You are not logged in.

Pages: 1

#1 2025-06-24 18:44:59

sebastian-65
Member
Registered: 2021-11-08
Posts: 38

gnome-keyring auto-unlocking stopped working (Xfce, SDDM autologin)

- Keyring used to get unlocked during autologin just fine (unfortunately more then a month ago)
- I believe PAM should be handling it alone (no conflicting services / workarounds should be in place)
- Keyring password is matching login one, I'm able to unlock keyring manually
- Absolutely clueless after hours debugging and god knows how many reboots

cat /etc/pam.d/system-auth

#%PAM-1.0

auth       required                    pam_faillock.so      preauth
auth       [success=2 default=ignore]  pam_systemd_home.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
auth       optional                    pam_gnome_keyring.so

account    [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

password   [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so
password   optional                    pam_gnome_keyring.so use_authtok

session    optional                    pam_systemd_home.so
session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so
session    optional                    pam_gnome_keyring.so auto_start

cat /etc/pam.d/sddm-autologin

#%PAM-1.0
auth        required    pam_env.so
auth        required    pam_faillock.so preauth
auth        required    pam_shells.so
auth        required    pam_nologin.so
auth        required    pam_permit.so
auth        optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so
account     include     system-local-login
password    include     system-local-login
password    optional    pam_gnome_keyring.so    use_authtok
session     include     system-local-login
session     optional    pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet5.so auto_start

sudo journalctl -b | grep -i pam | tail -40

Jun 24 17:36:03 nuvo sddm-helper[855]: gkr-pam: gnome-keyring-daemon started properly
Jun 24 17:36:03 nuvo (systemd)[866]: pam_warn(systemd-user:setcred): function=[pam_sm_setcr
ed] flags=0x8002 service=[systemd-user] terminal=[] user=[sebastian] ruser=[<unknown>] rhos
t=[<unknown>]
Jun 24 17:36:03 nuvo (systemd)[866]: pam_unix(systemd-user:session): session opened for use
r sebastian(uid=1000) by sebastian(uid=0)
Jun 24 17:36:03 nuvo (systemd)[866]: gkr-pam: unable to locate daemon control file
Jun 24 17:36:03 nuvo (systemd)[866]: gkr-pam: gnome-keyring-daemon started properly
Jun 24 17:36:03 nuvo sddm-helper[855]: gkr-pam: couldn't unlock the login keyring.
Jun 24 17:36:06 nuvo sudo[1154]: pam_unix(sudo:session): session opened for user root(uid=0
) by sebastian(uid=1000)
Jun 24 17:36:06 nuvo sudo[1154]: gkr-pam: couldn't unlock the login keyring.
Jun 24 17:36:06 nuvo sudo[1154]: pam_unix(sudo:session): session closed for user root
Jun 24 17:36:06 nuvo sudo[1270]: pam_unix(sudo:session): session opened for user root(uid=0
) by sebastian(uid=1000)
Jun 24 17:36:06 nuvo sudo[1270]: gkr-pam: couldn't unlock the login keyring.
Jun 24 17:36:06 nuvo sudo[1270]: pam_unix(sudo:session): session closed for user root
Jun 24 17:36:06 nuvo sudo[1281]: pam_unix(sudo:session): session opened for user root(uid=0
) by sebastian(uid=1000)
...repeated many times...

Jun 24 17:39:46 nuvo sudo[3332]: gkr-pam: couldn't unlock the login keyring.

