
February 21, 2007


Unlock the Gnome keyring upon login

Note: This might not work in Ubuntu 10, and may cause problems. Use at your own risk!

If you use Ubuntu with NetworkManager, you have probably seen the following dialog, and you are probably sick of it too.

[Image: keyring.png]

Yes, it will pop up after you have logged in, and even when you resume from sleep in Feisty Fawn. How about getting rid of this dialog forever? If you are running Ubuntu Feisty Fawn, you are in luck. Do this:

sudo apt-get install libpam-keyring

The next step is to actually make use of this PAM plug-in. Edit /etc/pam.d/gdm and add the following at the bottom:

@include common-pamkeyring

Log out and back in, and the Gnome keyring will be opened by your login!

Edit: Changed the includes from the following:

auth optional pam_keyring.so try_first_pass
session optional pam_keyring.so
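
A guarded way to make the edit above, as an added example that is not part of the original post: the function appends the include line to the existing file instead of replacing its contents (the mistake discussed in the comments), keeps a backup, and refuses to edit when the included file is absent. The function name, the `.bak` suffix and the missing-file check are assumptions of this example; the post does not state what caused the lockouts reported on later Ubuntu releases.

```shell
#!/bin/sh
# Added example (not from the original post). Appends
# "@include common-pamkeyring" to a PAM service file such as gdm.
# add_keyring_include and the .bak suffix are names chosen for this example.

add_keyring_include() {
    pam_dir=$1                      # e.g. /etc/pam.d
    service=$2                      # e.g. gdm, gdm-autologin, kdm
    include=common-pamkeyring
    target="$pam_dir/$service"

    if [ ! -f "$target" ]; then
        echo "no such PAM service file: $target" >&2
        return 2
    fi
    # Assumption of this example: never reference an include file that is
    # not installed (libpam-keyring is expected to provide it).
    if [ ! -f "$pam_dir/$include" ]; then
        echo "$pam_dir/$include not found; leaving $target untouched" >&2
        return 3
    fi
    # Idempotent: do nothing if an active (uncommented) include already exists.
    if grep -Eq "^[[:space:]]*@include[[:space:]]+$include[[:space:]]*\$" "$target"; then
        return 0
    fi
    # Keep a copy (mode and timestamps preserved) so the change can be
    # undone from a console or live session.
    cp -p "$target" "$target.bak" || return 4
    # Append only; the existing auth/account/session lines must stay.
    if [ -s "$target" ] && [ -n "$(tail -c 1 "$target")" ]; then
        printf '\n' >> "$target"    # file lacked a trailing newline
    fi
    printf '@include %s\n' "$include" >> "$target"
}

# Usage (as root): add_keyring_include /etc/pam.d gdm
```

Keep a root shell open on another console until a fresh graphical login has succeeded, so the `.bak` copy can be restored if it does not.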
46 Comments
  1. MattW
    Feb 22 2007

    Oh the pain, the pain! Why can’t this be in Edgy?

    Time to go backport hunting.

  2. Feb 22 2007

    [quote comment="18828"]Oh the pain, the pain! Why can’t this be in Edgy?

    Time to go backport hunting.[/quote]
    Just two months left until the Feisty release, so if you don’t want to run beta software just hang in there.

  3. Feb 22 2007

    Hi,

    I really agree that wireless in Feisty rocks hard!

    One comment: The example dialogue box on your page that asks about password for “default keyring”. I was wondering if a different wording might be better. I am not really sure that I understand what a keyring is, and I am even less sure that someone new to Linux would. Do you think there could be a more user friendly wording?

    Keep up the good work :)

  4. Feb 22 2007

    [quote comment="18834"]Hi,

    I really agree that wireless in Feisty rocks hard!

    One comment: The example dialogue box on your page that asks about password for “default keyring”. I was wondering if a different wording might be better. I am not really sure that I understand what a keyring is, and I am even less sure that someone new to Linux would. Do you think there could be a more user friendly wording?

    Keep up the good work :) [/quote]
    Well yes, that specific dialog is not from the network manager since that doesn’t show up anymore. I just used another one lying around, but you are right, I should have been more clear.

    Regarding the keyring, it is basically an encrypted storage for your password. You can view it in the Keyring manager found in the Control center.

    Thanks!

  5. Feb 22 2007

    I think it should be the default in Feisty. So I reported a bug:
    https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/87070

  6. Feb 24 2007

    It’s better to follow the README.Debian instructions and instead append the following to the end of /etc/pam.d/gdm:

    @include common-pamkeyring

  7. Feb 24 2007

    [quote comment="19192"]It’s better to follow the README.Debian instructions and instead append the following to the end of /etc/pam.d/gdm:

    @include common-pamkeyring[/quote]
    Good call, I’ll try it out. Thanks!

  8. Tomáš Hnyk
    Mar 5 2007

    Only it does not work when one uses autologin – which means that the users who would want this the most (i.e. those who are too lazy to even log in – for example, me) cannot use it. I contacted the developer so I hope this gets fixed.

  9. Mar 5 2007

    [quote comment="21666"]Only it does not work when one uses autologin – which means that the users who would want this the most (i.e. those who are too lazy to even log in – for example, me) cannot use it. I contacted the developer so I hope this gets fixed.[/quote]
    I have never used autologin, but try adding this to /etc/pam.d/gdm-autologin instead:
    @include common-pamkeyring

  10. Mar 6 2007

    Doesn’t this mean you are using the same plaintext password for both your login as well as keyring? Otherwise how would this work?

  11. Mar 6 2007

    [quote comment="22065"]Doesn’t this mean you are using the same plaintext password for both your login as well as keyring? Otherwise how would this work?[/quote]
    Well, yes. The password isn’t stored anywhere on the system though. pam-keyring just passes on the authentication to the Gnome Keyring daemon. Read more at the website of libpam-keyring.

    I guess you could argue that it would not be a good security practice to use the same password, but that is one security trade-off I am willing to make for the sake of usability. You could always lock the keyring manually if you don’t have a habit of locking your computer when you are not there.

  12. tristan
    Mar 27 2007

    Hi there-
    I tried this out, and was quite excited. I installed and edited the gdm file, and logged out, preparing for a satisfying log-in. Only to find that I could no longer log in.

    After installing libpam_keyring I can’t log in to gnome at all, but I can go to command line and work from there.

    Do you have any suggestions?

  13. Mar 30 2007

    [quote comment="27063"]After installing libpam_keyring I can’t log in to gnome at all, but I can go to command line and work from there.

    Do you have any suggestions?[/quote]
    Well, I’m guessing you replaced the entries in the /etc/pam.d/gdm file with @include common-pamkeyring, but you must only append it to the already existing lines.

  14. rfvuhbtg
    Apr 13 2007

    I’ve tried that, and I still have to enter the keyring password every time I boot up. But I’m also using kdm to log in (instead of gdm) because I use KDE about 75% of the time. Could that be the problem, and if it is, how can I fix the keyring password problem for my situation?

  15. Apr 13 2007

    [quote comment="29231"]I’ve tried that, and I still have to enter the keyring password every time I boot up. But I’m also using kdm to log in (instead of gdm) because I use KDE about 75% of the time. Could that be the problem, and if it is, how can I fix the keyring password problem for my situation?[/quote]
    Yes, kdm is the problem. Add it to the /etc/pam.d/kdm file instead.

    Note that this will only work using the Gnome keyring, and not the one in Kde.

  16. Apr 18 2007

    Thanks Johnny and commenters! This was really winding me up. It does seem mad to be prompted for a password just after entering your login/password.

  17. Apr 19 2007

    [quote comment="29877"]Thanks Johnny and commenters! This was really winding me up. It does seem mad to be prompted for a password just after entering your login/password.[/quote]
    Great that you found it useful. The Ubuntu people should probably have done this by default, or at least given users the option when using the keyring for the first time.

  18. miguel
    Apr 27 2007

    Hi,
    I’m new to linux so please hear me out.

    I have three questions about the above information.

    When you say

    Edit /etc/pam.d/gdm and add the following in the bottom:

    auth optional pam_keyring.so try_first_pass
    session optional pam_keyring.so

    1. Edit using the text editor? I tried that but I can’t save because I don’t have permissions on that file.

    2. In the second part, after ‘pass’ do you hit the enter key or a space to continue typing?

    3. Are there any special little characters that I need to enter in that second part? Prefix or something?

    Thanks again.

    Miguel

  19. Apr 27 2007

    [quote comment="30768"]1. Edit using the text editor? I tried that but I can’t save because I don’t have permissions on that file.

    2. In the second part, after ‘pass’ do you hit the enter key or a space to continue typing?

    3. Are there any special little characters that I need to enter in that second part? Prefix or something?[/quote]
    Do as Scott pointed out and write this instead:

    @include common-pamkeyring

    To edit the file in the Gnome text editor, open a terminal and write gksudo gedit /etc/pam.d/gdm and it should open up the file as the root user. Just add the above line to the bottom, save and you should be all set.

    Good luck.

  20. Jose
    Sep 2 2007

    [quote comment="21669"][quote comment="21666"]Only it does not work when one uses autologin – which means that the users who would want this the most (i.e. those who are too lazy to even log in – for example, me) cannot use it. I contacted the developer so I hope this gets fixed.[/quote]
    I have never used autologin, but try adding this to /etc/pam.d/gdm-autologin instead:
    @include common-pamkeyring[/quote]
    That worked – putting “@include common-pamkeyring” in /etc/pam.d/gdm-autologin did give my no-password user wireless access without having to enter a password to unlock the keyring. Thanks!

  21. Sep 2 2007

    [quote comment="43706"]That worked – putting “@include common-pamkeyring” in /etc/pam.d/gdm-autologin did give my no-password user wireless access without having to enter a password to unlock the keyring. Thanks![/quote]
    Great! Thanks for sharing the information.

  22. Jose
    Sep 2 2007

    [quote comment="43716"][quote comment="43706"]That worked – putting “@include common-pamkeyring” in /etc/pam.d/gdm-autologin did give my no-password user wireless access without having to enter a password to unlock the keyring. Thanks![/quote]
    Great! Thanks for sharing the information.[/quote]
    Whoops – I wrote too soon. The “unlock keyring” prompt for an autologin user seems to be bypassed only after some user has already unlocked the keyring.

    Here is how I tested it:
    Immediately after booting my laptop, logging in as the autologin user triggered the “unlock keyring” prompt, even after adding “@include common-pamkeyring” to /etc/pam.d/gdm-autologin. I entered the keyring password and was connected to the wireless network. I then logged off, logged in again as the autologin user, and did NOT get the “unlock keyring” prompt. Likewise, if I booted the laptop, logged in as a passworded user (who automatically unlocked the keyring because “@include common-pamkeyring” is in /etc/pam.d/gdm), logged off, and logged in as the autologin user, I did NOT get the “unlock keyring” prompt.

    Seems a bit odd that the system remembers whether the keyring was unlocked after the user who unlocked it has logged off – but maybe that’s why they call it “common” (like “shared”?). Anyway, I wish I could just add users to a group to indicate who should get automatic access to my wireless network.

  23. Sep 3 2007

    [quote comment="43717"]Whoops – I wrote too soon. The “unlock keyring” prompt for an autologin user seems to be bypassed only after some user has already unlocked the keyring.[/quote]
    Yes, perhaps it’s best to not use auto-login? A simple password could perhaps be an alternative.

    Is the keyring for the auto-login user without a password? Otherwise it will not work.

  24. Xavier Orr
    Nov 6 2007

    I am setting up 10 machines with ubuntu at an office and they don’t want to have to type any passwords when starting the computer. I am using auto-login and I have tried the fix on this page to get past the keyring manager but it doesn’t work for auto-login.

    All the passwords are just set to “password”. Is there some way that I can put the actual password directly into the configuration file so that the keyring always knows it? Security is not an issue and the password will never change.

  25. Nov 11 2007

    [quote comment="47760"]I am setting up 10 machines with ubuntu at an office and they don’t want to have to type any passwords when starting the computer. I am using auto-login and I have tried the fix on this page to get past the keyring manager but it doesn’t work for auto-login.

    All the passwords are just set to “password”. Is there some way that I can put the actual password directly into the configuration file so that the keyring always knows it? Security is not an issue and the password will never change.[/quote]
    Not sure to be honest, but perhaps adding “@include common-pamkeyring” to /etc/pam.d/gdm-autologin and resetting the keyrings could help.

    Gutsy comes with this automatically, but I am not sure if it works with passwordless logins.

  26. J
    Mar 29 2008

    Any word on this for Gutsy (7.10)?

  27. Viggio
    Jul 9 2008

    Hi, I’ve tried that in Hardy.
    The package to install is libpam-gnome-keyring.
    However, it still requires the password to unlock keyring.
    I do log in by means of a fingerprint reader.
    Please help…
    Thanks!

  28. BenA rnold
    Oct 28 2008

    Works great in Fedora 8 too, just install the module using this command:
    yum install pam_keyring
    and edit the config file as above.

    Thanks!

  29. woz
    May 14 2009

    this works!!! i have intrepid and I really needed this and couldn't find it anywhere

    the advice in https://help.ubuntu.com/community/NetworkManager gave me infinite authentication error dialogs

  30. May 15 2009

    I'm glad it worked out for you!

  31. May 15 2009

    I'm glad it worked out for you!

  32. Oct 2 2009

    Just forget about automatically unlocking the default keyring if you are using fingerprint authorization on login.

    Automatic unlocking relies on capturing the password you typed in. :(

    https://bugs.launchpad.net/gnome-keyring/+bug/276384

    • Oct 2 2009

      Too bad! Hopefully it will be fixed in an upcoming release. (if it’s at all possible)

  33. Cenora
    Jan 11 2010

    Does not work.
    Did all above steps, here is my GDM:
    #%PAM-1.0
    auth requisite pam_nologin.so
    auth required pam_env.so readenv=1
    auth required pam_env.so readenv=1 envfile=/etc/default/locale
    @include common-auth
    auth optional pam_gnome_keyring.so
    @include common-account
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
    session required pam_limits.so
    @include common-session
    session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
    session optional pam_gnome_keyring.so auto_start
    @include common-password
    auth optional pam_keyring.so try_first_pass
    session optional pam_keyring.so
    @include common-pamkeyring

    Reboot (autologin), get the same annoying window again. Too annoying, booting Windows.

  34. Josh Szepietowski
    May 1 2010

    On Ubuntu 9.10 this failed for me. Added @include common-pamkeyring to bottom of both /etc/pam.d/gdm-autologin and /etc/pam.d/gdm

    Resulted in me unable to login to my user upon reboot. Was able to use install live mode to recover by undoing modifications.

    • May 1 2010

      This guide is over three years old, so something was bound to change eventually. I’ll have a look the next time I’m at an Ubuntu machine.

      • Ollie
        Jun 1 2010

        I strongly suggest you put something at the top of this article to point out to Ubuntu 9/10 users that doing this will break your system – it’s causing a lot of grief for people!

      • Jun 1 2010

        Thanks for the tip. :) I’ll do that.

    • Jun 9 2010

      Great! I’ll paste the tips here for reference:

      1. Right click on the NM icon in your panel and select Edit Connections and open the Wireless tab
      2. Select the connection you want to work with and click the Edit button
      3. Check the boxes “Connect Automatically” and “Available to all users”
