-pamkeyring

    To edit the file in the Gnome text editor, open a terminal and write gksudo gedit /etc/pam.d/gdm and it should open up the file as the root user. Just add the above line to the bottom, save and you should be all set.

    Good luck.

  14. [quote comment="21669"][quote comment="21666"]Only it does not work when one uses autologin – which means that the users who would want this the most (i.e. those who are too lazy to even log in – for example, me) cannot use it. I contacted the developer so I hope this gets fixed.[/quote]
    I have never used autologin, but try adding this to /etc/pam.d/gdm-autologin instead:
    @include common-pamkeyring[/quote]
    That worked – putting “@include common-pamkeyring” in /etc/pam.d/gdm-autologin did give my no-password user wireless access without having to enter a password to unlock the keyring. Thanks!

  15. [quote comment="43706"]That worked – putting “@include common-pamkeyring” in /etc/pam.d/gdm-autologin did give my no-password user wireless access without having to enter a password to unlock the keyring. Thanks![/quote]
    Great! Thanks for sharing the information.

  16. [quote comment="43716"][quote comment="43706"]That worked – putting “@include common-pamkeyring” in /etc/pam.d/gdm-autologin did give my no-password user wireless access without having to enter a password to unlock the keyring. Thanks![/quote]
    Great! Thanks for sharing the information.[/quote]
    Whoops – I wrote too soon. The “unlock keyring” prompt for an autologin user seems to be bypassed only after some user has already unlocked the keyring.

    Here is how I tested it:
    Immediately after booting my laptop, logging in as the autologin user triggered the “unlock keyring” prompt, even after adding “@include common-pamkeyring” to /etc/pam.d/gdm-autologin. I entered the keyring password and was connected to the wireless network. I then logged off, logged in again as the autologin user, and did NOT get the “unlock keyring” prompt. Likewise, if I booted the laptop, logged in as a passworded user (who automatically unlocked the keyring because “@include common-pamkeyring” in in /etc/pam.d/gdm), logged off, and logged in as the autologin user, I did NOT get the “unlock keyring” prompt.

    Seems a bit odd that the system remembers whether the keyring was unlocked after the user who unlocked it has logged off – but maybe that’s why they call it “common” (like “shared”?). Anyway, I wish I could just add users to a group to indicate who should get automatic access to my wireless network.

  17. [quote comment="43717"]Whoops – I wrote too soon. The “unlock keyring” prompt for an autologin user seems to be bypassed only after some user has already unlocked the keyring.[/quote]
    Yes, perhaps it’s best to not use auto-login? A simple password could perhaps be an alternative.

    Is the keyring for the auto-login user without a password? Otherwise it will not work.

  18. I am setting up 10 machines with ubuntu at an office and they don’t want to have to type any passwords when starting the computer. I am using auto-login and I have tried the fix on this page to get past the keyring manager but it doesn’t work for auto-login.

    all the passwords are just set to “password”. is there some way that I can put the actual password directly into the configuration file so that the keyring always knows it. security is not an issue and the password will never change

  19. [quote comment="47760"]I am setting up 10 machines with ubuntu at an office and they don’t want to have to type any passwords when starting the computer. I am using auto-login and I have tried the fix on this page to get past the keyring manager but it doesn’t work for auto-login.

    all the passwords are just set to “password”. is there some way that I can put the actual password directly into the configuration file so that the keyring always knows it. security is not an issue and the password will never change[/quote]
    Not sure to be honest, but perhaps adding “@include common-pamkeyring” to /etc/pam.d/gdm-autologin and reset the keyrings could help.

    Gutsy comes with this automatically, but I am not sure if it works with passwordless logins.

  20. Hi, I’ve tried that in Hardy.
    The package to install is libpam-gnome-keyring.
    However, it still requires the password to unlock keyring.
    I do login with by means of fingerprint reader.
    Please help…
    Thanks!

  21. Works great in Fedora 8 too, just install the module using this command:
    yum install pam_keyring
    and edit the config file as above.

    Thanks!

  22. Does not work.
    Did all above steps, here is my GDM:
    #%PAM-1.0
    auth requisite pam_nologin.so
    auth required pam_env.so readenv=1
    auth required pam_env.so readenv=1 envfile=/etc/default/locale
    @include common-auth
    auth optional pam_gnome_keyring.so
    @include common-account
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
    session required pam_limits.so
    @include common-session
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
    session optional pam_gnome_keyring.so auto_start
    @include common-password
    auth optional pam_keyring.so try_first_pass
    session optional pam_keyring.so
    @include common-pamkeyring

    Reboot (autologin), get the same annoying window again. Too annoying, booting Windows.

