PDA

View Full Version : Disable Gnome keyring manager



chocobanana
20th November 2006, 08:18 PM
Hi there

Does anyone knows how to disable Gnome keyring manager?

Whenever I try to connect to a wireless network with networkmanager it always asks for the keyring password and this is really annoying...

Thanks!

Iron_Mike
21st November 2006, 01:34 AM
Nope, but there is a way to automate it so it doesn't ask for the password......

http://forums.fedoraforum.org/forum/showthread.php?t=106892&highlight=keyring

ZeusZon
21st November 2006, 02:31 AM
This is what I did according to the instructions. But fails.

Superuser:
gedit /etc/pam.d/gdm

#%PAM-1.0
auth required pam_env.so
auth optional pam_keyring.so try_first_pass
auth optional pam_ssh.so try_first_pass
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
session optional pam_keyring.so
session optional pam_ssh.so

ensured a space at end
-------------------------------------------------
yum install pam_keyring

^FC6 version
---------------------------------------
Read that FC5 version works.
Uninstalled fc6 version

Downloaded FC5 version and installed:
http://www.hekanetworks.com/opensource/pam_keyring/pam_keyring-0.0.8-1.fc5.i386.rpm

Firewall and SElinux is off.

Still asks for password and account password and keyring password is the same.

Any ideas?

Iron_Mike
21st November 2006, 03:11 AM
Did you use the utility to set the default keyring password to the same as the user login?? Works fine here....on FC6

Run this if you need to change the default keyring password to the same as your log-in password.

/usr/libexec/pam-keyring-tool -c

ZeusZon
21st November 2006, 09:46 PM
Thanks for the terminal code.

I can't figure out how to use what you have suggested. Any pointers?



[neil@M30 ~]$ /usr/libexec/pam-keyring-tool -c
pam-keyring-tool: only one keyring action my be specified on the commandline
[neil@M30 ~]$ /usr/libexec/pam-keyring-tool -c password
pam-keyring-tool: only one keyring action my be specified on the commandline
[neil@M30 ~]$ /usr/libexec/pam-keyring-tool -?
Usage:
pam-keyring-tool [OPTION...]

Help Options:
-?, --help Show help options

Application Options:
-u, --unlock Unlock Keyring
-g, --get-default Get Default Keyring
-s, --use-stdin Use stdin for Password Prompt
--keyring=name Name of Keyring

[neil@M30 ~]$


Edit: They are the same already. But through I would try and reset.

Iron_Mike
21st November 2006, 10:20 PM
If you can't get it to work, you can download the gnome-keyring-manager package from the same sit and use the gui interface

admun
22nd November 2006, 12:37 AM
Hi,

I am able to get to work on FC6, here's the steps I did:

1) install keyring manager
2) delete all keys
3) change /etc/pam.d/gdm to the following

#%PAM-1.0
auth required pam_env.so
auth optional pam_keyring.so try_first_pass
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
session optional pam_keyring.so

4) reboot
5) login, besure to enter the same default key as your login's password

Hope this help.

cheers,

ZeusZon
22nd November 2006, 02:27 AM
Thanks for your replies.

I switched to just the wpa_supplicant service without networkmanager service since I wasn't getting anywhere with keyring.

Working ok without nag screen of networkmanager/keyring.

But out of interest I tried the gdm file text information that you supplied admun.

And it works! I'm too tired to compare Iron_mikes post link of: http://forums.fedoraforum.org/forum/showthread.php?t=106892&highlight=keyring

Maybe I have used the same code before? but it didn't work. Maybe a little parsing error with using copy+paste.

It's a shame gnome's auto-login doesn't work with this.

Need to head off.
Many thanks

admun
22nd November 2006, 06:44 AM
Thanks for your replies.

I switched to just the wpa_supplicant service without networkmanager service since I wasn't getting anywhere with keyring.

Working ok without nag screen of networkmanager/keyring.

But out of interest I tried the gdm file text information that you supplied admun.

And it works! I'm too tired to compare Iron_mikes post link of: http://forums.fedoraforum.org/forum/showthread.php?t=106892&highlight=keyring

Maybe I have used the same code before? but it didn't work. Maybe a little parsing error with using copy+paste.

It's a shame gnome's auto-login doesn't work with this.

Need to head off.
Many thanks

Good to know it works now. I think it's something to do with order of the lines.....

hondaman
5th December 2006, 01:48 AM
Just wanted to chime in and say thanks for the info. Fixed it for me on fc6. It wasnt working until I installed pam_keyring, logged in manually, rebooting, and it worked.

Thanks again.

:EDIT:

haha, I guess I spoke too soon. This works when you manually login. However, if you set to auto login, it doesnt work for me. I get the keyring password prompt.

