Gnome’s cool features : gnome-keyring & pam

Today, I’m starting a new theme for this blog. Instead of ranting or trolling like a good chunk of bloggers out there, I’ll be writing about the cool new stuff upstream Gnome developers have coded during the past 6 months (probably more, since I’ll try to go back to older features as well) that we ship in Gentoo but that stays hidden by default.

As many know, Gentoo is about choice, and the default choice is to “opt-in”. So if you install Gnome on Gentoo, you get a bare-bone Gnome experience, sometimes in stark contrast to what other distros do. So in order to level the playing field, I’ll be writing about how to enable some of those cool features. 🙂

Today’s special : gnome-keyring’s pam module.

Gnome-keyring now provides its own pam module, so you don’t need to emerge pam_keyring any more. Just enable the pam USE flag (it should be on by default) and you’ll be ready to start configuring it.

All in all it’s not that complicated. Here’s my /etc/pam.d/system-auth:

#%PAM-1.0

auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so

account required pam_unix.so

# This can be used only if you enabled the cracklib USE flag
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password optional pam_gnome_keyring.so
# This can be used only if you enabled the cracklib USE flag (use_authtok reuses the password pam_cracklib just checked above)
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
# This can be used only if you enabled the !cracklib USE flag
# password sufficient pam_unix.so try_first_pass nullok md5 shadow
password required pam_deny.so

session required pam_limits.so
session optional pam_gnome_keyring.so auto_start
session required pam_unix.so

There are a few things to keep in mind though :

  1. Always keep an open root shell when doing pam modifications. Better safe than sorry.
  2. Don’t try it on pam 0.78, it should work but it needs more tweaking and I’m not entirely sure about it. Flameeyes is pushing for pam 0.99 to hit stable on most arches anyway. Things should move quickly.
  3. Your keyring password must be the same as your login (pam) password, otherwise the module cannot unlock the keyring with it. If they differ, either change the keyring’s master password to match, or delete your keyring inside ~/.gnome2/keyrings (which throws away every secret stored in it).
  4. Once the passwords match, gnome-keyring keeps the two in sync as long as you change your password yourself with passwd: the password stack then sees both the old and the new password and can re-encrypt the keyring. If root resets your password for you, no old password is supplied, the keyring stays encrypted under the old one, and you are back to point 3.
  5. Using this configuration file as-is launches gnome-keyring for every pam service that includes system-auth, sshd and su included, not just graphical logins. If you run other services on your machine, I’d recommend putting the same pam_gnome_keyring lines inside the gdm and gnome-screensaver files instead. Just make sure to put them before the include statements in those two files, so they run ahead of the stack pulled in from system-auth.
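As an added check for point 5 (this is example code written for this page, not part of the post or of gnome-keyring), here is a small POSIX sh lint for a per-service pam file such as /etc/pam.d/gdm. It verifies that the pam_gnome_keyring.so auth line sits before the first auth include, that the session line with auto_start sits before the first session include, and that neither is marked required (a keyring failure must never be able to lock a user out). The two sample files are constructed here; the include-based layout of Gentoo’s gdm file is an assumption.

```sh
#!/bin/sh
# Added example, not from the original post: lint a per-service PAM file
# (gdm, gnome-screensaver, ...) for the gnome-keyring stacking recommended above.
#
# check_keyring_stack [FILE]   (reads stdin when FILE is omitted)
# exits 0 when:
#   - an "auth ... pam_gnome_keyring.so" line comes before the first
#     "auth include" line, so it runs ahead of the stack pulled in from
#     system-auth;
#   - a "session ... pam_gnome_keyring.so auto_start" line comes before the
#     first "session include" line;
#   - no pam_gnome_keyring.so line is "required" or "requisite".
# Otherwise it prints one reason per line and exits 1.
check_keyring_stack() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    {
        type = $1; ctrl = $2; mod = $3
        if (mod == "pam_gnome_keyring.so") {
            if (ctrl == "required" || ctrl == "requisite") {
                print "pam_gnome_keyring.so must be optional in the " type " stack"
                bad = 1
            }
            if (type == "auth" && !auth_inc)
                auth_ok = 1
            if (type == "session" && !sess_inc && $0 ~ /auto_start/)
                sess_ok = 1
        }
        if (ctrl == "include" || ctrl == "substack") {
            if (type == "auth")    auth_inc = 1
            if (type == "session") sess_inc = 1
        }
    }
    END {
        if (!auth_ok) { print "auth pam_gnome_keyring.so missing or placed after auth include"; bad = 1 }
        if (!sess_ok) { print "session pam_gnome_keyring.so auto_start missing or placed after session include"; bad = 1 }
        if (bad) exit 1
    }' "${1:--}"
}

# Constructed sample /etc/pam.d/gdm laid out the way the post suggests:
# keyring lines ahead of the include lines (Gentoo's include layout is assumed).
GOOD_GDM='#%PAM-1.0
auth     optional  pam_gnome_keyring.so
auth     include   system-auth
account  include   system-auth
password include   system-auth
session  optional  pam_gnome_keyring.so auto_start
session  include   system-auth'

# Constructed counter-example: keyring lines after the includes, and the
# auth line marked "required".
BAD_GDM='#%PAM-1.0
auth     include   system-auth
auth     required  pam_gnome_keyring.so
account  include   system-auth
password include   system-auth
session  include   system-auth
session  optional  pam_gnome_keyring.so auto_start'

if printf '%s\n' "$GOOD_GDM" | check_keyring_stack; then
    echo "good sample: accepted"
fi
if ! printf '%s\n' "$BAD_GDM" | check_keyring_stack; then
    echo "bad sample: rejected (see reasons above)"
fi
# To check the live files instead:  check_keyring_stack /etc/pam.d/gdm
```

Run it from the root shell you keep open while editing (point 1), and re-run it against /etc/pam.d/gdm and /etc/pam.d/gnome-screensaver after every change; it only reads the files, so it is safe to run before logging out to try the new stack.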

I’d like to thank Flameeyes for his help, Tester and wltjr for testing things out with me yesterday when I was hitting a roadblock trying to figure out how it all works 🙂 So thanks to the three of you.

Other than that, enjoy 😉

Update : check out the blog comment from welp, there’s some good additional info 🙂

4 thoughts on “Gnome’s cool features : gnome-keyring & pam”

  1. pam_ssh is also really quite cool if you use ssh keys for authentication. Set up your keys to use the same passphrase/password as your login, and set up the pam_ssh stuff in the same way as for pam_gnome_keyring, and you’ll be sorted. You can also set it up in such a way that gdm or whatever will bring up a separate prompt during login if your ssh passphrase is different from your login password/passphrase. (In fact, rather than deleting all your keyrings, you can do the same with pam_gnome_keyring.) It is also possible to change the gnome keyring’s master password: System -> Preferences -> Encryption Preferences -> GNOME Keyring.

  2. seahorse-agent + keychain is also a good combo for this since the keyring would be able to keep your ssh passphrases for you and it would be all integrated in your session (and would still work with a remote shell as pam_ssh can do).

    I promised I would write a proper gentoo doc asap to dang but if you feel crazy, you could check the seahorse-agent documentation on upstream’s wiki.

  3. I’m not using seahorse and I’m not planning on using it anytime soon. I’ll leave the writing of that particular article to you 😉

  4. Hi,
    Just a note to say thank you for this post. It’s very useful information.

    I really like your plan to go into detail about some different optional features for Gentoo’s Gnome users in future posts, too.

    Also, thanks so much for getting Gnome 2.20 out so quickly, it’s been great!
