Welcome!
Important information
-- Spectre and Meltdown vulnerabilities
-- Change in MX sources

News
-- MX Linux on social media: here
-- Mepis support still here

Current releases
-- MX-17.1 Final release info here
-- antiX-17 release info here

New users
-- Please read this first, and don't forget to add system and hardware information to posts!
-- Here are the Forum Rules

Gnome keyring bother and managing Services

Message
Author
User avatar
fehlix
Forum Guide
Forum Guide
Posts: 1156
Joined: Wed Apr 11, 2018 5:09 pm

Re: Gnome keyring bother and managing Services

#11 Post by fehlix » Mon Jul 30, 2018 5:24 pm

boombaby wrote:
Mon Jul 30, 2018 5:08 am

Q.1. So why did turning OFF the settings not work?
Q.2. Is there a GUI facility for managing the Services similarly?
Better to ask questions related together within one thread. Ignoring for now the MATE/KDE questions here.

Firstly, I do understand your confusion. Unfortunately you do confuse your self more a little bit as you trying to solve something without understanding how/what to solve and also as you do mix different things together.

What is this gnome-keyring-thingy?
A couple of years ago the gnome-folks brought us their way of solving the saved credential issue.
Remember before gnome-keyring (GKR for now) all developer had to find a way to store somehow the credentials (username/password, etc), and all made it differently, secured, in plaintext, hidden etc.

GKR provides a way of store credential securely within a “encryped datasbase file”, which sometimes is simplified refered to as the “gnome keyring”. To access (store and retrieve) GKR comes with a programmable API which now developer can use.
But that was not enough, a next step was to provide a “service” API to provide access to save/restore credentials.

The service API is the part which you make accessible through the autostart entry of GKR-service.
That’s not a system-daemon/service. So no need to look there.

But there are a lot of programs out which do not care about that service anyway, but calling directly the GKR-API programatically.

And here probably starts your issue.
As you haven’t told as which programs you start, we don’t know which type of access to GKR those programs are using.

Some example: Firefox (and other firefox based browser) do not use GKR as they do have their own “keyring”
Chomium-based browser do uses directly GKR-features. Those programms which using the GKR-API using the gnome-subsystem calls to directly store (per sessions, or permanetly ) the credentials.
And you would get very often popups for those programs where you would need to enter e.g. the root password, but not always depending how those programs do call the gnome-subsystem, or of if call it et all.

To make the issue even worse for you: If you ticked in one of those first popup „Remember Password“ and „Save in keyring“ and within the next popup „Choose password for new keyring“ you changed your mind by pressing cancel. You would get always get a popup for entering and saving it into the new keyring as unfortunatly having pressed cancel did not cleared the first choice of “Save in the keyring” out of the gnome-sub-system. I.e. the (gnome-sub-) system still assumes you want to save to keyring. That’s why you might get always asked politely for a new name and password for the new keyring.

So you would need answer some questions,
as it is not clear for me what type of popup you are getting:
Let us know what programs you start and best make screenshots of the popups and do post those here
After that, we might be able to get you out of the mess.

Thats all for now.
Have a nice day.

boombaby
Forum Novice
Forum  Novice
Posts: 14
Joined: Fri Jul 27, 2018 1:41 am

Re: Gnome keyring bother and managing Services

#12 Post by boombaby » Tue Jul 31, 2018 4:37 am



Hello, fehlix


PART-1 (CLARITY)

Yes; NOW I am having a nice day. Thanks for asking.

And thanks for your explanation. Apart from me having to come to terms with the way you express English I found your explanatory reasoning FANTASTIC!

However it also provides a bit of a worry. It seems that to be effective with Linux I have to let "Developers" have access to the keyring. Of course that also means the crooks and hackers have access too. (Yes; I know it also depends on firewall and other security things.) Furthermore, if you have been following Snowden then that also means the NSA et al get access too. So; not good.

Fehlix, I had been pretty determined to keep my system isolated from all of that extraneous bother - but the way you have described it all, I can't stay isolated AND I shouldn't. That makes me sad (and angry). [To be clear:- NOT angry with You or your Colleagues; angry with "the bad guys" threat.]

So, here's a question that I hope you can answer which might provide a little further clarity about what you have described...

Developer's only need cross-access to passwords IF they "share" access or data, right? For instance, that would happen when I am using a web-browser and click on a link which requires sending an email, or (perhaps) I cut-and-paste from browser (website) to libreoffice document (on my system). Is that about right? In other words (as I said earlier) to be effective and "right" on linux I MUST provide the software programs (aka the Developers) access across my whole system (because of the way we do "things" on our PCs today) - correct?


