[Bug 421603] New: Add gnome-keyring support to /etc/pam.d/passwd
https://bugzilla.novell.com/show_bug.cgi?id=421603
Summary: Add gnome-keyring support to /etc/pam.d/passwd
Product: openSUSE 11.1
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: vuntz@novell.com
QAContact: qa@suse.de
Found By: ---

According to http://live.gnome.org/GnomeKeyring/Pam, it's possible to integrate the GNOME keyring with password changes: "When the user changes their password, the PAM module changes the password of the 'login' keyring to match."

It'd be useful to have this enabled by default. This just means adding the following line to /etc/pam.d/passwd:

password optional pam_gnome_keyring.so

I don't know enough about pam, but the "optional" might make this work even if this pam module isn't available?

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=421603#c1
--- Comment #1 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=421603#c2
--- Comment #2 from JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=421603#c3
--- Comment #3 from JP Rosevear
https://bugzilla.novell.com/show_bug.cgi?id=421603#c4
--- Comment #4 from Thorsten Kukuk
https://bugzilla.novell.com/show_bug.cgi?id=421603#c5
--- Comment #5 from Vincent Untz
> If, then somebody has to add support for it to pam-config (if not already done) and pam_gnome_keyring package can enable it at install time. That's the policy for PAM modules not in the minimal base system.

I'm looking at this right now, and since I'm no expert in pam, some help would be welcome :-)

I guess "password optional pam_gnome_keyring.so" only makes sense in /etc/pam.d/passwd and not in /etc/pam.d/common-password (since it's used when updating a password). Am I right?

Also, do you think it makes sense to stop hard-coding the pam_gnome_keyring.so in /etc/pam.d/gdm and also use pam-config there? If yes, we probably need to be able to add different lines to a file, depending on what we want to do. Is it fine to use pam-config options like --gnome-keyring-auth, --gnome-keyring-session, --gnome-keyring-password to define what to put (as opposed to "to define options for the pam module that will appear on the line we write")?
https://bugzilla.novell.com/show_bug.cgi?id=421603#c6
--- Comment #6 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=421603#c7
--- Comment #7 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=421603#c8
--- Comment #8 from Thorsten Kukuk
> I'm looking at this right now, and since I'm no expert in pam, some help would be welcome :-)
> I guess "password optional pam_gnome_keyring.so" only makes sense in /etc/pam.d/passwd and not in /etc/pam.d/common-password (since it's used when updating a password). Am I right?

This is not correct. What happens if you change your password at login time, because you are required by policies to do so? Then pam_gnome_keyring will not see it. pam_gnome_keyring.so clearly needs to be added to /etc/pam.d/common-password, so that it will be called every time a password is changed.
https://bugzilla.novell.com/show_bug.cgi?id=421603#c9
--- Comment #9 from Thorsten Kukuk
> Okay, I've made a patch in bug 440448. If it gets accepted, we'll have to change the gnome-keyring spec file to support it -- the list of pam config we should support is passwd, gdm, gnome-screensaver, gnome-passwd (afaik).

Hm, why only this limited number of applications? Why shouldn't we support xdm, kdm, login, ...? I don't know enough about gnome-keyring, but I think this is something for /etc/pam.d/common-* files, so that every application you log in with will set the keyring. The description on that gnome webpage is very GNOME centric and assumes nobody will ever use other tools; this doesn't look correct to me.
https://bugzilla.novell.com/show_bug.cgi?id=421603#c10
--- Comment #10 from Vincent Untz
> (In reply to comment #5 from Vincent Untz)
> This is not correct. What happens if you change your password at login time, because you are required by policies to do so? Then pam_gnome_keyring will not see it.
> pam_gnome_keyring.so clearly needs to be added to /etc/pam.d/common-password, so that it will be called every time a password is changed.

Okay, sounds sensible, indeed. (this of course means my patch for pam-config is wrong ;-))

(In reply to comment #9 from Thorsten Kukuk)
> Hm, why only this limited number of applications? Why shouldn't we support xdm, kdm, login, ...?
> I don't know enough about gnome-keyring, but I think this is something for /etc/pam.d/common-* files, so that every application you log in with will set the keyring. The description on that gnome webpage is very GNOME centric and assumes nobody will ever use other tools; this doesn't look correct to me.

The thing is that someone logging in to KDE probably doesn't want gnome-keyring to be spawned. (On the other hand, this argument is a bit flawed since you can log in to KDE with gdm, and the user would just have to uninstall gnome-keyring-pam). A better example would be the console: I'm not sure gnome-keyring can really be useful there, at least for now. But I guess it makes sense in most cases, so I'll trust you here again. (I guess the wiki page was written with a "here's the minimum you want to do if you want a good integration for GNOME" mind)

Thanks for the feedback!
https://bugzilla.novell.com/show_bug.cgi?id=421603#c11
--- Comment #11 from Thorsten Kukuk
> (In reply to comment #9 from Thorsten Kukuk)
> > Hm, why only this limited number of applications? Why shouldn't we support xdm, kdm, login, ...?
> > I don't know enough about gnome-keyring, but I think this is something for /etc/pam.d/common-* files, so that every application you log in with will set the keyring. The description on that gnome webpage is very GNOME centric and assumes nobody will ever use other tools; this doesn't look correct to me.
> The thing is that someone logging in to KDE probably doesn't want gnome-keyring to be spawned. (On the other hand, this argument is a bit flawed since you can log in to KDE with gdm, and the user would just have to uninstall gnome-keyring-pam).

Hm, then I understand the webpage wrong. My understanding was that pam_gnome_keyring does nothing if no gnome-keyring daemon is running. If this is correct, we can add it to the common-* files. If this assumption is wrong, then of course we can only add it to gdm and other gnome applications.
https://bugzilla.novell.com/show_bug.cgi?id=421603#c12
--- Comment #12 from Thorsten Kukuk
https://bugzilla.novell.com/show_bug.cgi?id=421603#c13
--- Comment #13 from Vincent Untz
> Hm, then I understand the webpage wrong. My understanding was that pam_gnome_keyring does nothing if no gnome-keyring daemon is running.

When you use the auto_start option, gnome-keyring will be spawned. So putting it in common-auth won't harm (we probably don't want to use auto_start here -- it really makes sense for session only), and putting it in common-password makes sense as you mentioned (it will always start the daemon if it doesn't run in this case; I've filed a bug upstream to stop the daemon too).

So the main question is for the session case. Putting it in common-session without auto_start looks useless. So we'd be back to adding it to gdm only.

Looking at the pam-config code, I guess we can detect the case when we're called for common-* and the case when we're called for a single config file: just look if op == -1 and fp == NULL for the latter.
https://bugzilla.novell.com/show_bug.cgi?id=421603#c14
--- Comment #14 from Thorsten Kukuk
> When you use the auto_start option, gnome-keyring will be spawned. So putting it in common-auth won't harm (we probably don't want to use auto_start here -- it really makes sense for session only), and putting it in common-password makes sense as you mentioned (it will always start the daemon if it doesn't run in this case; I've filed a bug upstream to stop the daemon too).
> So the main question is for the session case. Putting it in common-session without auto_start looks useless. So we'd be back to adding it to gdm only.

So, my suggestion:
For auth/session: Introduce auto_start_if=
https://bugzilla.novell.com/show_bug.cgi?id=421603#c15
--- Comment #15 from Thorsten Kukuk
https://bugzilla.novell.com/show_bug.cgi?id=421603#c16
--- Comment #16 from Vincent Untz
> So, my suggestion:
> For auth/session: Introduce auto_start_if=
> and spawn gnome-keyring only if called by one of the listed services. I can do that in the next days.

This would be an option for the pam module? Fine by me. (I'm mostly blindly agreeing with you here anyway ;-))

> For password: I think it should never spawn gnome-keyring, I don't see a case where this should be necessary. At least it should have the same behavior as auth and session, not per default, only with auto_start.

Well, it needs to start gnome-keyring so that the password on the keyring can actually be changed. But the process should be stopped after that (or the pam module could possibly do the change itself, but I guess this wasn't done this way for a reason).

> Do you think we would get these patches upstream?

Sure. I can help with that.
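A small audit script for the placement the thread settles on (pam_gnome_keyring.so in common-password so every password change is seen, auto_start kept to the session stack as gdm uses it rather than common-auth, and the "optional" control). This is an added example, not code from the bug or from pam-config; the pam.d stacks are constructed samples, and the auto_start_if= spelling follows comment #14.

```python
# Constructed sample pam.d stacks (not from the bug): a weak layout and the fixed one.
WEAK = {
    "common-auth": "auth required pam_env.so\nauth required pam_unix2.so\n",
    "common-password": "password requisite pam_pwcheck.so nullok\npassword required pam_unix2.so\n",
    "common-session": "session required pam_unix2.so\nsession optional pam_gnome_keyring.so\n",
    "gdm": "auth include common-auth\nauth optional pam_gnome_keyring.so auto_start\npassword include common-password\nsession include common-session\n",
}
FIXED = {
    "common-auth": "auth required pam_env.so\nauth required pam_unix2.so\nauth optional pam_gnome_keyring.so\n",
    "common-password": "password requisite pam_pwcheck.so nullok\npassword required pam_unix2.so\npassword optional pam_gnome_keyring.so\n",
    "common-session": "session required pam_unix2.so\n",
    "gdm": "auth include common-auth\npassword include common-password\nsession include common-session\nsession optional pam_gnome_keyring.so auto_start\n",
}
KEYRING = "pam_gnome_keyring.so"

def parse_pam(text):
    """Yield (type, control, module, args) per entry; joins bracketed [..] controls."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) > 1 and parts[1].startswith("["):
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            parts = [parts[0], " ".join(parts[1:end + 1])] + parts[end + 1:]
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2], parts[3:]

def audit_keyring(files):
    """Return findings against the thread's conclusions; an empty list means OK."""
    findings = []
    if not any(e[2] == KEYRING for e in parse_pam(files.get("common-password", ""))):
        findings.append("common-password: pam_gnome_keyring.so missing, so a password "
                        "change forced at login time will not update the login keyring")
    for name, text in files.items():
        for mtype, control, module, args in parse_pam(text):
            if module != KEYRING:
                continue
            # auto_start_if=<services> (comment #14) also counts as starting the daemon
            starts = "auto_start" in args or any(a.startswith("auto_start_if=") for a in args)
            if mtype == "auth" and "auto_start" in args:
                findings.append(f"{name}: unconditional auto_start on the auth stack spawns "
                                "the daemon for every login service; keep it on the session stack")
            if mtype == "session" and not starts:
                findings.append(f"{name}: session entry without auto_start does nothing useful")
            if control != "optional":
                findings.append(f"{name}: {mtype} entry is '{control}', not 'optional'")
    return findings
```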
https://bugzilla.novell.com/show_bug.cgi?id=421603#c17
--- Comment #17 from Thorsten Kukuk
Bug 421603 depends on bug 440448, which changed state.

Bug 440448 Summary: Add gnome-keyring support to pam-config
https://bugzilla.novell.com/show_bug.cgi?id=440448

           What    |Old Value   |New Value
----------------------------------------------------------------------------
         Status|NEW         |RESOLVED
     Resolution|            |FIXED
https://bugzilla.novell.com/show_bug.cgi?id=421603#c18
--- Comment #18 from Vincent Untz
Bug 421603 depends on bug 443189, which changed state.

Bug 443189 Summary: Fix gnome-keyring support in pam-config
https://bugzilla.novell.com/show_bug.cgi?id=443189

           What    |Old Value   |New Value
----------------------------------------------------------------------------
         Status|NEW         |RESOLVED
     Resolution|            |FIXED
https://bugzilla.novell.com/show_bug.cgi?id=421603#c19
--- Comment #19 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=421603#c20
--- Comment #20 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=421603#c21
--- Comment #21 from Vincent Untz
https://bugzilla.novell.com/show_bug.cgi?id=421603#c22
--- Comment #22 from Vincent Untz