caedes' Notes

2010-05-05

Unlock gnome-keyring on Login with SLiM and PAM

Filed under: Linux — caedes @ 02:41
Tags: , , , , ,

My favorite desktop environment is XFCE, because it’s fast, doesn’t need much memory¹ and still is convenient (automounting of CDs and memory sticks, easy unmounting by clicking, a real desktop, etc).
I also use SLiM as a display manager because it is slim and looks much better than xdm.

On my Laptop I also use GNOME’s NetworkManager because I haven’t yet found a better and less bloat alternative for handling wireless networks and VPNs.
NetworkManager is able to store your passwords (WPA-keys etc) in the GNOME Keyring so you don’t need to enter them each time your laptop connects to a wireless network. But you still have to enter the password to unlock the keyring.. unless you let PAM handle that on login.

I’ll describe how to make PAM unlock your GNOME-Keyring, when you log in with SLiM, so applications like the NetworkManager can access the keyring. I’ll focus on how to do that with Debian “squeeze” (the current testing), but it should be directly applicable for Ubuntu (at least “Lucid”, for older versions you’ll have to build your own slim package with PAM support – or maybe use the one from debian) and quite similar in any other Linux distribution.

What should be installed?

  • slim SLiM, with PAM-support (if you compile yourself: make USE_PAM=1)
  • gnome-keyring the GNOME keyring daemon
  • libpam-gnome-keyring PAM module to unlock the GNOME keyring upon login (if you compile it yourself: should be contained in gnome-keyring sources)
  • probably some software using the GNOME keyring, like network-manager-gnome

If you haven’t used slim before, you may configure it by editing /etc/slim.conf, at least for debian it contains helpful comments. Most interesting is the sessions option to set the sessions you want to use (I only use startxfce4).

Configuration

You need to edit /etc/pam.d/slim. If that file doesn’t exist (I hope it will be added to debians SLiM package soon), just paste it from the debian bugreport #476248.
However, to unlock the keyring you need to add the following two lines to the end of the file:

auth    optional        pam_gnome_keyring.so
session    optional        pam_gnome_keyring.so  auto_start

That should be all. Just log out, log back in and the keyring should be unlocked, so applications can access it without entering further passwords.
If it does not work and you’ve used GNOME keyring before, you may have to delete ~/.gnome2/keyrings/ to make it work correctly.

Cheers && have fun,

– Daniel

¹ Right now with Firefox/Iceweasel, a filemanager (Thunar), a terminal emulator, several panel plugins and the GNOME NetworkManager about 175MB

Advertisements

17 Comments »

  1. Hi, I was searching exactly for this, but it doesn’t work.
    I have all packages installed. I’ve copied /etc/pam.d/slim from debian bugreport, added two lines and saved it.
    Log out and in – it asked for password for my keyring.
    Deleted ~/.gnome2/keyrings/, loget out and in, it asked for password for my WiFi and than for new passwaord for keyring. Loget out and in, asked for password for my keyring.

    Any ideas?

    Comment by Miro Hrončok — 2010-08-09 @ 15:07 | Reply

    • Hi,
      what Linux Distribution are you using?

      Comment by caedes — 2010-08-09 @ 23:26 | Reply

  2. Debian testing mixed with sid and experimental. SLiM 1.3.1.

    Comment by Miro Hrončok — 2010-08-10 @ 11:50 | Reply

    • Does your /etc/pam.d/slim look like this: http://nopaste.info/4b177b9c70.html ?
      Are libpam-gnome-keyring and gnome-keyring installed?
      When you were asked for the keyring-password, did you enter your login-password? The login-PW and the keyring-PW need to be identical for this to work (but, as far as I remember, I wasn’t even asked for a new keyring PW after login).

      Comment by caedes — 2010-08-11 @ 02:39 | Reply

      • /etc/pam.d/slim – Exactly.
        Packages – Both.
        Passwords – Identical.

        Don’t know what to do.

        Comment by Miro Hrončok — 2010-08-11 @ 10:33 | Reply

        • Hmmm strange.
          Are there any entries containing “slim” in /var/log/auth.log ? Like:
          Aug 11 13:09:47 laptop slim: pam_unix(slim:session): session opened for user caedes by (uid=0)
          Aug 11 13:09:47 laptop slim: pam_ck_connector(slim:session): nox11 mode, ignoring PAM_TTY :0.0

          Comment by caedes — 2010-08-11 @ 18:24 | Reply

          • churcheee:/home/churchyard# grep slim /var/log/auth.log
            Aug 10 15:32:07 churcheee slim: pam_unix(slim:session): session closed for user churchyard
            Aug 10 15:35:13 churcheee slim: pam_unix(slim:session): session opened for user churchyard by (uid=0)
            Aug 10 15:35:13 churcheee slim: pam_ck_connector(slim:session): nox11 mode, ignoring PAM_TTY :0.0

            Comment by Miro Hrončok — 2010-08-11 @ 20:15

          • Looks ok to me.. strange.

            Comment by caedes — 2010-08-11 @ 20:37

          • After libpam-gnome-keyring was updated to debians 2.30.3-3 (probably from 2.30.3-1) I had the same problem.
            I could fix it by telling telling xfce’s session-management to load the gnome runtime environment on startup (this is a bad translation from german.. I don’t know the exact english title of that option. However you should find this somewhere in xfce’s options).

            If this sudden breakage had anything to do with some timeout, it may be fixed in version 2.30.3-4 (2.30.3-3 introduced a timeout of 10s, 2.30.3-4 set it to 120s).

            Comment by caedes — 2010-11-19 @ 04:44

          • You mean this?

            Comment by Miro Hrončok — 2010-11-19 @ 15:18

          • Yes :)
            If it still doesn’t work then, you could try deleting ~/.gnome2/keyrings/ – I’m not sure, but I think I did that, but maybe it wasn’t necessary (I just tried different things when unlocking stopped working after the update)

            Comment by caedes — 2010-11-19 @ 17:11

          • Well, I have this checked all the time before. But now, when deleted (renamed) ~/.gnome2/keyrings/, it worked. Also, I’ve copied default.keyring from my old ~/.gnome2/keyrings/ folder to the new one as login.keyring => I haven’t lost any of my passwords. If you ever come to Prague, you’ll have a beer from me, just let me know :)

            PS Can I post the solution on my Czech blog? I would link this page of course.

            Comment by Miro Hrončok — 2010-11-19 @ 17:55

          • I’m glad it worked :)
            Of course you can post the solution to your blog.

            If I ever visit Prague I’ll let you know, thanks ;)

            Comment by caedes — 2010-11-19 @ 18:11

          • Gksu still asks for new password for the default keyring. So I’m back with my old ~/.gnome2/keyrings/, checked “allways unlock the keyring when logging in” and it works well.

            Comment by Miro Hrončok — 2010-11-19 @ 19:05

  3. Hey, thanks very much for this! Worked great!

    Comment by Mapscone — 2011-02-15 @ 14:33 | Reply

  4. Great job. Worked out perfectly!

    Comment by Willie Matthews — 2011-09-21 @ 10:09 | Reply

  5. I would recommend you try WiCD. It comes with GUI and CLI programs to allow you to manage your network connections. You must remove Network-Manager for it to work, but once you get it working I think you’ll understand why it’s recommended :D

    Comment by Daryl Tucker — 2012-02-05 @ 20:58 | Reply


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: