[Bug 421603] New: Add gnome-keyring support to /etc/pam.d/passwd
https://bugzilla.novell.com/show_bug.cgi?id=421603
Summary: Add gnome-keyring support to /etc/pam.d/passwd
Product: openSUSE 11.1
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: vuntz@novell.com
QAContact: qa@suse.de
Found By: ---

According to http://live.gnome.org/GnomeKeyring/Pam, it's possible to integrate the GNOME keyring with password changes: "When the user changes their password, the PAM module changes the password of the 'login' keyring to match."

It'd be useful to have this enabled by default. This just means adding the following line to /etc/pam.d/passwd:

    password optional pam_gnome_keyring.so

I don't know enough about pam, but the "optional" might make this work even if this pam module isn't available?

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Robert Vojcik <rvojcik@novell.com> changed:
AssignedTo: bnc-team-screening@forge.provo.novell.com -> bnc-team-gnome@forge.provo.novell.com
--- Comment #1 from Vincent Untz <vuntz@novell.com> 2008-09-15 14:38:13 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c1

FWIW, I think it should be assigned to the maintainer of pwdutils since this file is shipped by this package. It's bad to have a GNOME package modify the file.
--- Comment #2 from JP Rosevear <jpr@novell.com> 2008-09-18 14:01:01 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c2
JP Rosevear <jpr@novell.com> changed:
AssignedTo: bnc-team-gnome@forge.provo.novell.com -> kukuk@novell.com

Thorsten, what do you think?
--- Comment #3 from JP Rosevear <jpr@novell.com> 2008-09-18 14:01:23 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c3
JP Rosevear <jpr@novell.com> changed:
Status: NEW -> NEEDINFO
Info Provider: (none) -> kukuk@novell.com

Actually need info
--- Comment #4 from Thorsten Kukuk <kukuk@novell.com> 2008-09-18 15:12:00 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c4
Thorsten Kukuk <kukuk@novell.com> changed:
CC: (none) -> kukuk@novell.com
AssignedTo: kukuk@novell.com -> bnc-team-gnome@forge.provo.novell.com
Status: NEEDINFO -> NEW
Info Provider: kukuk@novell.com -> (none)

Adding it by default is not possible, since GNOME is not the default desktop on all products and doesn't need to be installed at all. If so, then somebody has to add support for it to pam-config (if not already done), and the pam_gnome_keyring package can enable it at install time. That's the policy for PAM modules not in the minimal base system.
Vincent Untz <vuntz@novell.com> changed:
Summary: "Add gnome-keyring support to /etc/pam.d/passwd" -> "Use pam-config in gnome-keyring package (for /etc/pam.d/passwd)"
JP Rosevear <jpr@novell.com> changed:
AssignedTo: bnc-team-gnome@forge.provo.novell.com -> vuntz@novell.com
Priority: P5 - None -> P2 - High
--- Comment #5 from Vincent Untz <vuntz@novell.com> 2008-10-30 11:12:36 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c5

(In reply to comment #4 from Thorsten Kukuk)
> If so, then somebody has to add support for it to pam-config (if not already done), and the pam_gnome_keyring package can enable it at install time. That's the policy for PAM modules not in the minimal base system.

I'm looking at this right now, and since I'm no expert in pam, some help would be welcome :-)

I guess "password optional pam_gnome_keyring.so" only makes sense in /etc/pam.d/passwd and not in /etc/pam.d/common-password (since it's used when updating a password). Am I right?

Also, do you think it makes sense to stop hard-coding the pam_gnome_keyring.so in /etc/pam.d/gdm and also use pam-config there? If yes, we probably need to be able to add different lines to a file, depending on what we want to do. Is it fine to use pam-config options like --gnome-keyring-auth, --gnome-keyring-session, --gnome-keyring-password to define what to put (as opposed to "to define options for the pam module that will appear on the line we write")?
--- Comment #6 from Vincent Untz <vuntz@novell.com> 2008-10-30 11:13:33 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c6

(hrm, actually, we don't hardcode stuff in gdm, we do a bad hack with sed in gnome-keyring-pam...)
--- Comment #7 from Vincent Untz <vuntz@novell.com> 2008-10-30 22:12:31 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c7
Vincent Untz <vuntz@novell.com> changed:
Depends on: (none) -> 440448

Okay, I've made a patch in bug 440448. If it gets accepted, we'll have to change the gnome-keyring spec file to support it -- the list of pam config we should support is passwd, gdm, gnome-screensaver, gnome-passwd (afaik).
--- Comment #8 from Thorsten Kukuk <kukuk@novell.com> 2008-10-31 00:17:18 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c8

(In reply to comment #5 from Vincent Untz)
> I'm looking at this right now, and since I'm no expert in pam, some help would be welcome :-)
> I guess "password optional pam_gnome_keyring.so" only makes sense in /etc/pam.d/passwd and not in /etc/pam.d/common-password (since it's used when updating a password). Am I right?

This is not correct. What happens if you change your password at login time, because you are required by policies to do so? Then pam_gnome_keyring will not see it. pam_gnome_keyring.so clearly needs to be added to /etc/pam.d/common-password, so that it will be called every time a password is changed.
--- Comment #9 from Thorsten Kukuk <kukuk@novell.com> 2008-10-31 00:22:54 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c9

(In reply to comment #7 from Vincent Untz)
> Okay, I've made a patch in bug 440448. If it gets accepted, we'll have to change the gnome-keyring spec file to support it -- the list of pam config we should support is passwd, gdm, gnome-screensaver, gnome-passwd (afaik).

Hm, why only this limited number of applications? Why shouldn't we support xdm, kdm, login, ...? I don't know enough about gnome-keyring, but I think this is something for the /etc/pam.d/common-* files, so that every application you log in with will set the keyring. The description on that gnome webpage is very GNOME centric and assumes nobody will ever use other tools; this doesn't look correct to me.
--- Comment #10 from Vincent Untz <vuntz@novell.com> 2008-10-31 00:43:56 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c10

(In reply to comment #8 from Thorsten Kukuk)
> (In reply to comment #5 from Vincent Untz)
> This is not correct. What happens if you change your password at login time, because you are required by policies to do so? Then pam_gnome_keyring will not see it.
> pam_gnome_keyring.so clearly needs to be added to /etc/pam.d/common-password, so that it will be called every time a password is changed.

Okay, sounds sensible, indeed. (this of course means my patch for pam-config is wrong ;-))

(In reply to comment #9 from Thorsten Kukuk)
> Hm, why only this limited number of applications? Why shouldn't we support xdm, kdm, login, ...?
> I don't know enough about gnome-keyring, but I think this is something for the /etc/pam.d/common-* files, so that every application you log in with will set the keyring. The description on that gnome webpage is very GNOME centric and assumes nobody will ever use other tools; this doesn't look correct to me.

The thing is that someone logging in to KDE probably doesn't want gnome-keyring to be spawned. (On the other hand, this argument is a bit flawed since you can log in to KDE with gdm, and the user would just have to uninstall gnome-keyring-pam). A better example would be the console: I'm not sure gnome-keyring can really be useful there, at least for now. But I guess it makes sense in most cases, so I'll trust you here again. (I guess the wiki page was written with a "here's the minimum you want to do if you want a good integration for GNOME" mindset)

Thanks for the feedback!
--- Comment #11 from Thorsten Kukuk <kukuk@novell.com> 2008-10-31 01:03:09 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c11

(In reply to comment #10 from Vincent Untz)
> (In reply to comment #9 from Thorsten Kukuk)
> > Hm, why only this limited number of applications? Why shouldn't we support xdm, kdm, login, ...?
> > I don't know enough about gnome-keyring, but I think this is something for the /etc/pam.d/common-* files, so that every application you log in with will set the keyring. The description on that gnome webpage is very GNOME centric and assumes nobody will ever use other tools; this doesn't look correct to me.
> The thing is that someone logging in to KDE probably doesn't want gnome-keyring to be spawned. (On the other hand, this argument is a bit flawed since you can log in to KDE with gdm, and the user would just have to uninstall gnome-keyring-pam).

Hm, then I misunderstood the webpage. My understanding was that pam_gnome_keyring does nothing if no gnome-keyring daemon is running. If this is correct, we can add it to the common-* files. If this assumption is wrong, then of course we can only add it to gdm and other gnome applications.
--- Comment #12 from Thorsten Kukuk <kukuk@novell.com> 2008-10-31 01:04:48 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c12

When I'm in the office in about 2 hours, I will look at the sources to see if we can add it to common-* or if we can only add it to selected PAM config files. Adding a module to common-password and some single PAM config files: I never tried this with pam-config, could be pretty hard to implement.
--- Comment #13 from Vincent Untz <vuntz@novell.com> 2008-10-31 01:20:18 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c13

(In reply to comment #11 from Thorsten Kukuk)
> Hm, then I misunderstood the webpage. My understanding was that pam_gnome_keyring does nothing if no gnome-keyring daemon is running.

When you use the auto_start option, gnome-keyring will be spawned. So putting it in common-auth won't harm (we probably don't want to use auto_start here -- it really makes sense for session only), and putting it in common-password makes sense as you mentioned (it will always start the daemon if it doesn't run in this case; I've filed a bug upstream to stop the daemon too).

So the main question is for the session case. Putting it in common-session without auto_start looks useless. So we'd be back to adding it to gdm only.

Looking at the pam-config code, I guess we can detect the case when we're called for common-* and the case when we're called for a single config file: just look if op == -1 and fp == NULL for the latter.
--- Comment #14 from Thorsten Kukuk <kukuk@novell.com> 2008-10-31 03:05:50 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c14

(In reply to comment #13 from Vincent Untz)
> When you use the auto_start option, gnome-keyring will be spawned. So putting it in common-auth won't harm (we probably don't want to use auto_start here -- it really makes sense for session only), and putting it in common-password makes sense as you mentioned (it will always start the daemon if it doesn't run in this case; I've filed a bug upstream to stop the daemon too).
> So the main question is for the session case. Putting it in common-session without auto_start looks useless. So we'd be back to adding it to gdm only.

So, my suggestion:

For auth/session: Introduce auto_start_if=<service1,service2,..> and spawn gnome-keyring only if called by one of the listed services. I can do that in the next days.

For password: I think it should never spawn gnome-keyring, I don't see a case where this should be necessary. At least it should have the same behavior as auth and session: not by default, only with auto_start.

Do you think we would get these patches upstream?
--- Comment #15 from Thorsten Kukuk <kukuk@novell.com> 2008-10-31 03:12:49 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c15

I took a look at the pam module, terrible. They are doing a lot of things wrong. Will create patches later today.
--- Comment #16 from Vincent Untz <vuntz@novell.com> 2008-10-31 09:08:10 MDT ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c16

(In reply to comment #14 from Thorsten Kukuk)
> So, my suggestion:
> For auth/session: Introduce auto_start_if=<service1,service2,..> and spawn gnome-keyring only if called by one of the listed services. I can do that in the next days.

This would be an option for the pam module? Fine by me. (I'm mostly blindly agreeing with you here anyway ;-))

> For password: I think it should never spawn gnome-keyring, I don't see a case where this should be necessary. At least it should have the same behavior as auth and session: not by default, only with auto_start.

Well, it needs to start gnome-keyring so that the password on the keyring can actually be changed. But the process should be stopped after that (or the pam module could possibly do the change itself, but I guess this wasn't done this way for a reason).

> Do you think we would get these patches upstream?

Sure. I can help with that.
--- Comment #17 from Thorsten Kukuk <kukuk@novell.com> 2008-11-05 06:46:37 MST ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c17

Created an attachment (id=250000): gnome-keyring-2.24.1.dif
https://bugzilla.novell.com/attachment.cgi?id=250000

Patch which introduces auto_start_if=<service>,... and kills the daemon on password change, if no auto_start option was given and if we started it. This patch has only been tested to the extent that it compiles, and no docu was adjusted. This means it needs testing. But this should be the way to go to allow adding it with pam-config to the /etc/pam.d/common-* files.
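The following is an added example for this thread; it is not code from the bug, from gnome-keyring or from pam-config. It is a small checker that resolves a service's PAM stacks through its include lines and reports where pam_gnome_keyring.so would be called, to illustrate two points made above: comment #8 (the module has to sit in common-password so that a forced password change at login also reaches the keyring, rather than only in passwd) and comments #14 and #17 (auth/session spawn the daemon only with auto_start or a matching auto_start_if=<service,...>, and a daemon started during the password phase is stopped again unless auto_start was given). The /etc/pam.d contents, the service names and the auto-start decision rules are constructed assumptions for this example; they are not taken from the attached patch, and the real module's behaviour may differ.

```python
import re
from collections import namedtuple

KEYRING = "pam_gnome_keyring.so"
Entry = namedtuple("Entry", "kind control module args")

# Constructed sample /etc/pam.d files. The common-* include layout follows
# openSUSE's convention; every line here is invented for this example.
PAMD = {
    "common-auth": """
auth     required   pam_env.so
auth     optional   pam_gnome_keyring.so
auth     required   pam_unix2.so
""",
    "common-password": """
password requisite  pam_pwcheck.so nullok
password optional   pam_gnome_keyring.so use_authtok
password required   pam_unix2.so nullok use_authtok
""",
    "common-session": """
session  required   pam_limits.so
session  required   pam_unix2.so
session  optional   pam_gnome_keyring.so auto_start_if=gdm,xdm
""",
    "gdm": """
auth     include    common-auth
password include    common-password
session  include    common-session
""",
    # A login service whose password stack bypasses common-password: a forced
    # password change through it never reaches the keyring (comment #8).
    "legacy-login": """
auth     include    common-auth
password required   pam_unix2.so nullok
session  include    common-session
""",
}

# type, control (a word or a [bracketed] list), module, arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Parse one pam.d file, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable pam.d line: {raw!r}")
        kind, control, module, args = m.groups()
        entries.append(Entry(kind, control, module, args.split()))
    return entries

def resolve(service, pamd=PAMD, depth=0):
    """Flatten include/substack lines the way libpam does: 'auth include X'
    pulls in only the auth lines of X."""
    if depth > 8:
        raise RecursionError(f"include loop while resolving {service}")
    out = []
    for e in parse(pamd[service]):
        if e.control in ("include", "substack"):
            out.extend(x for x in resolve(e.module, pamd, depth + 1)
                       if x.kind == e.kind)
        else:
            out.append(e)
    return out

def keyring_entries(service, pamd=PAMD):
    """Every stack of a service in which pam_gnome_keyring.so is called."""
    return [e for e in resolve(service, pamd) if e.module == KEYRING]

def daemon_policy(service, entry):
    """Fate of the daemon for one keyring entry under the rules proposed in
    comments #14 and #17 (assumed here, not verified against the patch):
    auth/session spawn one only with auto_start or a matching auto_start_if=;
    the password phase may start one but stops it unless auto_start was given."""
    if "auto_start" in entry.args:
        return "persistent"
    for arg in entry.args:
        if (arg.startswith("auto_start_if=")
                and service in arg.split("=", 1)[1].split(",")):
            return "persistent"
    return "temporary" if entry.kind == "password" else "none"

def check_password_stack(service, pamd=PAMD):
    """Problems with the keyring's place in a service's password stack."""
    problems = []
    keyring = [e for e in resolve(service, pamd)
               if e.kind == "password" and e.module == KEYRING]
    if not keyring:
        problems.append(f"{service}: {KEYRING} absent from the password stack; "
                        "a forced password change here leaves the login keyring stale")
    for e in keyring:
        if e.control != "optional":
            problems.append(f"{service}: {KEYRING} is '{e.control}', should be optional "
                            "so a missing module or daemon cannot block password changes")
    return problems
```

With the sample files, gdm ends up with the module in all three of its auth, password and session stacks, and only the session entry spawns a lasting daemon because gdm is listed in auto_start_if; the same common-session line gives "none" for legacy-login. The legacy-login service is flagged by check_password_stack because its password stack never reaches common-password, which is exactly the case comment #8 describes.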
Bug 421603 depends on bug 440448, which changed state.
Bug 440448 Summary: Add gnome-keyring support to pam-config
https://bugzilla.novell.com/show_bug.cgi?id=440448
Status: NEW -> RESOLVED
Resolution: (none) -> FIXED
--- Comment #18 from Vincent Untz <vuntz@novell.com> 2008-11-08 18:52:38 MST ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c18
Vincent Untz <vuntz@novell.com> changed:
URL: (none) -> http://bugzilla.gnome.org/show_bug.cgi?id=559781
Keywords: (none) -> should_go_upstream

I split your patch in two and rewrote some parts of it so that it follows the same code style as the one used in gnome-keyring, and I've sent the patches upstream:
http://bugzilla.gnome.org/show_bug.cgi?id=558636
http://bugzilla.gnome.org/show_bug.cgi?id=559781

I tested all this a bit, and it seems to work fine. It's submitted to oS:F (#3619). I need to get the latest pam-config package to finish this, will do it tomorrow.
Vincent Untz <vuntz@novell.com> changed:
Depends on: (none) -> 443189
Bug 421603 depends on bug 443189, which changed state.
Bug 443189 Summary: Fix gnome-keyring support in pam-config
https://bugzilla.novell.com/show_bug.cgi?id=443189
Status: NEW -> RESOLVED
Resolution: (none) -> FIXED
--- Comment #19 from Vincent Untz <vuntz@novell.com> 2008-11-12 05:04:41 MST ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c19

Blocking on http://bugzilla.gnome.org/show_bug.cgi?id=560488 now. It's really too late to implement this for openSUSE 11.1, so I'll stop now. If we want this for SLE, tell me and I'll give it a try.
--- Comment #20 from Vincent Untz <vuntz@novell.com> 2009-02-18 16:46:35 MST ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c20
Vincent Untz <vuntz@novell.com> changed:
Depends on: (none) -> 477488

Talked with upstream quite a bit. And I filed bug 477488 to improve pam-config to do the right thing for us here.
--- Comment #21 from Vincent Untz <vuntz@novell.com> 2009-02-18 21:08:43 MST ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c21
Vincent Untz <vuntz@novell.com> changed:
Depends on: 477488 -> (none)

Actually, I moved to pam-config even now, by including a patch that will make things work okay in most cases (except for the password case, where we still need bug 477488 -- but it's still an improvement compared to before, since we didn't have anything to update the keyring password before). (removing bug from the blocker list, since I can't close the bug this way...)
--- Comment #22 from Vincent Untz <vuntz@novell.com> 2009-02-18 21:09:15 MST ---
https://bugzilla.novell.com/show_bug.cgi?id=421603#c22
Vincent Untz <vuntz@novell.com> changed:
Status: NEW -> RESOLVED
Resolution: (none) -> FIXED

and really closing.