  23. On Ubuntu 9.10 this failed for me. Added @include common-pamkeyring to bottom of both /etc/pam.d/gdm-autologin and /etc/pam.d/gdm

    Resulted in me unable to login to my user upon reboot. Was able to use install live mode to recover by undoing modifications.

      1. I strongly suggest you put something at the top of this article to point out to Ubuntu 9/10 users that doing this will break your system – it’s causing a lot of grief for people!

    1. Great! I’ll paste the tips here for reference:

      1. Right click on the NM icon in your panel and select Edit Connections and open the Wireless tab
      2. Select the connection you want to work with and click the Edit button
      3. Check the boxes “Connect Automatically” and “Available to all users”
  24. Yes, the file common-pamkeyring doesn’t exist anymore since Ubuntu 9.10 or 9.04. After trying all things I’ve found on the web, I could finally solve the initial issue by just deleting the following file: ~/.gnome2/keyrings/login.keyring.

    1. double confirmed! after checking the “automatically connect” and “available to everyone” boxes in edit networks, the wireless works off the bat w/o a login. no problems so far – thanks!!! ~~~

    2. All passwords seems to be lost for that specific keyring. Not that surprising! After setting up my Ubuntu One account again the annoying “login” popped up again. Please help.

  25. I appreciate that this may not be the right way to go about it but I have managed to get this to work for me.

    I currently have Ubuntu running on an old computer which I use as a file-server, ftp -server, http intranet server and fuppes media server. I was set to auto login and run fuppes on startup so that all I had to do was switch on and everything worked. I would use VNC to control the server and did not need a keyboard or screen attached to the server.

    I recently upgraded to 10.04 Lucid and found I had the annoying problem that it would not connect to the network without putting in my password again to unlock the key-ring which meant that I could not use VNC to control the server. I tried different methods including setting the keyring password to nul (blank) and playing with “sudo apt-get install libpam-keyring” but without any success. So in desperation, I stopped the keyring apps from starting in the first place.

    System|Preferences|Startup Applications:

    unticked the following:
    Bluetooth Manager – Don’t need it, not running anything bluetooth.
    Certificate and Key Storage.
    Secret Storage Service..
    Ubuntu One – Don’t need it
    Visual Assistance – Don’t need it.

    Now, it runs and connects without issue or password request. Just tested ftp and that works fine too. Http working fine. Shared directories are fine. Now I just need to get my fuppes to run on startup and I’ll be happy.

    If you need to use “Certificate and Key Storage” and “Secret Storage Service” then this probably won’t help you but I think it would indicate that there is a problem either with these services or the way they communicate with other services. I confess to being a complete Ubuntu noob but I hope this points people in the right direction.

    1. I sadly don’t use Ubuntu on my primary computer these days, so it’s hard for me to keep up with these kind of things. I can do a virtual installation and poke around for a bit when I have the time.

  26. ?????????? ??????? ??? ????????? ???????????????? ??? ???? ? ?????? ????????????????? ??? ???????? ? ?????????????????? ????? ? ???? ?????? ???????????? ??????? ?????????????? ?????????? ???? ???????????????? ????? ???? ? ???????????????????? ????? ????????????? ? ?????? ??????????????? ????? ???????? ?? 10 ?? ?? ?????????? ?? ?????? ?????? ???????????????????? ?? ????? ???????????????????? ??????? ??? ????????? ??????????? ? ????? ? ??????? ????????? ??? ?????????????????? ?? ?????????????? ????? ????????????? ?? ???????? ?????????????? ???????? ???? ????????? ?????????????? ??? ????????? ????????

  27. Mindset vs. Instruction The opening thing that we need to the hang of back turning dreams into reality is that we last will and testament requirement two
    noticeable attributes. We necessary to suffer with both the right-wing Proficiency and a positive Mindset. Diverse people consign to oblivion everywhere Mindset and
    consequently are more likely to be found lacking in their attempts to get what they hankering, when they want. As you can over the feign of achieving
    anything is mostly having the preferred mindset. In fact it is not far from ? Mindset and ? Knowledge. Having the right Grasp is pretty
    straightforward, it is wisdom the skills and strategies required to sell in the tasks you desire mount fit yourself.
    The Mindset however is something the many people attempt with . To have in the offing a uphold Mindset means that you are highly Motivated and be subjected to the Determination and Inclination Power required to put out the sacrifices you will-power need to make.

Leave a Reply