Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora Desktop (http://www.linux-archive.org/fedora-desktop/)
-   -   automatic unlocking of keyring (http://www.linux-archive.org/fedora-desktop/9283-automatic-unlocking-keyring.html)

Matthias Clasen 11-30-2007 03:38 PM

automatic unlocking of keyring
 
As some may remember, we turned automatic unlocking of
keyrings at login time off at a late time in the F8 schedule,
since it was not working properly with our pam configuration.

pam has meanwhile gained a new feature that will hopefully
allow this to work reliably (substack). I have built
gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9
in rawhide with this turned on.

Please try it and tell me if it works for you.


Matthias

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list

David Nielsen 11-30-2007 04:10 PM

automatic unlocking of keyring
 
fre, 30 11 2007 kl. 11:38 -0500, skrev Matthias Clasen:
> As some may remember, we turned automatic unlocking of
> keyrings at login time off at a late time in the F8 schedule,
> since it was not working properly with our pam configuration.
>
> pam has meanwhile gained a new feature that will hopefully
> allow this to work reliably (substack). I have built
> gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9
> in rawhide with this turned on.
>
> Please try it and tell me if it works for you.

Works for me on my Rawhide x86_64 box. Excellent I was getting tired of
unlocking that thing manually to get connected to the wifi on lock in.

- David
--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list

Jon Nettleton 11-30-2007 07:32 PM

automatic unlocking of keyring
 
On Fri, 2007-11-30 at 18:10 +0100, David Nielsen wrote:
> fre, 30 11 2007 kl. 11:38 -0500, skrev Matthias Clasen:
> > As some may remember, we turned automatic unlocking of
> > keyrings at login time off at a late time in the F8 schedule,
> > since it was not working properly with our pam configuration.
> >
> > pam has meanwhile gained a new feature that will hopefully
> > allow this to work reliably (substack). I have built
> > gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9
> > in rawhide with this turned on.
> >
> > Please try it and tell me if it works for you.
>
> Works for me on my Rawhide x86_64 box. Excellent I was getting tired of
> unlocking that thing manually to get connected to the wifi on lock in.
>

This is great news. If things look good I vote for pushing this to our
F8 users. I will test it on F8 and report back.

Jon

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list

Matthias Clasen 11-30-2007 07:56 PM

automatic unlocking of keyring
 
On Fri, 2007-11-30 at 15:32 -0500, Jon Nettleton wrote:
> On Fri, 2007-11-30 at 18:10 +0100, David NielI dsen wrote:
> > fre, 30 11 2007 kl. 11:38 -0500, skrev Matthias Clasen:
> > > As some may remember, we turned automatic unlocking of
> > > keyrings at login time off at a late time in the F8 schedule,
> > > since it was not working properly with our pam configuration.
> > >
> > > pam has meanwhile gained a new feature that will hopefully
> > > allow this to work reliably (substack). I have built
> > > gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9
> > > in rawhide with this turned on.
> > >
> > > Please try it and tell me if it works for you.
> >
> > Works for me on my Rawhide x86_64 box. Excellent I was getting tired of
> > unlocking that thing manually to get connected to the wifi on lock in.
> >
>
> This is great news. If things look good I vote for pushing this to our
> F8 users. I will test it on F8 and report back.

It'll have to wait for substack support in the F8 pam, though.
I don't know what Tomas' plans are for that. Tomas ?

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list

David Zeuthen 11-30-2007 08:25 PM

automatic unlocking of keyring
 
On Fri, 2007-11-30 at 11:38 -0500, Matthias Clasen wrote:
> As some may remember, we turned automatic unlocking of
> keyrings at login time off at a late time in the F8 schedule,
> since it was not working properly with our pam configuration.
>
> pam has meanwhile gained a new feature that will hopefully
> allow this to work reliably (substack). I have built
> gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9
> in rawhide with this turned on.
>
> Please try it and tell me if it works for you.

