
Bug 164375

Summary: pam_keyring-0.0.8 fails to work with gnome-keyring-0.6.0
Product: Gentoo Linux
Reporter: Fredrik Blom <fhm.blom>
Component: Current packages
Assignee: Olivier Crete (RETIRED) <tester>
Status: RESOLVED FIXED
Severity: normal
CC: follettoonip, jklawiter, marek, olaf, pam-bugs+disabled, rdalek1967, srrijkers
Priority: High
Version: unspecified
Hardware: x86
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: pam_keyring-0.0.8-sigchild_dfl.patch, pam_keyring-0.0.8-compat.patch

Description Fredrik Blom 2007-01-29 10:17:49 UTC
pam_keyring is supposed to be able to execute gnome-keyring with the user's password upon login while at the same time exporting the necessary GNOME_KEYRING_SOCKET and GNOME_KEYRING_PID environment variables. Well, it does start gnome-keyring-daemon upon login, but it does not export the environment variables as it should. Thus, no application can communicate with gnome-keyring-daemon.

This is my /etc/pam.d/gdm :
auth       optional     pam_env.so

auth        optional    pam_keyring.so try_first_pass

auth       include      system-auth
auth       required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth

session     optional    pam_keyring.so

And this is what /var/log/auth.log says when I try to log in via GDM:
gdm[8995]: pam_keyring: gdm: pam_keyring: starting gnome-keyring-daemon
gdm[8995]: pam_keyring: gdm: pam_keyring: gnome-keyring-daemon failed to start correctly, exit code: 157

The exit codes seem to change now and then. I do not know why.

As I wrote earlier, it does manage to start gnome-keyring-daemon, but does not export the environment variables.

Reproducible: Always

Steps to Reproduce:
1. Emerge gnome-keyring and pam_keyring.
2. Edit /etc/pam.d/gdm , typing in something similar to what can be found in /usr/share/doc/pam_keyring-0.0.8/gdm.example.gz .
3. Log in via GDM.
4. Open a terminal and try to echo $GNOME_KEYRING_PID and $GNOME_KEYRING_SOCKET .
Actual Results:  
gnome-keyring-daemon is started, but no GNOME_KEYRING_* environment variables are exported.

Expected Results:  
gnome-keyring-daemon should be started and successfully export the GNOME_KEYRING_* environment variables.

$ emerge --info

Portage 2.1.1-r2 (default-linux/x86/2006.1, gcc-4.1.1, glibc-2.4-r4, 2.6.18-hardened i686)
=================================================================
System uname: 2.6.18-hardened i686 Intel(R) Celeron(R) M processor         1.50GHz
Gentoo Base System version 1.12.6
Last Sync: Sun, 28 Jan 2007 12:00:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -mtune=i686 -pipe -g"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-Os -mtune=i686 -pipe -g"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms splitdebug strict"
GENTOO_MIRRORS="http://ds.thn.htu.se/linux/gentoo/"
LANG="sv_SE.UTF-8"
LINGUAS="sv_SE"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage-overlays/xfce /usr/local/portage-overlays/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow 3dnowext a52 aac acl alsa alsa_cards_ali5451 alsa_cards_als4000 alsa_cards_atiixp alsa_cards_atiixp-modem alsa_cards_bt87x alsa_cards_ca0106 alsa_cards_cmipci alsa_cards_emu10k1x alsa_cards_ens1370 alsa_cards_ens1371 alsa_cards_es1938 alsa_cards_es1968 alsa_cards_fm801 alsa_cards_hda-intel alsa_cards_intel8x0 alsa_cards_intel8x0m alsa_cards_maestro3 alsa_cards_trident alsa_cards_usb-audio alsa_cards_via82xx alsa_cards_via82xx-modem alsa_cards_ymfpci alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol avahi bitmap-fonts bzip2 cairo cdr cjk cli cracklib crypt cups dbus dlloader dri dts dvd dvdr dvdread elibc_glibc flac gdbm gnome gnutls gpm hal hardened iconv input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_synaptics ipv6 isdnlog jpeg kernel_linux lcd_devices_bayrad lcd_devices_cfontz lcd_devices_cfontz633 lcd_devices_glk lcd_devices_hd44780 lcd_devices_lb216 lcd_devices_lcdm001 lcd_devices_mtxorb lcd_devices_ncurses lcd_devices_text lcms libg++ libnotify linguas_sv_SE lirc mad mmx mmxext mpeg ncurses nls nptl nptlonly ogg opengl pam pcre pdf pic png ppds pppd python readline reflection sdl session speex spell spl sse sse2 ssl startup-notification svg tcpd theora truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_i810 video_cards_nv video_cards_radeon vorbis xinerama xorg xv xvid xvmc zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Olaf Walkowiak 2007-02-07 11:04:56 UTC
Same here. I tried changing the order of entries in /etc/pam.d/gdm, but that does not help.

Comment 2 srrijkers 2007-02-25 17:58:40 UTC
Created attachment 111213: pam_keyring-0.0.8-sigchild_dfl.patch

Applying this patch from Debian fixes it for me (it seems to have to do with gdm). It needs a modified version of pam_keyring-0.0.8-fixes.patch because of duplication between the patches.
Comment 3 srrijkers 2007-02-25 18:00:42 UTC
Created attachment 111214: pam_keyring-0.0.8-compat.patch

Modified version of fixes patch which I renamed to better reflect its content.
Comment 4 Fredrik Blom 2007-03-17 14:28:31 UTC
(In reply to comment #3)
> Created an attachment (id=111214) [edit]
> pam_keyring-0.0.8-compat.patch
> 
> Modified version of fixes patch which I renamed to better reflect its content.
> 

Seems to work just fine now. Nice. :)
Comment 5 onip 2007-03-30 15:55:32 UTC
Patches seem to work correctly here too. The only problem is that now I have to enter password to gdm _twice_.

After some googling I found this one ( http://www.ee.surrey.ac.uk/Personal/R.Peel/observations.html ) which solved this issue too.

In short you have to modify a pam.d/ file (system-auth) to let gdm ask you your pass only once.

Maybe that file could be installed with modifications already in.
Comment 6 srrijkers 2007-03-31 08:58:49 UTC
(In reply to comment #5)

This did not happen for me, so perhaps it is due to a different issue?
Comment 7 onip 2007-03-31 09:40:49 UTC
(In reply to comment #6)

It could be, but I don't think so. That gdm issue appeared only after I installed pam_keyring with patches in this bug. Before, with the portage one, it just asked pass once but it didn't work.

Comment 8 Fredrik Blom 2007-03-31 13:10:01 UTC
(In reply to comment #7)
> (In reply to comment #6)
> 
> It could be, but I don't think so. That gdm issue appeared only after I
> installed pam_keyring with patches in this bug. Before, with the portage one,
> it just asked pass once but it didn't work.
> 

I don't have that problem myself. Could you post your /etc/pam.d/{system-auth,gdm} so I can compare my files with yours?
Comment 9 onip 2007-04-02 15:56:26 UTC
nip @ Lebowsky ~ $ cat  /etc/pam.d/gdm
#%PAM-1.0
auth       optional             pam_env.so
auth       optional             pam_keyring.so try_first_pass

auth       include              system-auth
auth       required             pam_nologin.so
account    include              system-auth
password   include              system-auth
session    include              system-auth

session    optional             pam_console.so
session    optional             pam_keyring.so


onip @ Lebowsky ~ $ cat  /etc/pam.d/system-auth 
#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth try_first_pass nullok
auth       required     pam_deny.so

account    required     pam_unix.so

password   required     pam_cracklib.so try_first_pass difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so try_first_pass nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so


Here they are. In the last file I've just added some try_first_pass where you see them. Sorry for the late response.
Comment 10 srrijkers 2007-04-23 12:09:59 UTC
Sorry for the bugspam, but could the package maintainer perhaps have a look at this? It has been two months since I posted the patches that fix this. The version currently in portage does not seem to work without them.
Comment 11 Marek Kubica 2007-10-03 20:48:06 UTC
I've run into the same problem: pam_keyring writes in the ``/var/log/messages`` file:

gdm[6566]: pam_keyring: gdm: pam_keyring: gnome-keyring-daemon failed to start correctly, exit code: 0

(which is funny enough, because it always fails with exit code 0)

Setting the "Hardware" field to "All" would be good, as it does not work properly on amd64 either.

So I replaced ``pam_keyring-0.0.8-fixes.patch`` by the ``pam_keyring-0.0.8-compat.patch`` and added ``pam_keyring-0.0.8-sigchild_dfl.patch``, re-emerged and it works. Partly. GDM asks me twice for a password but this is some setting that has to be done in ``/etc/pam.d/system-auth``. Adding a note in a README file would be nice, though.

I'll try to contact the maintainer (I think it's tester <http://www.tester.ca/>) to find a nice solution.
Comment 12 Marek Kubica 2007-10-29 11:54:04 UTC
(In reply to comment #5)
> Patches seem to work correctly here too. The only problem is that now I have
> to enter password to gdm _twice_ .
> 
> After some googling I found this one (
> http://www.ee.surrey.ac.uk/Personal/R.Peel/observations.html ) which solved
> this issue too.
> 
> In short you have to modify a pam.d/ file (system-auth) to let gdm ask you your
> pass only once.

This issue is resolved in pam-0.99.8.1-r1 (which was unmasked recently) which already ships a `system-auth` file which works properly. The older version, pam-0.78-r5 had this problem.

So the only problem now is the outdated patches. Could some Gentoo developer please add them to the portage tree, as there are numerous people (including me) who have tried them successfully?
Comment 13 Olivier Crete (RETIRED) gentoo-dev 2007-10-29 13:31:49 UTC
fyi, this package is going away soon, the pam module has been integrated into gnome-keyring 2.20
Comment 14 Marek Kubica 2007-10-29 14:09:12 UTC
Happy to hear that! After all, it's just a logical thing to do :)

But could you still update the current ebuild? I hope it's not that much work and it will probably stabilize faster than GNOME 2.20, so it could be still useful to people who don't use Gentoo ~arch.

Thanks a lot, tester!
Comment 15 Marek Kubica 2007-11-20 22:49:06 UTC
Update: GNOME 2.20 hit stable today, and it contains gnome-keyring which provides `pam_gnome_keyring.so`. So I unmerged pam_keyring, removed all of its configuration in `/etc/pam.d/gdm` and added the configuration for GNOME PAM keyring in `/etc/pam.d/system-auth` taken from <http://planet.gentoo.org/developers/remi/2007/10/29/gnome_s_cool_features_gnome_keyring_aamp>

It boils down to these lines:

auth optional pam_gnome_keyring.so
password optional pam_gnome_keyring.so
session optional pam_gnome_keyring.so auto_start

It works great, even better than before, so `sys-auth/pam_keyring` can now be safely removed from the without any problems. This bug can now be closed.
Comment 16 Olivier Crete (RETIRED) gentoo-dev 2007-11-20 23:14:20 UTC
it's masked.. use gnome-base/gnome-keyring
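
The two configuration issues in this thread, the double password prompt (comments 5, 9 and 11) and the pam_keyring.so lines that comment 15 removes after the migration, can be checked mechanically. The following linter is an added example, not part of the bug report or of pam_keyring; the sample files are constructed (modelled on comment 9, with the "old" system-auth being the posted file minus the added try_first_pass), and the function names and the assumption that pam_unix.so and pam_keyring.so are the prompting modules belong to this example.

```python
PROMPTING = {"pam_unix.so", "pam_keyring.so"}  # assumption: these ask for the password
REUSE = {"try_first_pass", "use_first_pass"}   # options that reuse an earlier password

def parse(text):
    """Yield (type, control, module, options) for each rule in a pam.d file."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield fields[0], fields[1], fields[2], fields[3:]

def expand(service, files, kind):
    """Flatten one management group of a service, following 'include' lines."""
    stack = []
    for typ, control, module, opts in parse(files[service]):
        if typ == kind and control == "include":
            stack += expand(module, files, kind)
        elif typ == kind:
            stack.append((module, opts))
    return stack

def lint(service, files):
    """Return findings for double password prompts and stale pam_keyring.so lines."""
    findings, prompted = [], False
    for module, opts in expand(service, files, "auth"):
        if module in PROMPTING:
            if prompted and not REUSE & set(opts):
                findings.append(f"double-prompt: {module} lacks try_first_pass")
            prompted = True
    for kind in ("auth", "password", "session"):
        if any(m == "pam_keyring.so" for m, _ in expand(service, files, kind)):
            findings.append(f"stale: {kind} still loads pam_keyring.so")
    return findings

# Constructed sample files, modelled on the configs posted in comment 9.
GDM = """#%PAM-1.0
auth     optional  pam_keyring.so try_first_pass
auth     include   system-auth
session  include   system-auth
session  optional  pam_keyring.so
"""
SYSTEM_AUTH_OLD = """auth     sufficient  pam_unix.so likeauth nullok
auth     required    pam_deny.so
session  required    pam_unix.so
"""
SYSTEM_AUTH_FIXED = SYSTEM_AUTH_OLD.replace("likeauth", "likeauth try_first_pass")

if __name__ == "__main__":
    for label, sa in (("old", SYSTEM_AUTH_OLD), ("fixed", SYSTEM_AUTH_FIXED)):
        print(label, lint("gdm", {"gdm": GDM, "system-auth": sa}))
```

The linter only inspects option names and module order; it does not model PAM control flags such as `sufficient`, so treat its findings as prompts for manual review of the stack.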