Gnome-keyring - unlocked

fehlix
Developer
Posts: 10275
Joined: Wed Apr 11, 2018 5:09 pm

Gnome-keyring - unlocked

#1 Post by fehlix »

Gnome-keyring - unlocked
Enable secure password store with gnome-keyring to avoid keyring prompt

Gnome-keyring’s default password-stores used by different apps like Chrome/Chromium and others can be set up in such a way that they automatically get unlocked during session login.
Within MX Linux we are already prepared to enable and use this auto-unlock feature provided by the Pluggable Authentication Modules (PAM) mechanism:
After the user enters the login password the pam-library will unlock the login-keyring managed by the gnome-keyring subprocess. To turn PAM on we have only to install the package libpam-gnome-keyring. Use either MX Package Installer, Synaptic or the CLI to install the package:

sudo apt-get install libpam-gnome-keyring 
After logout and login, open “Password and Keys” to verify that the newly created Login-keyring is automatically unlocked.

Only one keyring : Login keyring
If no other password-store keyring is already in use the Login-keyring will also become the default password-store keyring.
Right click on the Login-keyring to verify / set it to default password store.
1_kr-login-empty.png
When you open an application which needs to save/fetch its credentials into/from the default password-store keyring, the keyring to store passwords will be used.
E.g. open Chromium and you’ll see that Chromium's internal encryption keys get stored within the default (login) keyring:
2_kr-login-default.png
Default keyring already exists
If you already have a password-store “Default keyring” in use by Chromium, which holds your passwords and Chromium's internal encryption keys, you can secure this keyring with a password and automatically unlock the keyring on application request by means of the PAM-Login-keyring mechanism.

To secure and enable auto-unlock of existing “Default keyring” used by chromium (or any other app):
- close Chromium
- open “Password and Keys”
- right click on your existing password store “Default keyring” → set default
- right click on “Default keyring” to verify or change existing password
Now the trick:
- right click on your existing “Default keyring” password store → Lock
And now - this is important:
- right click again on your existing “Default keyring” password store → Unlock
→ Click on “Automatically unlock this keyring whenever I’m logged in”
and enter the password of your “Default keyring”.

Log out, log in and verify with “Password and Keys” that your login-keyring is unlocked
and your “Default keyring” is still locked.
3-kr-log-def-locked.png
Now open Chromium and verify that the “Default keyring”
used by Chromium gets automatically unlocked.
4-ld-unlocked.png
Attached the above as PDF-file.

--fehlix
on behalf of MX Linux community
Gigabyte Z77M-D3H, Intel Xeon E3-1240 V2 (Quad core), 32GB RAM,
GeForce GTX 770, Samsung SSD 850 EVO 500GB, Seagate Barracuda 4TB
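
Added example, not part of fehlix's post: a shell check that the PAM hook the guide relies on is actually active after installing libpam-gnome-keyring. It assumes the Debian-style files /etc/pam.d/common-auth and /etc/pam.d/common-session and the module's auto_start session argument; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): check that the PAM stack
# hands the login password to gnome-keyring so the login keyring unlocks.
# Assumption: Debian-style common-auth / common-session files.

# pam_has_keyring TYPE [ARG] < pam-file
# Succeeds if an active line of TYPE (auth, session, password) loads
# pam_gnome_keyring.so and, when ARG is given, passes that module argument.
pam_has_keyring() {
    awk -v type="$1" -v arg="$2" '
        /^[ \t]*#/ { next }                       # ignore commented-out lines
        $1 == type || $1 == ("-" type) {          # "-type" is the quiet form
            # The control field may be "[a=b c=d]", so scan instead of using $3.
            for (i = 3; i <= NF; i++) {
                if ($i !~ /(^|\/)pam_gnome_keyring\.so$/) continue
                if (arg == "") found = 1
                for (j = i + 1; j <= NF; j++) if ($j == arg) found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# audit_pam_dir [DIR]: report both hooks; returns 0 only if both are present.
audit_pam_dir() {
    dir="${1:-/etc/pam.d}"
    rc=0
    if pam_has_keyring auth < "$dir/common-auth"; then
        echo "auth:    ok, login password is passed to pam_gnome_keyring.so"
    else
        echo "auth:    MISSING, the login keyring will not be auto-unlocked"
        rc=1
    fi
    if pam_has_keyring session auto_start < "$dir/common-session"; then
        echo "session: ok, pam_gnome_keyring.so auto_start is active"
    else
        echo "session: MISSING, no pam_gnome_keyring.so auto_start line"
        rc=1
    fi
    return "$rc"
}

# Audit the live system only when a directory is named on the command line.
if [ $# -gt 0 ]; then audit_pam_dir "$1"; fi
```
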

dreamer
Posts: 738
Joined: Sun Oct 15, 2017 11:34 am

Re: Gnome-keyring - unlocked

#2 Post by dreamer »

Thanks for your guide, fehlix.
This is something I don't understand. In Ubuntu 14.04 (still supported) gnome-keyring is installed. I have never been asked to create a password.

Not by:
Networkmanager
Evolution
Skype
Chrome
or any other application.

gnome-keyring is wonderfully unintrusive in Ubuntu. It is running in taskmanager (sleeping). It is marked in start-up manager with this command:
/usr/bin/gnome-keyring-daemon --start --components=secrets

EDIT: I found one more start-up entry/command:
/usr/bin/gnome-keyring-daemon --start --components=gpg

Why is gnome-keyring so silent in Ubuntu and so intrusive in MX Linux?
Last edited by dreamer on Wed Sep 12, 2018 6:14 pm, edited 1 time in total.

fehlix
Developer
Posts: 10275
Joined: Wed Apr 11, 2018 5:09 pm

Re: Gnome-keyring - unlocked

#3 Post by fehlix »

Don't know. But Chromium changed recently something forcing user to use gnome-keyring mainly to store their internal encryption key, which are used to "secure" all "sensible" collected (user-)data (aka cookies and DOM-cookies), even if you don't save any passwords.

dreamer
Posts: 738
Joined: Sun Oct 15, 2017 11:34 am

Re: Gnome-keyring - unlocked

#4 Post by dreamer »

fehlix wrote: Wed Sep 12, 2018 6:10 pm Don't know. But Chromium changed recently something forcing user to use gnome-keyring mainly to store their internal encryption key, which are used to "secure" all "sensible" collected (user-)data (aka cookies and DOM-cookies), even if you don't save any passwords.
Weird. What does Chromium use on Windows? Also, do the Antix guys ship gnome-keyring?
The Password and Keys application is dangerous. It shows my Hotmail password in plain text and I don't even need root to launch it.

fehlix
Developer
Posts: 10275
Joined: Wed Apr 11, 2018 5:09 pm

Re: Gnome-keyring - unlocked

#5 Post by fehlix »

dreamer wrote: Wed Sep 12, 2018 5:58 pm /usr/bin/gnome-keyring-daemon --start --components=secrets
EDIT: I found one more start-up entry/command:
/usr/bin/gnome-keyring-daemon --start --components=gpg
It's not started in MX Linux, as it was never used intensively as elsewhere.
With PAM enabled, it will make sure you don't have to reenter passwords to unlock.
The components=gpg is useful, if you intend to use gpg signing and encryption e.g. with
Thunderbird or other emailers.
So I assume in other Linux OS's, the usage might be more intensive.
You might check with Seahorse (= "Passwords and Keys") to see what they do save with gnome-keyring.

fehlix
Developer
Posts: 10275
Joined: Wed Apr 11, 2018 5:09 pm

Re: Gnome-keyring - unlocked

#6 Post by fehlix »

dreamer wrote: Wed Sep 12, 2018 6:22 pm
fehlix wrote: Wed Sep 12, 2018 6:10 pm Don't know. But Chromium changed recently something forcing user to use gnome-keyring mainly to store their internal encryption key, which are used to "secure" all "sensible" collected (user-)data (aka cookies and DOM-cookies), even if you don't save any passwords.
Weird. What does Chromium use on Windows? Also, do the Antix guys ship gnome-keyring?
The Password and Keys application is dangerous. It shows my Hotmail password in plain text and I don't even need root to launch it.
Well, if you setup to store passwords automatically, it's your decision!

fehlix
Developer
Posts: 10275
Joined: Wed Apr 11, 2018 5:09 pm

Re: Gnome-keyring - unlocked

#7 Post by fehlix »

dreamer wrote: Wed Sep 12, 2018 6:22 pm Weird. What does Chromium use on Windows? Also, do the Antix guys ship gnome-keyring?
If you use Chromium, recent versions force you to store the internal encryption keys, otherwise you might get functional issues. Chromium offers three options to use as password-store "kwallet", "gnome-keyring" or "basic" ="plaintext".
I.e. if you don't have kwallet or gnome-keyring, Chromium would save its internal encryption key and any passwords, in a "cleartext" level :eek:

clicktician
Posts: 136
Joined: Sat May 02, 2015 4:35 pm

Re: Gnome-keyring - unlocked

#8 Post by clicktician »

dreamer wrote: Wed Sep 12, 2018 5:58 pm Thanks for your guide, fehlix.
This is something I don't understand. In Ubuntu 14.04 (still supported) gnome-keyring is installed. I have never been asked to create a password.

Not by:
Networkmanager
Evolution
Skype
Chrome
or any other application.
Opera on Ubuntu 14.04 will prompt you to set up your gnome-keyring. And it will ask you to unlock that keyring once in the login session in which it is started.
Now, I don't know if that's just a bug in Opera, or if it is one of the few apps using the keyring as it was intended. Lol. <shrug> It's anyone's guess.
Son, someday all this will belong to your ex wife.

fehlix
Developer
Posts: 10275
Joined: Wed Apr 11, 2018 5:09 pm

Re: Gnome-keyring - unlocked

#9 Post by fehlix »

clicktician wrote: Wed Sep 12, 2018 6:41 pm Opera on Ubuntu 14.04 will prompt you to set up your gnome-keyring. And it will ask you to unlock that keyring once in the login session in which it is started.
Now, I don't know if that's just a bug in Opera, or if it is one of the few apps using the keyring as it was intended. Lol. <shrug> It's anyone's guess.
With the described auto-unlock PAM technique above, you can have Opera's keyring auto-unlock with the help of the Login-keyring. It's the identical procedure as described for Chromium above.

dreamer
Posts: 738
Joined: Sun Oct 15, 2017 11:34 am

Re: Gnome-keyring - unlocked

#10 Post by dreamer »

fehlix wrote: Wed Sep 12, 2018 6:33 pm
dreamer wrote: Wed Sep 12, 2018 6:22 pm Weird. What does Chromium use on Windows? Also, do the Antix guys ship gnome-keyring?
If you use Chromium, recent versions force you to store the internal encryption keys, otherwise you might get functional issues. Chromium offers three options to use as password-store "kwallet", "gnome-keyring" or "basic" ="plaintext".
I.e. if you don't have kwallet or gnome-keyring, Chromium would save its internal encryption key and any passwords, in a "cleartext" level :eek:
I just launched latest Chrome on Ubuntu 14.04 and no demand for keyring password. Maybe it's a Chromium thing...
However, I launched Seahorse (Password and Keys) on Ubuntu and there were entries for both Chrome and Evolution so it must have added them by itself. At least it didn't bother the user to come up with a password. No user should have to deal with gnome-keyring, that's just annoying.
With the described auto-unlock PAM technique above, you can have Opera's keyring auto-unlock with the help of the Login-keyring. It's the identical procedure as described for Chromium above.
That should be standard. We have a login password to protect our accounts. If some applications want to use gnome-keyring let them do it and if the user wants to set a password then Seahorse is a good place to do that. But giving the user a keyring prompt at first launch is the wrong way that may scare away users. Ubuntu does it right, you don't have to deal with gnome-keyring if you don't want to. I didn't even know it was there.

The Evolution thing is annoying, storing my Hotmail password in plain text on both Ubuntu and MX Linux. I can't use it if it insists to store my password in plain text. I have an older version of FossaMail set up. It has a launch password (not keyring related) and I have also gone through the account settings. Not anywhere can I find my Hotmail password so FossaMail seems more secure.
