pam_keyring is supposed to be able to execute gnome-keyring with the users' password upon login while at the same time export the necessary GNOME_KEYRING_SOCKET and GNOME_KEYRING_PID environment variables. Well, it does start gnome-keyring-daemon upon login, but it does not export the environment variables as it should. Thus, no application can communicate with gnome-keyring-daemon. This is my /etc/pam.d/gdm : auth optional pam_env.so auth optional pam_keyring.so try_first_pass auth include system-auth auth required pam_nologin.so account include system-auth password include system-auth session include system-auth session optional pam_keyring.so And this is what /var/log/auth.log says when I try to log in via GDM: gdm[8995]: pam_keyring: gdm: pam_keyring: starting gnome-keyring-daemon gdm[8995]: pam_keyring: gdm: pam_keyring: gnome-keyring-daemon failed to start correctly, exit code: 157 The exit codes seems to change now and then. I do not know why. As I wrote earlier, it does manage to start gnome-keyring-daemon, but does not export the environment variables. Reproducible: Always Steps to Reproduce: 1. Emerge gnome-keyring and pam_keyring. 2. Edit /etc/pam.d/gdm , typing in something similar to what can be found in /usr/share/doc/pam_keyring-0.0.8/gdm.example.gz . 3. Log in via GDM. 4. Open a terminal and try to echo $GNOME_KEYRING_PID and $GNOME_KEYRING_SOCKET . Actual Results: gnome-keyring-daemon is started, but no GNOME_KEYRING_* environment variables are exported. Expected Results: gnome-keyring-daemon should be started and successfully export the GNOME_KEYRING_* environment variables. $ emerge --info Portage 2.1.1-r2 (default-linux/x86/2006.1, gcc-4.1.1, glibc-2.4-r4, 2.6.18-hardened i686) ================================================================= System uname: 2.6.18-hardened i686 Intel(R) Celeron(R) M processor 1.50GHz Gentoo Base System version 1.12.6 Last Sync: Sun, 28 Jan 2007 12:00:01 +0000 app-admin/eselect-compiler: [Not Present] dev-java/java-config: 1.3.7, 2.0.31 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-Os -mtune=i686 -pipe -g" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c" CXXFLAGS="-Os -mtune=i686 -pipe -g" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig buildpkg distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms splitdebug strict" GENTOO_MIRRORS="http://ds.thn.htu.se/linux/gentoo/" LANG="sv_SE.UTF-8" LINGUAS="sv_SE" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage-overlays/xfce /usr/local/portage-overlays/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 3dnow 3dnowext a52 aac acl alsa alsa_cards_ali5451 alsa_cards_als4000 alsa_cards_atiixp alsa_cards_atiixp-modem alsa_cards_bt87x alsa_cards_ca0106 alsa_cards_cmipci alsa_cards_emu10k1x alsa_cards_ens1370 alsa_cards_ens1371 alsa_cards_es1938 alsa_cards_es1968 alsa_cards_fm801 alsa_cards_hda-intel alsa_cards_intel8x0 alsa_cards_intel8x0m alsa_cards_maestro3 alsa_cards_trident alsa_cards_usb-audio alsa_cards_via82xx alsa_cards_via82xx-modem alsa_cards_ymfpci alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol avahi bitmap-fonts bzip2 cairo cdr cjk cli cracklib crypt cups dbus dlloader dri dts dvd dvdr dvdread elibc_glibc flac gdbm gnome gnutls gpm hal hardened iconv input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_synaptics ipv6 isdnlog jpeg kernel_linux lcd_devices_bayrad lcd_devices_cfontz lcd_devices_cfontz633 lcd_devices_glk lcd_devices_hd44780 lcd_devices_lb216 lcd_devices_lcdm001 lcd_devices_mtxorb lcd_devices_ncurses lcd_devices_text lcms libg++ libnotify linguas_sv_SE lirc mad mmx mmxext mpeg ncurses nls nptl nptlonly ogg opengl pam pcre pdf pic png ppds pppd python readline reflection sdl session speex spell spl sse sse2 ssl startup-notification svg tcpd theora truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_i810 video_cards_nv video_cards_radeon vorbis xinerama xorg xv xvid xvmc zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Same here. I tried changing the order of entries in /etc/pam.d/gdm, but that does not help.
Created attachment 111213 [details, diff] pam_keyring-0.0.8-sigchild_dfl.patch Applying this patch from Debian fixes it for me (it seems to have to do with gdm). It needs a modified version of pam_keyring-0.0.8-fixes.patch because of duplication between the patches.
Created attachment 111214 [details, diff] pam_keyring-0.0.8-compat.patch Modified version of fixes patch which I renamed to better reflect its content.
