Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 652194 - sys-auth/pambase - rework gnome-keyring support
Summary: sys-auth/pambase - rework gnome-keyring support
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: PAM Gentoo Team (OBSOLETE)
Depends on:
Reported: 2018-04-02 10:31 UTC by Alexander Tsoy
Modified: 2018-09-23 19:34 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

pambase-20150213-gnome-keyring.patch (pambase-20150213-gnome-keyring.patch,1.33 KB, patch)
2018-04-02 10:31 UTC, Alexander Tsoy
Details | Diff
pambase-20150213-r1.ebuild.patch (pambase-20150213-r1.ebuild.patch,1.38 KB, patch)
2018-04-02 10:34 UTC, Alexander Tsoy
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Tsoy 2018-04-02 10:31:03 UTC
Created attachment 526312 [details, diff]

pambase[gnome-keyring] is broken in multiple ways:

1. gnome-keyring for years support only one instance per user. See [1]. Socket has fixed location. Each new instance rewrite the socket and make instances launched in previously opened sessions unusable. For example if you open a GUI session first and then login via ssh, then gnome-keyring in a GUI session will stop working.
2. pambase[gnome-keyring] prevents unlocking of login keyring in gnome-keyring-3.28 when the GUI session is started via gdm. See [2] (Thanks to Poncho for pointing this out). This is presumably due to both gdm and pambase pam configs include pam_gnome_keyring entries.
3. ssh sessions spawn gnome-keyring processes that does not get stopped automatically on logout.
4. Changing user password doesn't change login keyring password.

Thus gnome-keyring should be started from the GUI sessions only and I'm suggesting the following changes to pambase (see attached patch):
- remove gnome-keyring "auth" and "session" entries from pambase;
- move "password" entry from pam.d/system-login to pam.d/passwd.

Also maybe a good idea to start adding gnome-keyring support to other login managers (other than gdm). An example for lightdm: [3].

Comment 1 Alexander Tsoy 2018-04-02 10:34:28 UTC
Created attachment 526314 [details, diff]
Comment 2 Leho Kraav (:macmaN @lkraav) 2018-07-18 07:44:44 UTC
Thanks for the investigation work.

Who needs to approve what to get to the next step here?

Would be nice to maybe have a masked ebuild in the tree or overlay for easier testing on a wider surface?
Comment 3 Pavel 2018-07-25 12:27:18 UTC
I'm very supportive of this undertaking. Every few month there is a bug like: "pam change A,B and C break gnome-keyring"

What if we make an another PAM config called, say, "xsession_session" and shove all gnome/systemd specific PAM configs there? This way, desktop manager maintainers don't have to think anything about specific polkit/consolekit/systemd/elogind setup a user have.
Comment 4 Pacho Ramos gentoo-dev 2018-09-23 16:46:40 UTC
[master fadc9f49e11f] sys-auth/pambase: Fix gnome-keyring (#652194 by Alexander Tsoy)
 1 file changed, 106 insertions(+)
 create mode 100644 sys-auth/pambase/pambase-20150213-r2.ebuild
Comment 5 cyrillic 2018-09-23 19:21:21 UTC
(In reply to Pacho Ramos from comment #4)

>  1 file changed, 106 insertions(+)

It would be good to upload the patch also :)
Comment 6 Pacho Ramos gentoo-dev 2018-09-23 19:34:52 UTC
oh yes :S
[master 669c574f742d] sys-auth/pambase: Commit forgotten patch
 1 file changed, 48 insertions(+)
 create mode 100644 sys-auth/pambase/files/pambase-20150213-gnome-keyring.patch