Hello everyone! I'm having some trouble with automatically unlocking the keyring on login.
I do not use a DM and start a Gnome wayland session from my .zprofile like so:
if [[ -z $DISPLAY && $(tty) == /dev/tty1 && ( -z $XDG_SESSION_TYPE || $XDG_SESSION_TYPE == tty ) ]]; then
    QT_QPA_PLATFORM=wayland XDG_SESSION_TYPE=wayland exec dbus-run-session gnome-session
fi
I've tried the PAM method to automatically unlock the keyring as described here and here, but it does not work because (I think) I'm not using the keyring 'outside' Gnome. In fact, using the PAM method, the keyrings are missing when checking from Seahorse until I manually kill the daemon, then they appear just like magic, and htop shows that the command that started gnome-keyring was
/usr/bin/gnome-keyring-daemon --daemonize --login
but normally I get
/usr/bin/gnome-keyring-daemon --start --components=secrets
So, do you guys know how I can unlock the keyring in Gnome without using a DM, or how to fix PAM?
Thanks a lot for your attention! Feel free to ask for more information
Edit: I seem to have the same symptoms as in this thread that was left unresolved... https://bbs.archlinux.org/viewtopic.php?id=203423
Last edited by starmatt (2019-07-06 02:49:56)
What happens if you do not run a separate dbus-run-session (I don't think it is inherently necessary, and whatever gnome-keyring that would be started on login will definitely be on another dbus bus)
What happens if you do not run a separate dbus-run-session (I don't think it is inherently necessary, and whatever gnome-keyring that would be started on login will definitely be on another dbus bus)
So I modified my .zprofile entry to look like so and rebooted:
if [[ -z $DISPLAY && $(tty) == /dev/tty1 && ( -z $XDG_SESSION_TYPE || $XDG_SESSION_TYPE == tty ) ]]; then
    QT_QPA_PLATFORM=wayland XDG_SESSION_TYPE=wayland exec gnome-session
fi
But it does not change anything. I get no prompt at start up (which is good), but I think that is because the daemon hasn't started properly (or only with the --daemonize option). Seahorse shows no 'Passwords' entry, and I have to manually kill and start the daemon with
gnome-keyring-daemon --start --components=secrets
to have it working using the PAM method.
Thanks a lot for your answer tho!
Edit: I've also tried adding the .xinitrc method in my .zprofile, before starting up the session:
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
export SSH_AUTH_SOCK
which didn't seem to work either.
Last edited by starmatt (2019-07-06 11:21:42)
Here's what I did for my Xorg/xorg-xinit/I3 setup. Hopefully this may lend you some ideas.
The wiki had all the info I needed under Gnome-keyring.
Reviewing the wiki, it appears I did not have the PAM bits in place in the file /etc/pam.d/login:
auth required pam_securetty.so
auth requisite pam_nologin.so
auth include system-local-login
auth optional pam_gnome_keyring.so        <--- Added this
account include system-local-login
session include system-local-login
session optional pam_gnome_keyring.so auto_start        <--- Added this
At the end of my .xinitrc:
# If using startx, this is required for gnome-keyring for passwords
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
export SSH_AUTH_SOCK
# Make sure this is before the 'exec' command or it won't be sourced.
[ -f /etc/xprofile ] && . /etc/xprofile
[ -f ~/.xprofile ] && . ~/.xprofile
exec i3
Since my .xprofile has all the bits I need to be loaded into I3, I source it from .xinitrc, but before the calling of i3.
Last edited by Stratoblaster (2019-07-06 11:39:11)
Thanks for your answer Stratoblaster!
Yeah, I've found this solution around the internet already; the catch is that I don't use .xinitrc, since I start up a wayland session from my .zprofile file. As explained in my last post, I tried adding these lines to the .zprofile just before starting the session, but it doesn't work.
Hello again, I think I found something interesting!
$ ps -ef --sort=start_time | grep gnome-keyring
matt       400     1  0 14:23 pts/0    00:00:00 /usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh
matt       897     1  0 14:24 ?        00:00:00 /usr/bin/gnome-keyring-daemon --daemonize --login
matt      1389     1  0 14:24 pts/2    00:00:00 /usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh
matt      1525  1377  0 14:24 pts/2    00:00:00 grep --color=auto gnome-keyring
It seems that the keyring is started before I log in, or at least before PAM initializes the daemon (at 14:23). Maybe there's a conflict somewhere? How can I find out how the first
/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh
is started? Maybe from PAM as well?
$ grep -r pam_gnome_keyring.so /etc/pam.*
/etc/pam.d/login:auth optional pam_gnome_keyring.so
/etc/pam.d/login:session optional pam_gnome_keyring.so auto_start
/etc/pam.d/passwd:password optional pam_gnome_keyring.so
/etc/pam.d/gdm:#auth optional pam_gnome_keyring.so
/etc/pam.d/gdm:#session optional pam_gnome_keyring.so auto_start
/etc/pam.d/gdm-pin:auth optional pam_gnome_keyring.so
/etc/pam.d/gdm-pin:password optional pam_gnome_keyring.so use_authtok
/etc/pam.d/gdm-pin:session optional pam_gnome_keyring.so auto_start
/etc/pam.d/gdm-password:auth optional pam_gnome_keyring.so
/etc/pam.d/gdm-password:password optional pam_gnome_keyring.so use_authtok
/etc/pam.d/gdm-password:session optional pam_gnome_keyring.so auto_start
/etc/pam.d/gdm-autologin:auth optional pam_gnome_keyring.so
/etc/pam.d/gdm-autologin:session optional pam_gnome_keyring.so auto_start
I don't think the gdm files are relevant since I don't use it to log in.
Thanks again for your help!
Edit: There were some entries in /etc/xdg/autostart:
$ grep -r 'keyring' /etc/xdg/autostart
/etc/xdg/autostart/gnome-keyring-ssh.desktop:Exec=/usr/bin/gnome-keyring-daemon --start --components=ssh
/etc/xdg/autostart/gnome-keyring-ssh.desktop:X-GNOME-Bugzilla-Product=gnome-keyring
/etc/xdg/autostart/gnome-keyring-secrets.desktop:Exec=/usr/bin/gnome-keyring-daemon --start --components=secrets
/etc/xdg/autostart/gnome-keyring-secrets.desktop:X-GNOME-Bugzilla-Product=gnome-keyring
/etc/xdg/autostart/gnome-keyring-pkcs11.desktop:Exec=/usr/bin/gnome-keyring-daemon --start --components=pkcs11
/etc/xdg/autostart/gnome-keyring-pkcs11.desktop:X-GNOME-Bugzilla-Product=gnome-keyring
I've tried disabling these by copying them to
~/.config/autostart
and replacing their contents with
[Desktop Entry]
Hidden=true
which didn't seem to work either...
Edit 2: Disregard that last edit, it doesn't seem to be the issue
Last edited by starmatt (2019-07-06 13:25:41)
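The question in the post above, how to tell where a gnome-keyring-daemon was started from when ps already shows its parent as pid 1, can be answered from /proc rather than from the ps listing. What follows is an added example, not code from the thread or from the gnome-keyring project; the function names proc_origin and origin_of_all_keyring_daemons are chosen here, and it assumes Linux with /proc mounted and that the process belongs to you (or that you are root), otherwise its environment is not readable. It prints the parent pid and that parent's command name, the control group (which names the systemd unit or login-session scope that owns the process) and the session-bus and runtime-directory variables the process inherited at spawn time, which is what decides whether clients on the desktop can reach that daemon at all.

```shell
#!/bin/sh
# Added example, not from the thread: locate the origin of a process that has
# already daemonised (parent is pid 1) by reading /proc. Linux only.

proc_origin() {
    pid=$1
    [ -r "/proc/$pid/stat" ] || { echo "no such process: $pid" >&2; return 1; }

    # /proc/PID/stat reads "PID (comm) STATE PPID ...". The comm field may
    # contain spaces or parentheses, so drop everything up to the last ") "
    # before splitting; the parent pid is then the second remaining field.
    rest=$(sed 's/^.*) //' "/proc/$pid/stat")
    ppid=$(printf '%s\n' "$rest" | cut -d' ' -f2)
    echo "pid=$pid"
    echo "ppid=$ppid"
    if [ -r "/proc/$ppid/comm" ]; then
        echo "parent_comm=$(cat "/proc/$ppid/comm")"
    fi

    # The control group names the systemd unit or login-session scope that
    # owns the process: a daemon spawned by PAM at a tty login sits in that
    # login's session scope, one spawned by the desktop's autostart does not
    # have to.
    if [ -r "/proc/$pid/cgroup" ]; then
        echo "cgroup=$(tail -n 1 "/proc/$pid/cgroup")"
    fi

    # Environment inherited at spawn time. A daemon that was given a different
    # DBUS_SESSION_BUS_ADDRESS or XDG_RUNTIME_DIR than the desktop session is
    # invisible to the session's clients even though it is running.
    if [ -r "/proc/$pid/environ" ]; then
        tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null |
            grep -E '^(XDG_RUNTIME_DIR|DBUS_SESSION_BUS_ADDRESS|GNOME_KEYRING_CONTROL)=' |
            sed 's/^/env./'
    fi
    return 0
}

# Run proc_origin over every gnome-keyring-daemon. The kernel truncates the
# command name to 15 characters, hence "gnome-keyring-d" (as in the journal
# lines and the pkill command elsewhere in the thread).
origin_of_all_keyring_daemons() {
    for p in $(pgrep -x gnome-keyring-d 2>/dev/null); do
        proc_origin "$p"
        echo "--"
    done
}
```

With several daemons running, compare the cgroup and env.DBUS_SESSION_BUS_ADDRESS lines between them: two daemons on two different buses is exactly the situation the first reply in the thread warned about.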
Hello again, I think I found something interesting!
[...]
It seems that the keyring is started before I login, or at least before pam initializes the daemon (at 14:23). Maybe there's a conflict somewhere ? How can I found how the first [...] is started ?
Maybe from pam as well ?[...]
Edit: There was some entries in /etc/xdg/autostart
[...]
The gnome-keyring-daemon program is started by PAM. It will not fully start up at that point, it will sleep and wait. You have to send a message to it with that "--start" parameter to make it complete its initialization, and then it will start working.
This is documented in "man gnome-keyring-daemon" in the description for the "--login" and "--start" parameters.
Last edited by Ropid (2019-07-06 15:30:45)
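Ropid's explanation above (PAM spawns the daemon with --login and it waits until something sends --start) and Stratoblaster's PAM and .xinitrc lines earlier in the thread describe one procedure for a login without a display manager. The block below is an added example, not code from the thread, from the Arch wiki or from the gnome-keyring project; the function names are chosen here. It assumes POSIX sh on Linux, that the daemon's socket directory is $XDG_RUNTIME_DIR/keyring (which is where /run/user/1000/keyring in the journal lines comes from), and that --start prints GNOME_KEYRING_CONTROL and SSH_AUTH_SOCK as shown later in the thread; older gnome-keyring releases also printed GNOME_KEYRING_PID, so extend the whitelist if yours does. It does three things the eval one-liner does not: it checks that /etc/pam.d/login really carries both module lines and that the auth line sits below the module that collected the password, it imports only known variable names with path-shaped values instead of eval-ing whatever arrived on the daemon's stdout, and it refuses to talk to a socket directory that is not mode 0700 and owned by the current uid, since anyone who can connect to the control socket talks to the daemon as you.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for a DM-less login where
# pam_gnome_keyring.so spawns "gnome-keyring-daemon --daemonize --login" and
# the login shell must then send "--start" and adopt the variables it prints.

# 1. Does a pam.d service file carry both module lines? The auth hook reads
#    the password that earlier auth modules stored, so it must not be the
#    first entry of the auth stack; the session line needs auto_start.
check_pam_keyring() {
    f=$1
    first_auth=$(grep -nE '^auth[[:space:]]' "$f" | head -n 1 | cut -d: -f1)
    auth_ln=$(grep -nE '^auth[[:space:]]+optional[[:space:]]+pam_gnome_keyring\.so' "$f" | head -n 1 | cut -d: -f1)
    sess_ln=$(grep -nE '^session[[:space:]]+optional[[:space:]]+pam_gnome_keyring\.so[[:space:]]+auto_start' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$auth_ln" ] || { echo "$f: missing 'auth optional pam_gnome_keyring.so'" >&2; return 1; }
    [ -n "$sess_ln" ] || { echo "$f: missing 'session optional pam_gnome_keyring.so auto_start'" >&2; return 1; }
    [ "$auth_ln" -gt "$first_auth" ] || { echo "$f: pam_gnome_keyring.so must come after the module that reads the password" >&2; return 1; }
}

# 2. Adopt only the variables --start is expected to print, instead of
#    eval-ing its stdout (eval runs anything that lands on that stream).
#    Reads NAME=VALUE lines from stdin; call it with a redirection, not a
#    pipe, so the exports land in the calling shell rather than a subshell.
import_keyring_env() {
    while IFS= read -r line; do
        case "$line" in
            GNOME_KEYRING_CONTROL=*|SSH_AUTH_SOCK=*) ;;
            *) echo "ignored: $line" >&2; continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        # Socket paths only: letters, digits, "_", ".", "/" and "-".
        case "$value" in
            ""|*[!A-Za-z0-9_./-]*) echo "rejected unsafe value for $name" >&2; continue ;;
        esac
        export "$name=$value"
    done
    return 0
}

# 3. The entries under $XDG_RUNTIME_DIR/keyring are unix sockets. The
#    directory must be 0700 and owned by the current uid, or another local
#    user could plant sockets there and answer our --start.
keyring_dir_ok() {
    d=$1
    [ -d "$d" ] || { echo "$d: not a directory" >&2; return 1; }
    # "ls -ldn" prints e.g. "drwx------ 2 1000 1000 ..." with numeric ids;
    # characters 5-10 are the group and other permission bits.
    ent=$(ls -ldn "$d")
    perms=$(printf '%s\n' "$ent" | cut -c5-10)
    owner=$(printf '%s\n' "$ent" | awk '{print $3}')
    [ "$perms" = "------" ] || { echo "$d: group/other bits are set ($perms)" >&2; return 1; }
    [ "$owner" = "$(id -u)" ] || { echo "$d: owned by uid $owner, not $(id -u)" >&2; return 1; }
}

# Names of the three sockets listed in the thread; prints the ones missing.
keyring_missing_sockets() {
    d=$1
    missing=""
    for s in control pkcs11 ssh; do
        [ -S "$d/$s" ] || missing="$missing $s"
    done
    printf '%s\n' "${missing# }"
}

# 4. What ~/.zprofile would call before "exec gnome-session". A --start that
#    cannot reach the control socket starts a fresh daemon of its own, which
#    never saw the login password, so bail out if the directory is not ours.
keyring_start_session() {
    d=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/keyring
    keyring_dir_ok "$d" || return 1
    tmp=$(mktemp) || return 1
    /usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh > "$tmp" 2>/dev/null
    import_keyring_env < "$tmp"
    rm -f "$tmp"
}
```

The GNOME_KEYRING_CONTROL value that --start prints is the quickest tell of which daemon answered: a path inside $XDG_RUNTIME_DIR/keyring means the PAM-started one, while a freshly created ~/.cache/keyring-XXXXXX directory, like the /home/matt/.cache/keyring-XHPT4Z shown later in this thread next to a second long-lived --start process, is consistent with a separate daemon having been spawned instead.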
Hi Ropid, thanks for your answer. As I said in my previous posts, I've tried running that through my .zprofile before and after starting the DE, to no avail. I can see the process has started with the ps command, but applications can't access the keyring, it's definitely not unlocked, and they don't even show up in Seahorse until I manually kill the process.
Here's what journalctl has to say about it:
juil. 06 17:48:40 star gnome-keyring-daemon[1021]: The Secret Service was already initialized
juil. 06 17:50:56 star gnome-keyring-daemon[2713]: couldn't access control socket: /run/user/1000/keyring/control: No such file or directory
juil. 06 17:50:56 star gnome-keyring-d[2713]: couldn't access control socket: /run/user/1000/keyring/control: No such file or directory
juil. 06 17:50:58 star gnome-keyring-daemon[2713]: no private keys found in file
juil. 06 17:50:58 star gnome-keyring-d[2713]: no private keys found in file
juil. 06 17:50:58 star gnome-keyring-daemon[2713]: invalid or unrecognized private SSH key: [redacted]
juil. 06 17:50:58 star gnome-keyring-d[2713]: invalid or unrecognized private SSH key: [redacted]
juil. 06 18:34:32 star gnome-keyring-daemon[818]: The SSH agent was already initialized
juil. 06 18:34:32 star gnome-keyring-daemon[818]: The Secret Service was already initialized
juil. 06 18:34:32 star gnome-keyring-daemon[818]: The PKCS#11 component was already initialized
juil. 06 18:34:32 star gnome-keyring-daemon[818]: The SSH agent was already initialized
juil. 06 18:34:32 star gnome-keyring-ssh.desktop[879]: SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
juil. 06 18:34:32 star gnome-keyring-daemon[818]: The Secret Service was already initialized
juil. 06 18:34:32 star gnome-keyring-secrets.desktop[881]: SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
juil. 06 18:34:32 star gnome-keyring-daemon[818]: The PKCS#11 component was already initialized
juil. 06 18:34:32 star gnome-keyring-pkcs11.desktop[882]: SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
juil. 06 18:34:37 star gnome-keyring-daemon[818]: The Secret Service was already initialized
It seems it tries to access the keyrings in /run/user/1000/keyring/ when really my keyrings are stored in ~/.local/share/keyrings... Any idea how I can change this?
Can you try commenting out that stuff in your .zprofile and restart? Then log in and check if gnome-keyring-daemon is running to see if PAM has started it. Then run that "gnome-keyring-daemon --start" command yourself manually and see what happens.
The entries in /run/user/1000/keyring/ are not normal files. They are "sockets".
Last edited by Ropid (2019-07-06 16:50:50)
Here you go, I only have the pam.d lines added:
$ ps -ef --sort=start_time | grep gnome-keyring
matt 904 1 0 18:53 ? 00:00:00 /usr/bin/gnome-keyring-daemon --daemonize --login
matt      1871  1728  0 18:54 pts/2    00:00:00 grep --color=auto gnome-keyring
After running the start command:
$ /usr/bin/gnome-keyring-daemon --start --components=secrets
GNOME_KEYRING_CONTROL=/home/matt/.cache/keyring-XHPT4Z
matt       904     1  0 18:53 ?        00:00:00 /usr/bin/gnome-keyring-daemon --daemonize --login
matt      1926     1  0 18:59 pts/2    00:00:00 /usr/bin/gnome-keyring-daemon --start --components=secrets
matt      1941  1728  0 19:00 pts/2    00:00:00 grep --color=auto gnome-keyring
But applications still can't access it and Seahorse shows no entry.
Now if I kill the process first
pkill gnome-keyring-d
and rerun the start command, it works, although the keyrings are still locked, which makes sense... (it's how I've been doing it until now to connect to wifi and post here)
Thanks again!
Ah, I found something else.
At login, if I run seahorse from the command-line, it opens up and I can see the keyrings; although they are not unlocked. If I unlock them, networkmanager still doesn't pick up on them.
But if I concurrently run seahorse from the Gnome's application menu, then I can't see the keyrings.
So there seems to be a conflict somewhere, but I don't know where to look... user groups?
Out of curiosity; why Wayland over Xorg?
Out of curiosity; why Wayland over Xorg?
Better HIDPI support
I'm only seeing that one "gnome-keyring-daemon --daemonize --login" process here on Xorg with LightDM and XFCE. That second "--start" process you have is not there, maybe that process is not supposed to keep running? I'm thinking that "--start" process is just supposed to write a message into one of those sockets in "/run/user/1000/keyring/" and then exit immediately.
EDIT:
Can you share your whole "/etc/pam.d/login" file? Maybe the order of the lines there is important.
Last edited by Ropid (2019-07-06 18:40:04)
$ cat /etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth requisite pam_nologin.so
auth include system-local-login
auth optional pam_gnome_keyring.so
account include system-local-login
session include system-local-login
session optional pam_gnome_keyring.so auto_start
I've been told in the gnome subreddit that I shouldn't need that --start command because, since I use a gnome session, the DE already sets that up on its own.
I think your "/etc/pam.d/login" file looks like it should. Your lines seem to be in a similar order as to what's happening here for me in the file that LightDM installed in that pam.d folder.
Maybe you should concentrate on what's happening in "/run/user/1000/keyring/"? In that error message you shared earlier, it seemed like one of the entries there is missing for you, that socket named "control". The things there look like this for me here, there's three entries:
$ ls /run/user/1000/keyring/
control  pkcs11  ssh
Last edited by Ropid (2019-07-06 19:01:59)
I have all three entries.
I have all three entries.
Hi, I'm having the same problem. Any updates on this, did you find a solution?
starmatt wrote:I have all three entries.
Hi, I'm having the same problem. Any updates on this, did you find a solution?
Same problem here. Haven't been able to find a solution yet.
Hi starmatt.
Today I was trying to achieve a similar thing in the Sway compositor. I followed the PAM method as described on the ArchWiki, but could not get the Gnome Keyring to be accessible right after logging in. However, I noticed that the daemon was running. So I tried what happens if I execute this in bash (I did not add pkcs11 as I don't need it):
gnome-keyring-daemon --start --components=secrets,ssh
It turned out that in that very shell I could use ``ssh-add`` to add a key. So I added to my ``.bash_profile``:
eval $(/usr/bin/gnome-keyring-daemon --start --components=secrets,ssh)
export SSH_AUTH_SOCK
For me that was enough to have a functional ssh-agent.
Did this get solved?
Having a similar issue: I am using the PAM config to automatically start the gnome-keyring-daemon at login. However, if you change your password, a) does gnome-keyring-daemon still try to unlock with the previous password? b) how do you update the password via the command line?