PART-2 (RESPONSE TO YOUR REQUEST)

I use daily...

Vivaldi browser 1.15.1147.55 (Stable channel) (64-bit) - Vivaldi has some interesting features I can't do without ;
LibreOffice (Writer) 6.0.1.1 - sometimes for standalone work; sometimes cut and paste from Net ;
Sylpheed email Version 3.5.1 (Build 1174) GTK+ 2.24.31 / GLib 2.50.3 ;
Leafpad 0.8.18.1 ;
PCmanFM 1.2.5 ;
Conky - just for interest ;
Mahjonng (Gnome) 3.22.0 ;

Very occasionally other software: Htop; Calculator; Stellarium; Photonic; Chromium [edit: ie the game]; et al.

Here is the screenshot of the gnome-keyring-poppup-thingy
Image
It pops up just as Vivaldi appears on screen. Then it appears twice (one after another) when I connect to the first website.


PART-3 ("Stew")

I am assuming that the "stew" being referred to (and I make a lovely stew, by the way) is because I have shifted from MX/xfce TO MX/MATE. Is that what the problem is? I thought that's what One does in Linux? As for the KDE Settings panel inside Control Centre in MATE - it's just more controls, more herbs 'n spices? If you want to briefly comment, then fine. I will address this in another Thread - as you implied.


PART-4 (Colleagues)

Since richb has now described some inner workings of MX Team a little bit I now have a better view of the forum "capability". However, NOW you are playing with the big boys (girls?) so expectations of "Customers" (aka Users, aka me) might need to be "altered" a little.

No-one should be taking offense from me because I meant none. Anyway, I'm having a better day now.


PART-5 (Outcomes)

* So given my type of software usage do I NEED to provide access to the keyring thingy (especially when it wasn't needed in the past)?
* Is the poppup and "access" a sole consequence of using "Gnome" - and so should I just change to some other desktop (and remove Gnome components) to be "rid" of that kind of "problem"?
* Some other suggestion?


Regards,
boombaby
You do not have the required permissions to view the files attached to this post.
Last edited by boombaby on Tue Jul 31, 2018 1:16 pm, edited 1 time in total.

User avatar
fehlix
Forum Guide
Forum Guide
Posts: 1156
Joined: Wed Apr 11, 2018 5:09 pm

Re: Gnome keyring bother and managing Services

#13 Post by fehlix » Tue Jul 31, 2018 11:50 am

boombaby wrote:
Tue Jul 31, 2018 4:37 am
* Is the poppup and "access" a sole consequence of using "Gnome" - and so should I just change to some other desktop (and remove Gnome components) to be "rid" of that kind of "problem"?
As you have indicated the password prompt above shows up only when starting/using vivaldi, right? Even if you do not use vivaldi‘s feature to store passwords you are now wondering why you get those prompts.
Well, vivaldi, based on google‘s chromium, does store a lot of confidential data besides password (Login Data) within the vivaldi user-profile. Those are all types of short- and long time cookies, which do hold all of your digital live information you expirienced with this google-based browser, and other data like auto-fill, notes, extension cookies etc.
For some of those data (login data, and might be some more undocumented) vivaldi needs to have access to a protecting encryption/decryption key. This encryption key is stored outside vivaldi.
Even if you do not store passwords, vivaldi needs to be prepared to do so!

So how to get rid of this „Choose password for new keyring“ popup:
If you don‘t give access for vivaldi to save it‘s magic encryption key
you could instruct vivaldi to not encrypt any of your data securely,
by starting vivaldi as such:

Code: Select all

vivaldi --password-store=basic
By this vivaldi would not ask you any longer to creating a new keyring.
To mitigate the non-encrypted security issue a bit you have to make sure to disable
vivaldi‘s internal password store which you can do by open vivaldi’s internal password-manager page:

Code: Select all

chrome://settings/passwords/
or the non-internal password-manager page:

Code: Select all

vivaldi://settings/passwords
To add: The recommendation within the manual or from others within this
forum to create a keyring with an empty password, is actually not what I would recommend from security perspective. By having an unencrypted/unprotected keyring for storing credential information, is effectively the same as storing the password unencrypted. :eek:

Let me know if you seek for other ways of storing password securely, if at all.

Another hint: To reduce uneeded traffic/ from 3rd parties I do recommend
the extension "uBlock Origin", one of the best arround - a kind of "Application Firewall" protecting
you a bit from the "evil" outside, originally build for Firefox but meanwhile available for chromium-based browser too.

