#1 2019-09-26 12:46:21

sseneca
Member
Registered: 2019-09-26
Posts: 6

Auto-login AND auto-unlock gnome keyring: possible?

In gnome-keyring's documentation, we can find:

Upon authenticating the user, the PAM module tries to unlock the 'login' keyring with the password entered by the user.

afaik, this is the only way to get auto-login set up on Arch. But this method doesn't require the input of a password at all, it would seem, so gnome-keyring can't use it to auto-unlock the keyring.

So, is it impossible to both:

  1. automatically log in a desired user on boot and

  2. once having logged in, have gnome-keyring also unlock itself

WITHOUT having to set the keyring's password to empty and therefore insecurely storing any password in the keyring in plaintext?

Context is that since I've set up full disk encryption on my machine I'd like to type only one password in to decrypt the drive and that be it.


#2 2019-09-26 20:45:13

glitsj16
Member
Registered: 2015-04-26
Posts: 116

Re: Auto-login AND auto-unlock gnome keyring: possible?

If you use a display-manager like GDM, this should be possible and easy to configure. If memory serves me I think DMs like lightdm and xdm have PAM support too for auto-unlocking the keyring. The GNOME wiki page you referred to mentions checking OS support for it via grep -rq pam_gnome_keyring.so /etc/pam.* && echo "Have PAM Support". Have you tried that yet?

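An added example, not part of the original posts: the grep check quoted above only shows that the module name appears somewhere under /etc/pam.*, commented-out lines included. This script reports, per service file, which pam_gnome_keyring.so hooks are actually active; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# keyring_pam_status FILE: which pam_gnome_keyring.so hooks are active in one file.
keyring_pam_status() {
    awk '
        BEGIN { a = s = st = p = "n" }
        /^[ \t]*#/ { next }                    # commented-out lines do not count
        !/pam_gnome_keyring\.so/ { next }
        {
            type = $1
            sub(/^-/, "", type)                # "-auth" = skip quietly if module is missing
            if (type == "auth")     a = "y"    # receives the password typed at login
            if (type == "password") p = "y"    # follows password changes
            if (type == "session") {
                s = "y"
                for (i = 2; i <= NF; i++) if ($i == "auto_start") st = "y"
            }
        }
        END { printf "auth=%s session=%s auto_start=%s password=%s\n", a, s, st, p }
    ' "$1"
}

# keyring_pam_report DIR: one line per service file that mentions the module.
keyring_pam_report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q 'pam_gnome_keyring\.so' "$f" || continue
        printf '%s: %s\n' "$(basename "$f")" "$(keyring_pam_status "$f")"
    done
}

# Constructed sample directory standing in for /etc/pam.d.
make_sample_pam_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'auth     required pam_unix.so' \
                  'auth     optional pam_gnome_keyring.so' \
                  'session  optional pam_gnome_keyring.so auto_start' > "$d/login"
    printf '%s\n' 'password optional pam_gnome_keyring.so' > "$d/passwd"
    printf '%s\n' '#auth    optional pam_gnome_keyring.so' > "$d/sshd"
    echo "$d"
}

sample=$(make_sample_pam_dir)
keyring_pam_report "$sample"
rm -rf "$sample"
```

On a real system, run `keyring_pam_report /etc/pam.d`; the script does not follow `include` lines, so check the included files as well. An active auth hook only unlocks the keyring when a password is actually typed at login, which is the gap the first post describes for auto-login.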

#3 2019-09-26 21:01:27

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Auto-login AND auto-unlock gnome keyring: possible?

I don't know of any existing way to do that. You should probably create a custom pam module that initiates the gnome keyring while loading the password from some type of storage.


#4 2019-09-26 21:03:29

sseneca
Member
Registered: 2019-09-26
Posts: 6

Re: Auto-login AND auto-unlock gnome keyring: possible?

I do not use a DM... I've seen that it does seem to be possible with one though. Is there no way to do it without a DM then? That seems... strange.


#5 2019-09-26 21:04:30

sseneca
Member
Registered: 2019-09-26
Posts: 6

Re: Auto-login AND auto-unlock gnome keyring: possible?

progandy wrote:

I don't know of any existing way to do that. You should probably create a custom pam module that initiates the gnome keyring while loading the password from some type of storage.

Thanks for your reply, I'll check out custom pam modules, have never heard about them. Seems like a lot to do for a fairly normal requirement though?


#6 2019-09-26 21:05:03

sseneca
Member
Registered: 2019-09-26
Posts: 6

Re: Auto-login AND auto-unlock gnome keyring: possible?

glitsj16 wrote:

If you use a display-manager like GDM, this should be possible and easy to configure. If memory serves me I think DMs like lightdm and xdm have PAM support too for auto-unlocking the keyring. The GNOME wiki page you referred to mentions checking OS support for it via grep -rq pam_gnome_keyring.so /etc/pam.* && echo "Have PAM Support". Have you tried that yet?

I do not use a DM... I've seen that it does seem to be possible with one though. Is there no way to do it without a DM then? That seems... strange.


#7 2019-09-26 21:13:16

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Auto-login AND auto-unlock gnome keyring: possible?

sseneca wrote:

Thanks for your reply, I'll check out custom pam modules, have never heard about them. Seems like a lot to do for a fairly normal requirement though?

Most people probably use a blank password or don't trust automatic unlock.

Last edited by progandy (2019-09-26 21:13:58)


#8 2019-09-27 15:19:19

sseneca
Member
Registered: 2019-09-26
Posts: 6

Re: Auto-login AND auto-unlock gnome keyring: possible?

progandy wrote:

Most people probably use a blank password or don't trust automatic unlock.

Why wouldn't people trust automatic unlock...? I am assuming you mean they don't trust it to consistently unlock their keyring since I don't understand why people would rather have their keyrings stored unencrypted.

Last edited by sseneca (2019-09-27 15:19:43)


#9 2019-09-27 15:35:34

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: Auto-login AND auto-unlock gnome keyring: possible?

Your approach effectively stores the keys unencrypted - all I have to do is to boot the device. I get logged in and the keyring unlocked w/o ever having to pass any creds.
If the system is operated in a hostile environment (i.e. you cannot rule out unauthorized access be it by your little sister) you better drop the idea altogether. The proper approach is to encrypt the entire system, no PW-less login and no PW-less key access either.
If it's not (because it's stationary in your home and you got a really intimidating dog) there's no reason to encrypt the keyring, since it would not provide any benefit if it's auto-decrypted anyway…
Therefore I'll also challenge your claim of "a fairly normal requirement" - it's not.


#10 2019-09-27 15:45:51

Swiggles
Member
Registered: 2014-08-02
Posts: 266

Re: Auto-login AND auto-unlock gnome keyring: possible?

If you have a TPM device and properly set up secure boot you can actually safely reverse this approach. Decrypt the machine on boot by the TPM device, but log in normally.


#11 2019-09-27 19:06:36

sseneca
Member
Registered: 2019-09-26
Posts: 6

Re: Auto-login AND auto-unlock gnome keyring: possible?

seth wrote:

Your approach effectively stores the keys unencrypted - all I have to do is to boot the device. I get logged in and the keyring unlocked w/o ever having to pass any creds.
If the system is operated in a hostile environment (i.e. you cannot rule out unauthorized access be it by your little sister) you better drop the idea altogether. The proper approach is to encrypt the entire system, no PW-less login and no PW-less key access either.
If it's not (because it's stationary in your home and you got a really intimidating dog) there's no reason to encrypt the keyring, since it would not provide any benefit if it's auto-decrypted anyway…
Therefore I'll also challenge your claim of "a fairly normal requirement" - it's not.

Maybe you didn't see this in the OP: "Context is that since I've set up full disk encryption on my machine I'd like to type only one password in to decrypt the drive and that be it."

So what I'd like is:

Boot machine -> type master LUKS password -> machine boots, logs in as $user, unlocks keyring.

Surely that's safe? I guess it introduces one point of failure, i.e. if the master password is compromised everything's lost. But I can't think of anything else.


#12 2019-09-27 20:12:14

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: Auto-login AND auto-unlock gnome keyring: possible?

No, I hooked into this rather late and did indeed not read the full thread, sorry.

If however the machine is fully encrypted and you want a single sign-in at boot, there's no point in encrypting the keyring on top of that, because the system is protected before and effectively open after the only sign-in.
