https://bugzilla.novell.com/show_bug.cgi?id=421603 Robert Vojcik changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bnc-team-screening@forge.provo.novell.com |bnc-team-gnome@forge.provo.novell.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 User jpr@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=421603#c2 JP Rosevear changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bnc-team-gnome@forge.provo.novell.com |kukuk@novell.com --- Comment #2 from JP Rosevear 2008-09-18 14:01:01 MDT --- Thorsten, what do you think? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 User kukuk@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=421603#c4 Thorsten Kukuk changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kukuk@novell.com AssignedTo|kukuk@novell.com |bnc-team-gnome@forge.provo.novell.com Status|NEEDINFO |NEW Info Provider|kukuk@novell.com | --- Comment #4 from Thorsten Kukuk 2008-09-18 15:12:00 MDT --- Adding it by default is not possible, since GNOME is not the default desktop on all products and don't need to be installed at all. If, then somebody has to add support for it to pam-config (if not already done) and pam_gnome_keyring package can enable it at install time. That's the policy for PAM modules not in the minimal base system. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 JP Rosevear changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bnc-team-gnome@forge.provo.novell.com |vuntz@novell.com Priority|P5 - None |P2 - High -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 User vuntz@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=421603#c6 --- Comment #6 from Vincent Untz 2008-10-30 11:13:33 MDT --- (hrm, actually, we don't hardcode stuff in gdm, we do a bad hack with sed in gnome-keyring-pam...) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 User kukuk@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=421603#c8 --- Comment #8 from Thorsten Kukuk 2008-10-31 00:17:18 MDT --- (In reply to comment #5 from Vincent Untz)

I'm looking at this right now, and since I'm no expert in pam, some help would be welcome :-)

I guess "password optional pam_gnome_keyring.so" only makes sense in /etc/pam.d/passwd and not in /etc/pam.d/common-password (since it's used when updating a password). Am I right?

This is not correct. What happens if you change your password at login time, because you are required by policies to do so? Than pam_gnome_keyring will not see it. pam_gnome_keyring.so clearly needs to be added to /etc/pam.d/common-password, so that it will be called every time a password is changed. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 User vuntz@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=421603#c10 --- Comment #10 from Vincent Untz 2008-10-31 00:43:56 MDT --- (In reply to comment #8 from Thorsten Kukuk)

(In reply to comment #5 from Vincent Untz) This is not correct. What happens if you change your password at login time, because you are required by policies to do so? Than pam_gnome_keyring will not see it.

pam_gnome_keyring.so clearly needs to be added to /etc/pam.d/common-password, so that it will be called every time a password is changed.

Okay, sounds sensible, indeed. (this of course means my patch for pam-config is wrong ;-)) (In reply to comment #9 from Thorsten Kukuk)

Hm, why only this limited number of applications? Why shouldn't we support xdm, kdm, login, ...?

I don't know enough about gnome-keyring, but I think this is something for /etc/pam.d/common-* files, so that every application you login with will set the keyring. The description on that gnome webpage is very GNOME centric and assumes nobody will use ever other tools, this doesn't look correct to me.

The thing is that someone logging in KDE probably doesn't want gnome-keyring to be spawned. (On the other hand, this argument is a bit flawed since you can log in KDE with gdm, and the user would just have to uninstall gnome-keyring-pam). A better example would be the console: I'm not sure gnome-keyring can really be useful there, at least for now. But I guess it makes sense in most cases, so I'll trust you here again. (I guess the wiki page was written with a "here's the minimum you want to do if you want a good integration for GNOME" mind) Thanks for the feedback! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 User kukuk@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=421603#c12 --- Comment #12 from Thorsten Kukuk 2008-10-31 01:04:48 MDT --- When I'm in the office in about 2 hours, I will look at the sources to see if we can add it to common-* or if we can only add it to selected PAM config files. Adding a module to common-password and some single PAM config files: I never tried this with pam-config, could be pretty hard to implement. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 User kukuk@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=421603#c14 --- Comment #14 from Thorsten Kukuk 2008-10-31 03:05:50 MDT --- (In reply to comment #13 from Vincent Untz)

When you use the auto_start option, gnome-keyring will be spawned. So putting it in common-auth won't harm (we probably don't want to use auto_start here -- it really makes sense for session only) and putting it in common-password makes sense as you mentioned (it will always start the daemon if it doesn't run in this case, I've filed a bug upstream to stop the daemon too).

So the main question is for the session case. Putting it in common-session without auto_start looks useless. So we'd be back to adding it to gdm only.

So, my suggestion: For auth/session: Introduce auto_start_if= and spawn gnome-keyring only if called by one of the listed services. I can do that the next days. For password: I think it should never spawn gnome-keyring, I don't see a case where this should be necessary.At least it should have the same behavior as auth and session, not per default, only with auto_start. Do you think we would get this patches upstream? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 User vuntz@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=421603#c16 --- Comment #16 from Vincent Untz 2008-10-31 09:08:10 MDT --- (In reply to comment #14 from Thorsten Kukuk)

So, my suggestion:

For auth/session: Introduce auto_start_if= and spawn gnome-keyring only if called by one of the listed services. I can do that the next days.

This would be an option for the pam module? Fine by me. (I'm mostly blindly agreeing with you here anyway ;-))

For password: I think it should never spawn gnome-keyring, I don't see a case where this should be necessary.At least it should have the same behavior as auth and session, not per default, only with auto_start.

Well, it needs to start gnome-keyring so that the password on the keyring can actually be changed. But the process should be stopped after that (or the pam module could possibly do the change itself, but I guess this wasn't done this way for a reason).

Do you think we would get this patches upstream?

Sure. I can help with that. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 Bug 421603 depends on bug 440448, which changed state. Bug 440448 Summary: Add gnome-keyring support to pam-config https://bugzilla.novell.com/show_bug.cgi?id=440448 What |Old Value |New Value ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 Vincent Untz changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |443189 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 User vuntz@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=421603#c19 --- Comment #19 from Vincent Untz 2008-11-12 05:04:41 MST --- Blocking on http://bugzilla.gnome.org/show_bug.cgi?id=560488 now. It's really too late to implement this for openSUSE 11.1, so I'll stop now. If we want this for SLE, tell me and I'll give it a try. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=421603 User vuntz@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=421603#c21 Vincent Untz changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on|477488 | --- Comment #21 from Vincent Untz 2009-02-18 21:08:43 MST --- Actually, I moved to pam-config even now, by including a patch that will make things work okay in most case (except for the password case, where we still need bug 477488 -- but it's still an improvement compared to before since we didn't have anything to update the keyring password before). (removing bug from the blocker list, since I can't close the bug this way...) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.