~/.config/autostart$ grep -r . *

gnome-keyring-autologin.desktop:[Desktop Entry]
gnome-keyring-autologin.desktop:Type=Application
gnome-keyring-autologin.desktop:Name=GNOME Keyring Autologin
gnome-keyring-autologin.desktop:Comment=Handle GNOME Keyring for autologin sessions
gnome-keyring-autologin.desktop:Exec=sh -c 'if [ -n "$DESKTOP_SESSION" ]; then eval $(gnome-keyring-daemon --start --components=pkcs11,secrets,ssh) && export GNOME_KEYRING_CONTROL && export SSH_AUTH_SOCK; fi'
gnome-keyring-autologin.desktop:NoDisplay=true
gnome-keyring-autologin.desktop:X-GNOME-Autostart-Phase=PreDisplayServer
gnome-keyring-env.desktop:[Desktop Entry]
gnome-keyring-env.desktop:Type=Application
gnome-keyring-env.desktop:Name=GNOME Keyring Environment
gnome-keyring-env.desktop:Comment=Set up GNOME Keyring environment variables
gnome-keyring-env.desktop:Exec=sh -c 'export GNOME_KEYRING_CONTROL=/run/user/1000/keyring && export SSH_AUTH_SOCK=/run/user/1000/keyring/ssh'
gnome-keyring-env.desktop:NoDisplay=true
gnome-keyring-env.desktop:X-GNOME-Autostart-Phase=PreDisplayServer
gnome-keyring-pkcs11.desktop:[Desktop Entry]
gnome-keyring-pkcs11.desktop:Type=Application
gnome-keyring-pkcs11.desktop:Name=Certificate and Key Storage
gnome-keyring-pkcs11.desktop:Comment=GNOME Keyring: Certificate and Key Storage
gnome-keyring-pkcs11.desktop:Exec=/usr/bin/gnome-keyring-daemon --start --components=pkcs11
gnome-keyring-pkcs11.desktop:NoDisplay=true
gnome-keyring-pkcs11.desktop:X-GNOME-Autostart-Phase=PreDisplayServer
gnome-keyring-pkcs11.desktop:X-GNOME-AutoRestart=false
gnome-keyring-pkcs11.desktop:X-GNOME-Autostart-Notify=true
gnome-keyring-secrets.desktop:[Desktop Entry]
gnome-keyring-secrets.desktop:Type=Application
gnome-keyring-secrets.desktop:Name=Secret Storage Service
gnome-keyring-secrets.desktop:Comment=GNOME Keyring: Secret Service
gnome-keyring-secrets.desktop:Exec=/usr/bin/gnome-keyring-daemon --start --components=secrets
gnome-keyring-secrets.desktop:NoDisplay=true
gnome-keyring-secrets.desktop:X-GNOME-Autostart-Phase=PreDisplayServer
gnome-keyring-secrets.desktop:X-GNOME-AutoRestart=false
gnome-keyring-secrets.desktop:X-GNOME-Autostart-Notify=true
gnome-keyring-start.desktop:[Desktop Entry]
gnome-keyring-start.desktop:Type=Application
gnome-keyring-start.desktop:Name=GNOME Keyring Daemon
gnome-keyring-start.desktop:Comment=Start GNOME Keyring daemon for XFCE
gnome-keyring-start.desktop:Exec=sh -c 'eval $(gnome-keyring-daemon --start --components=pkcs11,secrets) && export GNOME_KEYRING_CONTROL && export SSH_AUTH_SOCK'
gnome-keyring-start.desktop:NoDisplay=true
gnome-keyring-start.desktop:X-GNOME-Autostart-Phase=PreDisplayServer
gnome-keyring-unlock.desktop:[Desktop Entry]
gnome-keyring-unlock.desktop:Type=Application
gnome-keyring-unlock.desktop:Name=GNOME Keyring Unlock
gnome-keyring-unlock.desktop:Comment=Unlock GNOME Keyring with login password
gnome-keyring-unlock.desktop:Exec=sh -c 'echo "$(logname)" | gnome-keyring-daemon --unlock'
gnome-keyring-unlock.desktop:NoDisplay=true
gnome-keyring-unlock.desktop:X-GNOME-Autostart-Phase=Application

sudo journalctl -u sddm --since "50 minutes ago" | grep -i keyring

Jun 24 19:51:37 nuvo gnome-keyring-daemon[917]: asked to register item /org/freedesktop/secrets/collection/login/1, but it's already registered

env | grep -E "(GNOME_KEYRING|SSH_AUTH_SOCK)"

GNOME_KEYRING_CONTROL=/home/sebastian/.cache/keyring-S7DS82

ps aux | grep gnome-keyring | grep -v grep

sebasti+ 917 0.0 0.0 395184 5020 ? SLl 19:31 0:00 /usr/bin/gnome-keyring-daemon --daemonize --login

cat /etc/pam.d/login

#%PAM-1.0

auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so auto_start
password   include      system-local-login

cat /etc/pam.d/system-login

#%PAM-1.0

auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so
session    optional   pam_mail.so          dir=/var/spool/mail nopen
session    optional   pam_umask.so
-session   optional   pam_systemd.so
session    required   pam_env.so

cat /etc/pam.d/sddm

#%PAM-1.0

auth        include     system-login
auth        optional    pam_gnome_keyring.so

account     include     system-login

password    include     system-login
password    optional    pam_gnome_keyring.so    use_authtok

session     optional    pam_keyinit.so          force revoke
session     include     system-login
session     optional    pam_gnome_keyring.so    auto_start

cat /etc/pam.d/sddm-greeter

#%PAM-1.0

# Load environment from /etc/environment and ~/.pam_environment
auth            required pam_env.so

# Always let the greeter start without authentication
auth            required pam_permit.so

# No action required for account management
account         required pam_permit.so

# Can't change password
password        required pam_deny.so

# Setup session
session         required pam_unix.so
session         optional pam_systemd.so

Last edited by sebastian-65 (2025-06-24 19:08:22)

I'm not the sharpest tool in the shed. Say it to me like I'm 5, please!

Arch Linux | ZFS | systemd | Xfce/X11/SDDM | ASUS S435 | Intel CPU 11th gen | Intel TigerLake-LP GT2 | 16GB RAM

Offline

Pages: 1

Board footer

Powered by FluxBB