
#1 2019-09-19 10:07:01

dviktor
Member
From: Moscow
Registered: 2015-10-18
Posts: 162

GNOME Keyring doesn't work if I log in remotely

FOREWORD
I've already set up GNOME Keyring as described in the wiki article. My DE is Cinnamon, I have no login manager and use console-based login (with .xinitrc for TTY1).

/etc/pam.d/login

[12:46 viktor@desolve-lab ~]$ cat /etc/pam.d/login
#%PAM-1.0

auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so        auto_start

~/.xinitrc

[12:48 viktor@desolve-lab ~]$ cat .xinitrc 
#!/bin/sh

# merge in defaults and keymaps
userresources=$HOME/.Xresources
usermodmap=$HOME/.Xmodmap
sysresources=/etc/X11/xinit/.Xresources
sysmodmap=/etc/X11/xinit/.Xmodmap

if [ -f $sysresources ]; then
    xrdb -merge $sysresources
fi

if [ -f $sysmodmap ]; then
    xmodmap $sysmodmap
fi

if [ -f "$userresources" ]; then
    xrdb -merge "$userresources"
fi

if [ -f "$usermodmap" ]; then
    xmodmap "$usermodmap"
fi

# load default stuff
if [ -d /etc/X11/xinit/xinitrc.d ] ; then
 for f in /etc/X11/xinit/xinitrc.d/?*.sh ; do
  [ -x "$f" ] && . "$f"
 done
 unset f
fi

# keyring-aware variables
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
export SSH_AUTH_SOCK

# turn numlock on
numlockx &

# DPMS
xset s 1200 1200
xset dpms 1200 1200 1800

# start cinnamon
exec cinnamon-session

ssh-add -L lists all my active SSH keys (will not post here to save space, but if that matters I could post it later).

I have a default keyring which has the same password as my account, so it unlocks automatically if I log in on that computer locally on TTY1 (graphical login). I'm able to log in to services which require passwords without being asked for passphrases if I've already added these passwords to the default keyring (in my case it's password-protected SMB shares). The same is true for accessing SSH resources (however, not all of my keys are added to the default keyring so it asks me for a passphrase for those servers, it's ok for me) - for example, GitHub.

When I log in via console to my account (graphical login on TTY1 or console login on TTY2-7) I can see that the keyring daemon has started (it's true for my local user and root user too, so I believe that /etc/pam.d/login works right):

[12:50 viktor@desolve-lab ~]$ ps aux | grep keyring
viktor       870  0.0  0.0 314672  7752 ?        Sl   12:46   0:00 /usr/bin/gnome-keyring-daemon --daemonize --login

PROBLEM
However, when I try to log in to that computer remotely (via SSH) or via console-only TTY (TTY2-7) then GNOME Keyring doesn't work at all. I'll explain. If I've connected remotely there is no entry in ps aux output for gnome-keyring-daemon for the newly connected user. If I've logged in via console-only TTY (TTY2-7) I can see gnome-keyring-daemon in ps aux output.

Finally, when I try to connect to SSH server which passphrase is stored in default keyring (and shouldn't be asked so) then it still asks me for password and even after successful connection keeps asking every time when I want to connect again to it (main example is working with GitHub: I've added passphrase for my GitHub private key into default keyring and I'm able to work without any asking for passphrases if I logged in graphically on TTY1).

Can anyone point me where I'm wrong and how it can be fixed? Thank you!

Last edited by dviktor (2019-09-19 10:15:39)


#2 2019-09-19 11:24:41

Swiggles
Member
Registered: 2014-08-02
Posts: 266

Re: GNOME Keyring doesn't work if I log in remotely

I am not 100% sure, but I think you have to add these two lines to any service that uses PAM:

auth       optional     pam_gnome_keyring.so
session    optional     pam_gnome_keyring.so auto_start

At least this is true for other DMs. So I would try adding these lines to your /etc/pam.d/sshd

Edit: This answer is wrong, because SSH does not transfer the required credentials to the server if the user is not logged in via normal means. It does work out of the box if you already have an established session for the user. So please disregard the info above. Just leaving it here, because it still might be useful for people using another DM than gnome.

Last edited by Swiggles (2019-09-19 11:53:27)


#3 2019-09-19 13:22:50

dviktor
Member
From: Moscow
Registered: 2015-10-18
Posts: 162

Re: GNOME Keyring doesn't work if I log in remotely

Seems like I found the cause of the problem. Starting keyring daemon with PAM isn't enough, one should explicitly start its components and export SSH_AUTH_SOCK. As for current wiki instructions one should place these lines into ~/.xinitrc:

eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
export SSH_AUTH_SOCK

However, this will work only for graphical logins. Just for the test purposes I've logged in via console tty (in my case TTY2-7). Before execution of two aforementioned lines it asked me for passphrase every time I tried to access SSH server. However, after execution of these lines it didn't ask anything upon my request for SSH connection to GitHub.

Naive solution is to move these lines into ~/.bashrc, however I think this is bad practice, because every interactive BASH session will execute this. I don't know how to properly configure things to satisfy graphical, console and remote logins without breaking anything else.

EDIT
Nope, I'm wrong. For a clean test I rebooted and, without logging in on the graphical TTY, tried to connect to GitHub after the eval and export commands - I wasn't able to connect. After logging in to the DE, the connection to GitHub worked flawlessly; however, when I tried to connect to SSH server passphrase for which file isn't stored in keyring then it asked me for password, but asked on my TTY1 in graphical DE instead of console TTY. So it seems like an incorrect solution.

Last edited by dviktor (2019-09-19 13:35:08)
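
Added example, not part of any post in this thread: a small diagnostic for comparing the login paths discussed above. It reports whether a PAM service file carries the two pam_gnome_keyring lines and whether SSH_AUTH_SOCK points at a socket; the function names and the sshd-style sample file are assumptions.

```shell
# Added example, not from the thread; function names are hypothetical.
# pam_keyring_status FILE -> "auth=N session=N auto_start=N" (1 = present).
# Only looks at FILE itself; "include"d stacks are not followed.
pam_keyring_status() {
    awk '
        NF < 3 || $1 ~ /^#/ { next }              # comments, blank/short lines
        {
            type = $1; sub(/^-/, "", type)        # "-session" style prefix
            m = 3                                 # field holding the module
            if ($2 ~ /^\[/) {                     # [success=ok default=ignore]
                for (m = 2; m <= NF && $m !~ /\]$/; m++) ;
                m++
            }
            if ($m !~ /(^|\/)pam_gnome_keyring\.so$/) next
            if (type == "auth") auth = 1
            if (type == "session") {
                sess = 1
                for (i = m + 1; i <= NF; i++) if ($i == "auto_start") start = 1
            }
        }
        END { printf "auth=%d session=%d auto_start=%d\n", auth, sess, start }
    ' "$1"
}

# agent_socket_status [PATH] -> unset | socket | stale (defaults to SSH_AUTH_SOCK)
agent_socket_status() {
    sock=${1-${SSH_AUTH_SOCK-}}
    if [ -z "$sock" ]; then echo unset
    elif [ -S "$sock" ]; then echo socket
    else echo stale; fi
}

# Constructed samples: the keyring lines of the login stack posted above, and
# an sshd-style stack (assumed, not shown in the thread) without them.
sample_dir=$(mktemp -d)
cat > "$sample_dir/login" <<'EOF'
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
session    include      system-local-login
session    optional     pam_gnome_keyring.so        auto_start
EOF
cat > "$sample_dir/sshd" <<'EOF'
auth       include      system-remote-login
session    include      system-remote-login
EOF
for svc in login sshd; do
    printf '%-6s %s\n' "$svc" "$(pam_keyring_status "$sample_dir/$svc")"
done
echo "SSH_AUTH_SOCK: $(agent_socket_status)"
```

Pointing `pam_keyring_status` at the real files under /etc/pam.d and running `agent_socket_status` in each kind of session (TTY1, TTY2-7, SSH) shows which login path is missing which piece.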
