Created attachment 526312 [details, diff]
pambase[gnome-keyring] is broken in multiple ways:
1. gnome-keyring for years support only one instance per user. See . Socket has fixed location. Each new instance rewrite the socket and make instances launched in previously opened sessions unusable. For example if you open a GUI session first and then login via ssh, then gnome-keyring in a GUI session will stop working.
2. pambase[gnome-keyring] prevents unlocking of login keyring in gnome-keyring-3.28 when the GUI session is started via gdm. See  (Thanks to Poncho for pointing this out). This is presumably due to both gdm and pambase pam configs include pam_gnome_keyring entries.
3. ssh sessions spawn gnome-keyring processes that does not get stopped automatically on logout.
4. Changing user password doesn't change login keyring password.
Thus gnome-keyring should be started from the GUI sessions only and I'm suggesting the following changes to pambase (see attached patch):
- remove gnome-keyring "auth" and "session" entries from pambase;
- move "password" entry from pam.d/system-login to pam.d/passwd.
Also maybe a good idea to start adding gnome-keyring support to other login managers (other than gdm). An example for lightdm: .
Created attachment 526314 [details, diff]
Thanks for the investigation work.
Who needs to approve what to get to the next step here?
Would be nice to maybe have a masked ebuild in the tree or overlay for easier testing on a wider surface?
I'm very supportive of this undertaking. Every few month there is a bug like: "pam change A,B and C break gnome-keyring"
What if we make an another PAM config called, say, "xsession_session" and shove all gnome/systemd specific PAM configs there? This way, desktop manager maintainers don't have to think anything about specific polkit/consolekit/systemd/elogind setup a user have.
[master fadc9f49e11f] sys-auth/pambase: Fix gnome-keyring (#652194 by Alexander Tsoy)
1 file changed, 106 insertions(+)
create mode 100644 sys-auth/pambase/pambase-20150213-r2.ebuild
(In reply to Pacho Ramos from comment #4)
> 1 file changed, 106 insertions(+)
It would be good to upload the patch also :)
oh yes :S
[master 669c574f742d] sys-auth/pambase: Commit forgotten patch
1 file changed, 48 insertions(+)
create mode 100644 sys-auth/pambase/files/pambase-20150213-gnome-keyring.patch