Have a nice Day!
fehlix

User avatar
Eadwine Rose
Forum Veteran
Forum Veteran
Posts: 5973
Joined: Wed Jul 12, 2006 2:10 am

Re: Gnome keyring bother and managing Services

#14 Post by Eadwine Rose » Tue Jul 31, 2018 12:10 pm

fehlix wrote:
Tue Jul 31, 2018 11:50 am
To add: The recommendation within the manual or from others within this
forum to create a keyring with an empty password, is actually not what I would recommend from security perspective. By having an unencrypted/unprotected keyring for storing credential information, is effectively the same as storing the password unencrypted. :eek:
What are the actual risks then? That the pass gets found?

First of all someone needs to hack your system to even get in. That will take a lot of effort to do first.

Or someone needs to log into your system to find it.

Most people don't even know how to use this linux system, let alone find stuff on there like the keyring location and such.

I read about giving developers access.. how then? It is not installed on their computer, they can't get into yours. Is it when you upgrade?



Is it REALLY this big of a deal?
I am seriously trying to understand why the fuss, because IMHO if you are cautious enough with the logins and yadda yadda, when is this risk, really?
MX-17.1_x64 Horizon 14-3-2018 * 4.15.0-1-amd64 ext4 Xfce 4.12.3 * AMD Asus M4A785TD-V EVO AM3 * ASUS GF GT640-1GD5-L NVIDIA 384.130 * AMD Proc. Athl II X4 635, sAM3 * HDA ATI SB VT1708S An * 2x4Gb DDR3 1600 Kingst * 22" Samsung SyncM P2250 * HP F2280

User avatar
fehlix
Forum Guide
Forum Guide
Posts: 1156
Joined: Wed Apr 11, 2018 5:09 pm

Re: Gnome keyring bother and managing Services

#15 Post by fehlix » Tue Jul 31, 2018 12:37 pm

Eadwine Rose wrote:
Tue Jul 31, 2018 12:10 pm
fehlix wrote:
Tue Jul 31, 2018 11:50 am
To add: The recommendation within the manual or from others within this
forum to create a keyring with an empty password, is actually not what I would recommend from security perspective. By having an unencrypted/unprotected keyring for storing credential information, is effectively the same as storing the password unencrypted. :eek:
What are the actual risks then? That the pass gets found?
You'r password can easily send out by just running a little script, e.g from autostart,
or other little hacky tricks.
That's it. Not more, not less. :cool:
EDIT: ... and any physical access to you'r drive,
the password are accessible as they are stored unencypted or the encryption key is not protected.

boombaby
Forum Novice
Forum  Novice
Posts: 14
Joined: Fri Jul 27, 2018 1:41 am

Re: Gnome keyring bother and managing Services

#16 Post by boombaby » Tue Jul 31, 2018 1:15 pm


Hello again, fehlix

Thanks for the follow up.

In your earlier post I deduced from your language that you were some foreign dude. Got that wrong. [Not that there's something wrong with foreign dudes. I'M a foreign dude - to some other foreign dude.]

Your most recent post was "university lecture" stuff. Brilliant! I'm totally satisfied with explanations. Now it's up to me to apply your solutions.


[Although solved, I don't usually mark a thread "Solved" for a day or two because other people might want to chip in with something or other. I know that might bump it up a bit, but I still reackon that is a fair outcome for everyone. However, if the "Forum" Team prefers "finality" then just mark it solved now.]


Once again, fehlix, thanks to you and the Team. Solved.
boombaby

User avatar
fehlix
Forum Guide
Forum Guide
Posts: 1156
Joined: Wed Apr 11, 2018 5:09 pm

Re: Gnome keyring bother and managing Services

#17 Post by fehlix » Tue Jul 31, 2018 1:34 pm

boombaby wrote:
Tue Jul 31, 2018 1:15 pm
.. foreign dude.
... Solved.
Please do mark, this thread [Solved] within the subject line of your first post, when you feel to do so.
Thanks.
Aren't we foreigners almost everywhere, somehow?
:puppy:

rej
Forum Regular
Forum Regular
Posts: 149
Joined: Thu Mar 09, 2017 11:11 pm

Re: Gnome keyring bother and managing Services

#18 Post by rej » Wed Aug 01, 2018 5:25 pm

Boombaby -

Mate desktop environment wants that passcode on the keyring and I believe this only occurs if you are set to login automatically.

