PAM_KEYRING: Automatic Keyring Authentication
WARNING! THIS POST HAS BEEN MARKED AS OUTDATED!
While there may be useful information still contained within the article, there may be other more relevant articles out on the Internet. Please pay close attention to version numbers of software that this article refers to. If you're not careful, you could break your system if you do not understand what you are doing. If you would like to see this article updated, please contact the site administrator using the Contact page. Thanks!
UPDATE (11-03-2008): These instructions are no longer applicable to Ubuntu version 8.10 and higher. The latest versions of Ubuntu allow you to use a blank password for your keyring, which will allow user accounts automatically logged in by GDM to access the keyring.
If you are not using the GDM auto login feature, simply make sure your keyring password is the same as your login password; this way it is automatically unlocked for you. The keyring passwords are now easy to change from “Applications… Accessories… Passwords and Encryption Keys… Edit menu… Preferences… Password Keyrings.” Highlight the “login” entry, and use the “Change Unlock Password” button.
The original instructions below ONLY apply to versions previous to Ubuntu 8.04.
ORIGINAL POST:
If you would like to avoid having to type in a password to access your gnome keyring, then you are in luck. To quote from the author's web site, “PAM_KEYRING is a pam module that launches the gnome-keyring-daemon and then unlocks a keyring using your login password.”
In Ubuntu 7.04, this comes in handy when using Network Manager to connect to your wireless network. Typically users are prompted for the “master” password to their keyring manager immediately after logging on to gnome, and this can become tedious. Installing and configuring PAM_KEYRING is a snap.
1. Install libpam-keyring from universe repositories.
$ sudo apt-get install libpam-keyring
2. Add the pamkeyring module to /etc/pam.d/gdm
$ echo "@include common-pamkeyring" | sudo tee -a /etc/pam.d/gdm
UPDATED: (10/25/2007)
With the release of Ubuntu 7.10 Gutsy, libpam-keyring is no longer needed, as this feature has been built in by default with the package “libpam-gnome-keyring”.
UPDATED: (04/21/2008) – For GDM Auto-Login Users
Sorry for not updating this post sooner. I helped someone else with this offline a while back. Here’s an excerpt from my email. It works well with Ubuntu 7.10 Gutsy, and “should” work with Hardy, unless there’s been some major changes with the libpam-gnome-keyring package that I don’t know about.
The auto login feature of GDM relies on the GDM process's ability to run Gnome as your user account, but it does not have to know the password, as it’s using an “su” command to accomplish the magic.
There lies the problem. The keyring uses the password supplied by the user to unlock itself, and being that no password is supplied to pam, it cannot unlock the keyring.
From a useful bug report, one fellow outlined how he has always done it previously using a login script. He used a tool called “pam-keyring-tool” included with the libpam-keyring package. The new libpam-gnome-keyring package does not include this binary, so in order for this to work, you need to compile it from source.
I’ve successfully got it working using the following procedures:
Step 1: Download latest pam_keyring source code. I like to place all source code in /usr/src/:
cd /usr/src/
sudo wget http://www.hekanetworks.com/opensource/pam_keyring/pam_keyring-0.0.9.tar.gz
Step 2: Unpack source code
sudo tar zxfv pam_keyring-0.0.9.tar.gz
Step 3: Install prerequisites
sudo apt-get install build-essential libglib1.2-dev libglib2.0-dev
sudo apt-get install libtool libgnome-keyring-dev libpam0g-dev
Step 4: Compile and Install
cd /usr/src/pam_keyring-0.0.9
sudo ./configure --prefix=/usr
sudo make
sudo cp src/pam-keyring-tool /usr/bin/
Note: I’m not doing a “make install” because I only want this binary to be installed and nothing else.
Step 5: Test binary
/usr/bin/pam-keyring-tool --help
If you get a nice usage menu, you’ll see what the tool options are, and your compilation is complete.
Step 6: Create login script called “unlock-keyring.sh”.
Since the file will contain your password in clear text, you’ll want to keep it in your home folder, readable only by your user. Yes… I know this is lame.
mkdir ~/scripts
# 700 = owner only; these files are yours, so sudo is not needed
chmod 700 ~/scripts
touch ~/scripts/unlock-keyring.sh
chmod 700 ~/scripts/unlock-keyring.sh
gedit ~/scripts/unlock-keyring.sh
Add the following to the script:
#!/bin/bash
echo "PASSWORD_HERE" | /usr/bin/pam-keyring-tool -u -s
Step 7: Add the script to your gnome session startup scripts
System -> Preferences -> Sessions
Under Startup Programs, add a new entry that will appear first in the list. e.g. “1-unlock-keyring”
The command will be:
/home/USERNAME_HERE/scripts/unlock-keyring.sh
Step 8: Ensure your /etc/pam.d/gdm-autologin is set to its defaults. This was the default Gutsy 7.10 version for reference.
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
@include common-account
session required pam_limits.so
@include common-session
@include common-password
Step 9: Restart GDM or simply reboot.
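An added example, not part of the original post: a check to run before restarting GDM. It confirms that the directory and script holding the clear-text password from Step 6 are owned by you with no group or other access, and prints any active line in a PAM file that is not in the Step 8 defaults (a stray @include, for instance). The function names and the precheck wrapper are hypothetical; GNU grep and sed are assumed.

```bash
#!/bin/bash
# Added example (not from the original post): checks to run before Step 9.

# Step 8 defaults (Gutsy 7.10), one rule per line, single-spaced.
GDM_AUTOLOGIN_DEFAULT='auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
@include common-account
session required pam_limits.so
@include common-session
@include common-password'

# Succeed only if $1 exists, is owned by the current user, and its mode
# grants nothing to group or other (e.g. 700 or 600).
is_private() {
    [ -e "$1" ] || { echo "missing: $1" >&2; return 2; }
    [ -O "$1" ] || { echo "not owned by you: $1" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ] && return 0
    echo "group/other access ($perms): $1" >&2
    return 1
}

# Print active lines of PAM file $1 that are not in the Step 8 defaults and
# return 1 if there are any. Comments and blank lines are ignored.
pam_extra_lines() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    extra=$(sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' \
                -e 's/^ //' -e 's/ $//' "$1" |
            grep -v '^$' |
            grep -vxF -e "$GDM_AUTOLOGIN_DEFAULT" || true)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Hypothetical wrapper: check the paths used in Steps 6 and 8.
precheck() {
    rc=0
    is_private "$HOME/scripts" || rc=1
    is_private "$HOME/scripts/unlock-keyring.sh" || rc=1
    pam_extra_lines /etc/pam.d/gdm-autologin || rc=1
    return "$rc"
}

# Run against the real paths only when asked: ./precheck.sh --run
if [ "${1:-}" = "--run" ]; then precheck; fi
```

The PAM check only reports lines that were added; it does not notice a default line that has been deleted.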
I really hope this helps you guys out.
Comments
richard said,
Note: this is not compatible with session auto log in
gmendoza said,
Richard… thanks for your input. As brought out in our off line conversation, libpam-keyring can also be used with the GDM auto-login feature.
This is accomplished by adding the same entry in “/etc/pam.d/gdm-autologin” file:
$ echo "@include common-pamkeyring" | sudo tee -a /etc/pam.d/gdm-autologin
I have added this procedure as optional step number three in the post above.
Andrew said,
I tried this fix and now when I reboot I get the gdm screen and a “Login Error” popup that will not allow me to login. I am on a live disk trying to unbork my laptop now. How do I undo this “fix”?
Andrew said,
I fixed it. From the live CD I deleted the last added line from the gdm-autologin file that dealt with the keyring. I will live with having to type in the damn password until someone else fixes it for real.
gmendoza said,
I sent you an email off line, but figured I’d also follow up here. The libpam-keyring instructions do work, however, as mentioned in the post, there are a couple requirements.
1. The version of Ubuntu should be 7.04, as 7.10 Gutsy already has a package built in to handle this.
2. The keyring password has to be the same as the user's password.
Your issue may be related to a typo in the /etc/pam.d/gdm-autologin configuration file, unless you’re using a higher version of Ubuntu, in which case, it would be conflicting with other statements in the file.
Ed Stephens said,
I am also unable to unlock the keyring using autologin. Have followed all the instructions for modifying etc/pam.d/pam-autologin, but still get asked to manually enter the keyring password on login in order to allow access to the nm-applet. Even more annoying is when I do enter the password, the nm-applet doesn’t seem to notice and continues to display the revolving ‘waiting for wireless network key…’ animation in the toolbar – in order to connect I then have to click the nm-applet icon and reselect the wireless network (after which it does connect).
I was initially using Ubuntu 7.04, but have since upgraded to 7.10 but still get exactly the same problem.
I’m really tearing my hair out on this one, and can’t believe that what appears to be such a fundamental problem with ubuntu hasn’t been resolved.
Dom said,
If it works I can’t make it work. Although I didn’t run into anything irreversible.
steve said,
Have looked all over but can’t get this working with;
– fresh gutsy install. one account with original password, setup for autologon.
– adding line to gdm-autologin
This then causes autologon to fail.
Some seem to have success, but I have had no such luck. Seems like something so obvious as well…
gmendoza said,
Sorry for not updating this sooner folks. Check out the latest update in the body of the post for full instructions on how to get the auto-login working.
steve said,
The updated instructions work – thanks!
ronald said,
Thanks a lot for the pam-keyring-tool guide. It works on ubuntu 8.04 (hardy heron) with gdm auto-login enabled.
Shaun said,
Hey, this worked great on Xubuntu 8.04. Thanks a lot!
Step 7 is different for Xubuntu though. It’s under Applications -> Settings -> Settings Manager -> Autostarted Apps
Sasha said,
Uhoh…
I can’t even log on anymore >:|
On login I get an “Authentication failed” notice.
help?
Sasha said,
This is a pretty awful fix -__-
gmendoza said,
I’m sorry you’ve run into trouble. These instructions were originally intended for an earlier version of Ubuntu where the keyring was not unlocked by default. See “UPDATED: (10/25/2007)” note. Ubuntu 8.04 should not need this at all, unless you are using the auto-login feature, in which case you can use the instructions at the end of this post.
From a command line (Ctrl+Alt+F1), log in, and edit the /etc/pam.d/gdm configuration file. Remove any additional lines you added to the end of the file. Restart GDM (sudo /etc/init.d/gdm restart).
You should be able to log in again.
kojak said,
Thanks – worked great on Gutsy 7.10. The constant retyping of the password was a real pain.;)
jac0b said,
Thanks for the tip gmendoza, makes startup much easier.
houtek said,
just upgraded a Dell Mini 9 to Ubuntu 8.10 – asking for password to access keyring for wifi – any way to eliminate this? thanks, h
israel vainsencher said,
thanks for the tip, it works nice and clean in 8.10:
The keyring passwords are now easy to change from “Applications… Accessories… Passwords and Encryption Keys… Edit menu… Preferences… Password Keyrings.” Highlight the “login” entry, and use the “Change Unlock Password” button.
Tarjan said,
In Xubuntu 9.10, in the Network Manager -> Edit Connections, check “connect automatically” and “available to all users” on the bottom.