Is there a way to make it promptless? No logins, no password nag screens, just boots and connects to the wireless seamlessly?

admun
5th December 2006, 03:30 PM
Just wanted to chime in and say thanks for the info. Fixed it for me on fc6. It wasnt working until I installed pam_keyring, logged in manually, rebooting, and it worked.

Thanks again.

:EDIT:

haha, I guess I spoke too soon. This works when you manually login. However, if you set to auto login, it doesnt work for me. I get the keyring password prompt.

Is there a way to make it promptless? No logins, no password nag screens, just boots and connects to the wireless seamlessly?
I don't think so... I think what pam_keyring does is to remember your last used password and use it when its authenicate again... that's why you need to set the default passwd as your login password... so you need to login for pam_keyring to "remember" a password to use.

chocobanana
5th December 2006, 04:44 PM
how about if you have auto-login enabled, does it work?

admun
5th December 2006, 08:35 PM
how about if you have auto-login enabled, does it work?
Not sure... but my guess is it may not. Since no manual login happen previously, the pam_keyring is not trigger to save the "last" password (for later use)? I guess that it comes to maybe the autologin function didn't shared the password with pam_keyring???? I am no expert on this, pure guess here.

chocobanana
5th December 2006, 11:49 PM
Despite the way it works, the gnome keyring manager should be just like KDE's wallet - you choose to use it or not. It's that simple! No workarounds, no confused minds, no fuss at all!

linux4kix
6th December 2006, 04:48 AM
Sorry guys I have been a little lax on my forum browsing. I am the current maintainer of pam_keyring and here is what it does/doesn't do.

gnome_keyring_daemon stores secrets in an encrypted keyring file. When you create the file you must provide a passphrase which is used as the key for the encryption algorithm. Without that key you can't unencrypt the keyring file and gnome apps that have stored secrets can't get access to them.

pam_keyring works in the pam stack to take the password you provide to gdm and use that password to unlock the keyring specified, or the default keyring if no keyring is specified. Because this happens before the gnome-session is started a few things have to happen. Pam_keyring launches gnome-keyring-daemon with the same UID as the user authenticating in pam. It then sets up the GNOME_KEYRING_SOCKET environment variable for that user. Finally it runs pam-keyring-tool as the user trying to unlock the default keyring with the password used to login to gdm.

If all goes well a user is logged in and doesn't need to provide a password for gnome-keyring.

This doesn't work for autologin because a password is never supplied to the pam stack. Autologin works because gdm runs as root and can launch a session as another uid without needing a password. Since no password is provided to the pam stack pam_keyring has no password to provide to gnome-keyring-daemon to use to unencrypt the keyring.

Hope that clears some things up.

Jon

chocobanana
6th December 2006, 02:07 PM
Hi

Thanks for clearing up linux4kix. Since you're the maintainer for the gnome key-ringer manager, can I make a feature request? If yes, it is simply to make the gnome keyring password optional like in KDE. It's that simple. I really want to have auto-login but I don't like to have the keyring dialog popping up every time I start the computer to connect to a wireless network.

Is it possible to do it?
Thanks

admun
6th December 2006, 04:17 PM
Sorry guys I have been a little lax on my forum browsing. I am the current maintainer of pam_keyring and here is what it does/doesn't do.

gnome_keyring_daemon stores secrets in an encrypted keyring file. When you create the file you must provide a passphrase which is used as the key for the encryption algorithm. Without that key you can't unencrypt the keyring file and gnome apps that have stored secrets can't get access to them.

pam_keyring works in the pam stack to take the password you provide to gdm and use that password to unlock the keyring specified, or the default keyring if no keyring is specified. Because this happens before the gnome-session is started a few things have to happen. Pam_keyring launches gnome-keyring-daemon with the same UID as the user authenticating in pam. It then sets up the GNOME_KEYRING_SOCKET environment variable for that user. Finally it runs pam-keyring-tool as the user trying to unlock the default keyring with the password used to login to gdm.

If all goes well a user is logged in and doesn't need to provide a password for gnome-keyring.

This doesn't work for autologin because a password is never supplied to the pam stack. Autologin works because gdm runs as root and can launch a session as another uid without needing a password. Since no password is provided to the pam stack pam_keyring has no password to provide to gnome-keyring-daemon to use to unencrypt the keyring.

Hope that clears some things up.

Jon

Thank for info. Thanks for the good work.

linux4kix
6th December 2006, 08:23 PM
Hi

Thanks for clearing up linux4kix. Since you're the maintainer for the gnome key-ringer manager, can I make a feature request? If yes, it is simply to make the gnome keyring password optional like in KDE. It's that simple. I really want to have auto-login but I don't like to have the keyring dialog popping up every time I start the computer to connect to a wireless network.

Is it possible to do it?
Thanks

I am actually the pam_keyring maintainer, however I do work on gnome-keyring as well. I don't think that gnome will ever release a version of gnome-keyring that supports passwordless keyrings. Why store something in an encrypted keyring if it isn't going to be secured with a password?

