Today, I’m starting a new theme for this blog. Instead of ranting or trolling like a good chunk of bloggers out there, I’ll be writing about the cool new stuff that upstream Gnome developers have coded during the past 6 months (probably more, since I’ll try to go back to older features as well) and that we offer in Gentoo, but that is hidden.
As many know, Gentoo is about choice, and the default choice is to “opt-in”. So if you install Gnome on Gentoo, you get a bare-bones Gnome experience, sometimes in stark contrast to what other distros do. So in order to level the playing field, I’ll be writing about how to enable some of those cool features. 🙂
Today’s special: gnome-keyring’s pam module.
Gnome-keyring now provides its own pam module, so you don’t need to emerge pam_keyring. Just enable the pam USE flag (it should be on by default) and you’ll be ready to start configuring it.
All in all, it’s not that complicated. Here’s my /etc/pam.d/system-auth:
#%PAM-1.0
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
account required pam_unix.so
# This can be used only if you enabled the cracklib USE flag
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password optional pam_gnome_keyring.so
# This can be used only if you enabled the cracklib USE flag
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
# This can be used only if you enabled the !cracklib USE flag
# password sufficient pam_unix.so try_first_pass nullok md5 shadow
password required pam_deny.so
session required pam_limits.so
session optional pam_gnome_keyring.so auto_start
session required pam_unix.so
There are a few things to keep in mind though:
- Always keep an open root shell when doing pam modifications. Better safe than sorry.
- Don’t try it on pam 0.78; it should work, but it needs more tweaking and I’m not entirely sure about it. Flameeyes is pushing for pam 0.99 to hit stable on most arches anyway. Things should move quickly.
- Your keyring password must be the same as your pam password. If they are not the same, you need to delete your keyring inside ~/.gnome2/keyrings.
- Once the passwords are the same, gnome-keyring will keep the two passwords in sync provided you use passwd to modify your password. If root does it for you, it won’t work.
- Using this configuration file as-is will launch gnome-keyring for every pam service that includes system-auth. If you run other services on your machine, I’d recommend putting the same pam commands inside gdm and gnome-screensaver. Just make sure to put them before the include statements in those two files.
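A way to check the ordering advice in the last point, as an added example that is not part of the original post or of gnome-keyring: a sufficient rule ends its stack on success and an include rule pulls the included file's rules in at that position, so a pam_gnome_keyring.so rule placed after either one may never run. The function name misplaced_keyring and both gdm samples are constructed for illustration; the real gdm file on your system will contain more lines.

```python
import re

KEYRING = "pam_gnome_keyring.so"
# type, control (plain word or [bracketed] form), module or included file
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_rules(text):
    """Return (line_no, type, control, target) for every rule line."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        # Drop comments (including the #%PAM-1.0 header) before matching.
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            rules.append((no, m.group(1), m.group(2), m.group(3)))
    return rules

def misplaced_keyring(text):
    """Flag keyring rules that follow an include or sufficient rule of the same type."""
    cut = {}       # type -> first rule of that type that can end the stack early
    findings = []
    for no, typ, control, target in parse_rules(text):
        if target.rsplit("/", 1)[-1] == KEYRING:
            if typ in cut:
                findings.append((no, typ, cut[typ]))
        elif control in ("include", "sufficient"):
            cut.setdefault(typ, f"{control} {target} (line {no})")
    return findings

# Constructed sample: keyring rules placed after the include statements.
GDM_BAD = """\
auth     include  system-auth
auth     optional pam_gnome_keyring.so
session  include  system-auth
session  optional pam_gnome_keyring.so auto_start
"""

# Constructed sample: the ordering the post recommends.
GDM_GOOD = """\
auth     optional pam_gnome_keyring.so
auth     include  system-auth
session  optional pam_gnome_keyring.so auto_start
session  include  system-auth
"""

if __name__ == "__main__":
    for name, text in (("bad", GDM_BAD), ("good", GDM_GOOD)):
        print(name, misplaced_keyring(text))
```

Run it against the contents of a file under /etc/pam.d (read from that open root shell) by passing the file's text to misplaced_keyring; an empty list means every keyring rule sits ahead of the rules that could skip it.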
I’d like to thank Flameeyes for his help, Tester and wltjr for testing things out with me yesterday when I was hitting a roadblock trying to figure out how it all works 🙂 So thanks to the three of you.
Other than that, enjoy 😉
Update: check out the blog comment from welp; there’s some good additional info 🙂