Created attachment 526312 pambase-20150213-gnome-keyring.patch

pambase[gnome-keyring] is broken in multiple ways:

1. gnome-keyring has for years supported only one instance per user. See [1]. The socket has a fixed location. Each new instance rewrites the socket and makes instances launched in previously opened sessions unusable. For example, if you open a GUI session first and then log in via ssh, then gnome-keyring in the GUI session will stop working.
2. pambase[gnome-keyring] prevents unlocking of the login keyring in gnome-keyring-3.28 when the GUI session is started via gdm. See [2] (thanks to Poncho for pointing this out). This is presumably due to both gdm and pambase pam configs including pam_gnome_keyring entries.
3. ssh sessions spawn gnome-keyring processes that do not get stopped automatically on logout.
4. Changing the user password doesn't change the login keyring password.

Thus gnome-keyring should be started from the GUI sessions only and I'm suggesting the following changes to pambase (see attached patch):

- remove gnome-keyring "auth" and "session" entries from pambase;
- move the "password" entry from pam.d/system-login to pam.d/passwd.

Also, it may be a good idea to start adding gnome-keyring support to other login managers (other than gdm). An example for lightdm: [3].

[1] https://git.gnome.org/browse/gnome-keyring/commit/?id=275a696131e41ea4be3d3ddf6690b8bcd0fe0105
[2] https://git.gnome.org/browse/gnome-keyring/commit/?h=gnome-3-28&id=9db67ef6e39ac51d426dee91da3b9305670241e6
[3] https://src.fedoraproject.org/rpms/lightdm/blob/master/f/lightdm.pam
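
One way to check a PAM tree against the layout proposed in the report above, added here as an illustration and not part of the bug thread or the attached patch. The PAM file contents are constructed samples, `gdm-password` is assumed to be the only GUI login service, and the function names are hypothetical.

```python
import re

KEYRING = "pam_gnome_keyring.so"
GDM = ("auth include system-login\nauth optional pam_gnome_keyring.so\n"
       "session include system-login\n"
       "session optional pam_gnome_keyring.so auto_start\n")
# Constructed /etc/pam.d samples (not the real pambase or gdm files).
BEFORE = {
    "system-login": "auth optional pam_gnome_keyring.so\n"
                    "password optional pam_gnome_keyring.so\n"
                    "session optional pam_gnome_keyring.so auto_start\n",
    "passwd": "password include system-auth\n",
    "sshd": "auth include system-login\nsession include system-login\n",
    "gdm-password": GDM,
}
AFTER = dict(BEFORE, **{
    "system-login": "auth required pam_nologin.so\n",
    "passwd": "password include system-auth\n"
              "password optional pam_gnome_keyring.so\n",
})

def modules(files, service, mtype, seen=()):
    """Modules of one type that a service runs, following include/substack."""
    found = []
    for line in files.get(service, "").splitlines():
        # Drop comments; collapse "[success=1 ...]" controls into one field.
        f = re.sub(r"\[[^\]]*\]", "ctl", line.split("#", 1)[0]).split()
        if len(f) < 3 or f[0].lstrip("-") != mtype:
            continue
        if f[1] in ("include", "substack"):
            if f[2] not in seen:  # guard against include loops
                found += modules(files, f[2], mtype, seen + (service,))
        else:
            found.append(f[2])
    return found

def audit(files, gui=("gdm-password",)):
    """Report where a PAM tree departs from the layout proposed in the report."""
    out = []
    for svc in sorted(files):
        for mtype in ("auth", "session"):
            n = modules(files, svc, mtype).count(KEYRING)
            if n and svc not in gui:
                out.append(f"{svc}/{mtype}: keyring started outside a GUI login")
            elif n > 1:
                out.append(f"{svc}/{mtype}: keyring listed {n} times")
    if KEYRING not in modules(files, "passwd", "password"):
        out.append("passwd/password: keyring password not updated")
    return out
```

`audit(BEFORE)` reports the ssh and system-login stacks, the doubled entry in the gdm stack, and the missing `passwd` entry; `audit(AFTER)` returns an empty list.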
Created attachment 526314 pambase-20150213-r1.ebuild.patch
Thanks for the investigation work. Who needs to approve what to get to the next step here? Would be nice to maybe have a masked ebuild in the tree or overlay for easier testing on a wider surface?
I'm very supportive of this undertaking. Every few months there is a bug like: "pam changes A, B and C break gnome-keyring". What if we make another PAM config called, say, "xsession_session" and shove all gnome/systemd-specific PAM configs there? This way, desktop manager maintainers don't have to think about the specific polkit/consolekit/systemd/elogind setup a user has.
[master fadc9f49e11f] sys-auth/pambase: Fix gnome-keyring (#652194 by Alexander Tsoy)
 1 file changed, 106 insertions(+)
 create mode 100644 sys-auth/pambase/pambase-20150213-r2.ebuild

(In reply to Pacho Ramos from comment #4)
> 1 file changed, 106 insertions(+)

It would be good to upload the patch also :)

oh yes :S

[master 669c574f742d] sys-auth/pambase: Commit forgotten patch
 1 file changed, 48 insertions(+)
 create mode 100644 sys-auth/pambase/files/pambase-20150213-gnome-keyring.patch