Here's what I found disables it:

SHORT version:

1. Comment out autologin in the "lightdm.conf" file - save file
2. Open "Passwords and Keys" application
3. Choose login option to change password - leave it blank
4. Log out of desktop and log back in
5. Remove the comment you put in the "lightdm.conf" file - save file
_____________________________________________________
_____________________________________________________
(online links at the bottom)

Details:

Login set to "auto-login" has to be temporarily disabled before you make the adjustment or it won't do it. [You reset it to auto-login after you are done making the change later.] If you are new to using the Terminal or Nano, the following will be the most difficult part of it. If you can "edit as root through a filer [Caja? Dolphin? Thunar?] - much easier, but be careful!

[If you still have the Xfce desktop installed after installing Mate, Thunar is easy to root edit - select in the Thunar file menu "open root thunar here" when you select the "lightdm" directory. Caja (needs caja-gksu installed - get it from Synaptic Package Manager in Control Center or if you still have "Application finder" from Xfce installed, look in there) - right click file and select in the menu "Open as adminstrator"]
--------
In Terminal:

sudo nano /etc/lightdm/lightdm.conf

or

Edit the (/etc/lightdm/lightdm.conf) file in your file manager by editing as "root" after selecting the "lightdm" directory and opening the "lightdm.conf" file.

I find the latter easier. Nano is probably safer though.
-------------------------------
Under the heading:
[SeatDefaults]
-------
Insert a comment [#] in front of the auto-login line below [this will disable autologin]:

autologin-user=[your login name will be already here...]

(example: #autologin-user=[your login name will be already here...])
--
Save the file
--------------
Next - Log out of your desktop session and log back in.
-------------
Next - In your applications menu, go to "Passwords and Keys (Seahorse if you are using the Terminal)

In Menu - Login option will appear

Put in password leave new password blank - click (there will be a warning regarding security risk).

Then go back to lightdm and uncomment autologin. Save file.

The keyring popup request should now be gone. I think this will disable it in all your applications, including Skype and all other browsers that use it. If it does show up just hit enter with the password blank and it should not return again.

NOTE: Attempting to disable Automatic Login from "User Manager" or disabling Gnome keyring in "Startup Programs" did not work. The "lightdm.conf" file has to be manually edited in root for the "Passwords and Keys"-"login option" to appear in the menu.

After you have reset your autologin, if you choose to manually log out of your session, you will still be asked for your password to log back in, but when you boot, it will automatically log in if that is what you choose.

It is not clear to me as to what you are actually asking for, but if you want to disable the keyring popup altogether, this worked in Mate desktop environment for me. Backup your system or make a snapshot if you are new to this kind of editing.

I assume this would be reversible if you later change your mind and want to add a password, however, I have never tried it and someone else would have to advise you on that.

Fehlix & Eadwine Rose have provided information regarding the browser security issues with leaving the keyring password blank and
NOTE: this may not be a good option for you if you prefer to disable the keyring password in one application or browser, only.

Apologies for the length of this and repetitive details, as I am hesitant to suggest the disabling any type of security, especially since I do not know what other protection you have in place - such as browser extensions (ublock origin, adblockplus,etc., whether you allow browsers to store your passwords, sandboxing, firewall, router configuration or if you have a patched kernel, practice safe browsing, install regular updates, run an antivirus, who has physical access to your PC, etc., just sharing what worked for me when I tried out Mate.
_____________________________________________________
_____________________________________________________
Online links to information:

https://askubuntu.com/questions/106428/ ... in-lightdm

https://forums.linuxmint.com/viewtopic.php?t=220091

https://www.systutorials.com/240997/how ... -password/

boombaby
Forum Novice
Forum  Novice
Posts: 14
Joined: Fri Jul 27, 2018 1:41 am

Re: Gnome keyring bother and managing Services

#19 Post by boombaby » Wed Aug 01, 2018 11:48 pm


Hello, rej

I just did a quick scan of your post.

It seems it all stems from the premise that I have my system set to autologin. I do not.

Nevertheless, very interesting stuff. Since it is long and complex (good stuff) I will take a bit of time to analyse it - and report back. It still might apply.

Yes; I have xfce still installed, but not used. I was sticking with MATE. However, I thought it was possible to choose a desktop environment at will - once they are both/any installed. I also thought a User could choose between them with no (or few) disruptive interplay "issues" because Linux is designed to work that way. ("Older" Linux only?)

Anyway I will read your info, try stuff, and get back to you a little later. I am not you classic, dive-in-up-to-elbows, CLI, got-it-all-in-my-head, dream-about-man-pages-every-night, type of Linux "nerd". ( No offence meant - at all - to the GREAT work being acheived by the Aforementioned.) I love youz all! Oops; where did THAT come from?]

Regards,
boombaby

Post Reply

Return to “Software / Configuration”