For the features you want, you will have to wait for NetworkManager 0.7 to come out with global profiles.

pasmol
18th January 2007, 12:04 AM
Can you provide any solution to autoprovide keyring passphrase? I managed to configure fingerprint reader to authenticate, so I would rather not use any passwords or passphrases after login. I do not care if the password would be stored in a plain text in my profile.

Piotr

mitchell2345
25th January 2007, 11:08 PM
so if we are using auto-login there is not why to remove the password prompt? I dont like that at all. All i want to do is open my laptop and connect!

DeathWishR
28th June 2007, 03:04 AM
I think we (everyone stuck in this thread) are dealing with computers where we have ZERO INTEREST in protecting the wireless passwords associated with NetworkManager. Is there any way to have network manager store the passwords outside the keyring or in a clear-text document somewhere? I agree that this is a terrible solution--but I'm dealing with a user who wants her laptop to boot-login-run without any password entry. She's also in an environment where protecting the wireless password is entirely silly (go aircrack ;]).

felipe1982
1st November 2007, 02:04 AM
I agree. I don't care about protecting my WEP/WPA key. i don't want it to be stored encrypted. i don't care. As the other dude said "I just want to turn on my laptop and connect."

Thanks all for the great work, time, and software.

jim
1st November 2007, 02:13 AM
Enable pam_keyring

Here is how from http://www.jplawrence.us/mywiki/PamKeyring

yum -y install pam_keyring

su -

gedit /etc/pam.d/gdm

add the following lines

auth optional pam_keyring.so try_first_pass
session optional pam_keyring.so

For completeness, here is mine from my fc7 laptop (Note the order of each line)

#%PAM-1.0
auth required pam_env.so
auth optional pam_keyring.so try_first_pass
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
session optional pam_keyring.so

Now reboot the system. When you login again you should not be prompted to unlock the keyring.

Duli
1st November 2007, 02:23 AM
Enable pam_keyring

Here is how from http://www.jplawrence.us/mywiki/PamKeyring

yum -y install pam_keyring

su -

gedit /etc/pam.d/gdm

add the following lines

auth optional pam_keyring.so try_first_pass
session optional pam_keyring.so

For completeness, here is mine from my fc7 laptop (Note the order of each line)

#%PAM-1.0
auth required pam_env.so
auth optional pam_keyring.so try_first_pass
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
session optional pam_keyring.so

Now reboot the system. When you login again you should not be prompted to unlock the keyring.

That works just fine. But there's a catch: it doesn't work if the user has no password. I have set up a Fedora 7 laptop for my mom. To let others play around with it, I've setup a "guest" account by adding a user with no password (passwd -d guest). For this guy (guest), the technique you've described won't work, because he has no password...

I can't understand why one should be forced, against his will, to have a password in his box...

Cheers
Duli

jim
1st November 2007, 02:33 AM
That works just fine. But there's a catch: it doesn't work if the user has no password. I have set up a Fedora 7 laptop for my mom. To let others play around with it, I've setup a "guest" account by adding a user with no password (passwd -d guest). For this guy (guest), the technique you've described won't work, because he has no password...

I can't understand why one should be forced, against his will, to have a password in his box...

Cheers
Duli
No password is for windows users. The very nature of linux is secure

Duli
1st November 2007, 03:26 AM
No password is for windows users. The very nature of linux is secure

I don't mean to be rude. But with all due respect, if I may, this is the kind of behavior I was complaining about. I agree Linux is secure and that's very nice. But by saying that you start to act as windows like software, when it prevents the user from the freedom of choice. The choice to have or not a password. There are situations that do not involve a server environment, like my mom's notebook for instance. She doesn't need a password. She doesn't have critical info in his computer etc.

Your answer simply isn't enough. You can't justify strains like this with the generic excuse of "linux is secure".

I thought linux was about freedom as well.

And I don't see any freedom when it forces the user to have a password against his will. All the user wants is to access his home wireless which, by the way, is already secured with the router password. So why does Fedora (or gnome) need another password to let him access it? And I am not accounting the initial login password. Shouldn't the login password be enough to let him access his own wireless? Is it really necessary to have the user edit configuration files in order to free him from typing his password every single time he turns on his computer?

That doesn't sound like freedom to me.

Cheers

pablomat
19th March 2009, 09:26 AM
If you are using auto-login you can try removing your actual keyring password:

rm -rf ~/.gnome2/keyrings/*

After that, logout and login again , when asked for a new keyring password leave the forms in blank, click create, and you're done.

I've tested this on fedora 11 alpha with kde and it works. Cheers.

Wayne
19th March 2009, 09:30 AM
Umm, last post in this thread was 2007-11-01. I'd consider it well and truly dead :)

Please check dates before posting. Thanks. Thread closed.

Wayne