Nice work. Almost there:

 1. Logging in via fingerprint auth; doesn't work.. but that's expected

2. Logging in via password; unlocking keyring works fine

3. Change password

4. Logging in via password; doesn't unlock keyring

5. Change back to old password

 6. Logging in via password; unlocking keyring works fine

So I think you're missing the bit where the keyring password is updated.

HTH,
David


--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list

Matthias Clasen 11-30-2007 08:43 PM

automatic unlocking of keyring
 
On Fri, 2007-11-30 at 16:25 -0500, David Zeuthen wrote:
> On Fri, 2007-11-30 at 11:38 -0500, Matthias Clasen wrote:
> > As some may remember, we turned automatic unlocking of
> > keyrings at login time off at a late time in the F8 schedule,
> > since it was not working properly with our pam configuration.
> >
> > pam has meanwhile gained a new feature that will hopefully
> > allow this to work reliably (substack). I have built
> > gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9
> > in rawhide with this turned on.
> >
> > Please try it and tell me if it works for you.
>
> Nice work. Almost there:
>
>  1. Logging in via fingerprint auth; doesn't work.. but that's expected

That'll work once you engrave your password on your fingertip, I guess.

> 2. Logging in via password; unlocking keyring works fine
>
> 3. Change password
>
> 4. Logging in via password; doesn't unlock keyring

This would work if we added gnome-keyring support to /etc/pam.d/passwd.
The bug against authconfig to do that is still open:

https://bugzilla.redhat.com/show_bug.cgi?id=250147






--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list

Bastien Nocera 11-30-2007 11:33 PM

automatic unlocking of keyring
 
On Fri, 2007-11-30 at 16:43 -0500, Matthias Clasen wrote:
> On Fri, 2007-11-30 at 16:25 -0500, David Zeuthen wrote:
<snip>
> >  1. Logging in via fingerprint auth; doesn't work.. but that's expected
>
> That'll work once you engrave your password on your fingertip, I guess.

Or have the password updated in the fingerprint blob...

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list

Jon Nettleton 11-30-2007 11:51 PM

automatic unlocking of keyring
 
On Sat, 2007-12-01 at 00:33 +0000, Bastien Nocera wrote:
> On Fri, 2007-11-30 at 16:43 -0500, Matthias Clasen wrote:
> > On Fri, 2007-11-30 at 16:25 -0500, David Zeuthen wrote:
> <snip>
> > >  1. Logging in via fingerprint auth; doesn't work.. but that's expected
> >
> > That'll work once you engrave your password on your fingertip, I guess.
>
> Or have the password updated in the fingerprint blob...
>
That is how it was addressed when I first took over pam_keyring.
Pam_bio_api (relying on unix permissions for secrecy) had an embedded
pass-phrase in the BIR. This allowed their pam-module to authenticate
on finger-print scan then populate the AUTHTOKEN of the pam stack with
the passphrase and pass it along to other pam modules. Could be
implemented better, but has the correct idea.

Jon

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list

Thomas M Steenholdt 12-16-2007 12:26 AM

automatic unlocking of keyring
 
Matthias Clasen wrote:

As some may remember, we turned automatic unlocking of
keyrings at login time off at a late time in the F8 schedule,
since it was not working properly with our pam configuration.

pam has meanwhile gained a new feature that will hopefully
allow this to work reliably (substack). I have built
gdm-2.21.2-0.2007.11.20.4.fc9 and gnome-keyring-2.20.2-2.fc9

in rawhide with this turned on.

Please try it and tell me if it works for you.


Matthias



This is actually working for me on F8 using:

gdm-2.20.2-2.fc8 and gnome-keyring-2.20.2-1.fc8

The only thing I think I changed was to move pam_gnome_keyring.so above
the system-auth line in /etc/pam.d/gdm.


If this is not supposed to work, what am I missing? I definitely unlocks
the keyring for nm_applet, evolution and various server connections.


/Thomas


--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list


All times are GMT. The time now is 03:10 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.