(In reply to comment #3) > Created an attachment (id=111214) [edit] > pam_keyring-0.0.8-compat.patch > > Modified version of fixes patch which I renamed to better reflect its content. > Seems to work just fine now. Nice. :)
Patches seems to work correctly here too. The only problem is that now I have to enter password to gdm _twice_ . After some googling I found this one ( http://www.ee.surrey.ac.uk/Personal/R.Peel/observations.html ) which solved this issue too. In short you have to modify a pam.d/ file (system-auth) to let gdm ask you your pass only once. Maybe that file could be installed with modifications already in.
(In reply to comment #5) This did not happen for me, so perhaps it is due to a different issue?
(In reply to comment #6) It could be, but I don't think so. That gdm issue appeared only after I installed pam_keyring with patches in this bug. Before, with the portage one, it just asked pass once but it didnt' work.
(In reply to comment #7) > (In reply to comment #6) > > It could be, but I don't think so. That gdm issue appeared only after I > installed pam_keyring with patches in this bug. Before, with the portage one, > it just asked pass once but it didnt' work. > I don't have that problem myself. Could you post your /etc/pam.d/{system-auth,gdm} so I can compare my files with yours?
nip @ Lebowsky ~ $ cat /etc/pam.d/gdm #%PAM-1.0 auth optional pam_env.so auth optional pam_keyring.so try_first_pass auth include system-auth auth required pam_nologin.so account include system-auth password include system-auth session include system-auth session optional pam_console.so session optional pam_keyring.so onip @ Lebowsky ~ $ cat /etc/pam.d/system-auth #%PAM-1.0 auth required pam_env.so auth sufficient pam_unix.so likeauth try_first_pass nullok auth required pam_deny.so account required pam_unix.so password required pam_cracklib.so try_first_pass difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password sufficient pam_unix.so try_first_pass nullok md5 shadow use_authtok password required pam_deny.so session required pam_limits.so session required pam_unix.so Here they are. In last file I've just added some try_first_pass where you see them. Sorry for the late response
Sorry for the bugspam, but could the package maintainer perhaps have a look at this? It has been two months since I posted the patches that fix this. The version currently in portage does not seem to work without them.
I've run into the same problem: pam_keyring writes in the ``/var/log/messages`` file: gdm[6566]: pam_keyring: gdm: pam_keyring: gnome-keyring-daemon failed to start correctly, exit code: 0 (which is funny enough, because it always fails with exit code 0) Setting the "Hardware" field to "All" would be good, as it does not work on amd64 properly as well. So I replaced ``pam_keyring-0.0.8-fixes.patch`` by the ``pam_keyring-0.0.8-compat.patch`` and added ``pam_keyring-0.0.8-sigchild_dfl.patch``, re-emerged and it works. Partly. GDM asks me twice for a password but this is some setting that has to be done in ``/etc/pam.d/system-auth``. Adding a note in a README file would be nice, though. I'll try to contact the maintainer (I think it's tester <http://www.tester.ca/>) to find a nice solution.
(In reply to comment #5) > Patches seems to work correctly here too. The only problem is that now I have > to enter password to gdm _twice_ . > > After some googling I found this one ( > http://www.ee.surrey.ac.uk/Personal/R.Peel/observations.html ) which solved > this issue too. > > In short you have to modify a pam.d/ file (system-auth) to let gdm ask you your > pass only once. This issue is resolved in pam-0.99.8.1-r1 (which was unmasked recently) which already ships a `system-auth` file which works properly. The older version, pam-0.78-r5 had this problem. So the only problem now are the outdated patches. Could some Gentoo developer please add them to the portage tree, as there are numerous people (including me) who have tried them successfully.
fyi, this package is going away soon, the pam module has been integrated into gnome-keyring 2.20
Happy to hear that! After all, it's just a logical thing to do :) But could you still update the current ebuild? I hope it's not that much work and it will probably stabilize faster than GNOME 2.20, so it could be still useful to people who don't use Gentoo ~arch. Thanks a lot, tester!
Update: GNOME 2.20 hit stable today, and it contains gnome-keyring which provides `pam_gnome_keyring.so`. So I unmerged pam_keyring, removed all of its configuration in `/etc/pam.d/gdm` and added the configuration for GNOME PAM keyring in `/etc/pam.d/system-auth` taken from <http://planet.gentoo.org/developers/remi/2007/10/29/gnome_s_cool_features_gnome_keyring_aamp> If boils down to these lines: auth optional pam_gnome_keyring.so password optional pam_gnome_keyring.so session optional pam_gnome_keyring.so auto_start It works great, even better than before, so `sys-auth/pam_keyring` can now be safely removed from the without any problems. This bug can now be closed.
its masked.. use gnome-base/gnome-keyring