I have my system set up to autologin into tty1 and start sway. I use full disk encryption, and entering the password again for login on a single-user system appears redundant.
When I start e.g. evolution I get a prompt to enter the keyring password, which is identical to the user password. I read through the wiki and tried out some things with the aim of unlocking it automatically, with no success so far. When I used gdm it used to work with my ~/.config/sway/config, my ~/.bash_profile, and my ~/.config/environment.d/envvars.conf.
#
# ~/.bash_profile
#
[[ -f ~/.bashrc ]] && . ~/.bashrc
export $(/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator)

envvars.conf
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
MOZ_ENABLE_WAYLAND=1
QT_QPA_PLATFORM=wayland
QT_WAYLAND_FORCE_DPI=96
QT_WAYLAND_DISABLE_WINDOWDECORATION=1
QT_QPA_PLATFORMTHEME=qt5ct
_JAVA_AWT_WM_NONREPARENTING=1
PATH=$HOME/.local/bin:$PATH
EDITOR=nvim
VISUAL=nvim

Lines in sway/config:
exec eval $(gnome-keyring-daemon --start)

In order to change to automatic login, I disabled gdm, created a drop-in module for agetty and edited ~/.bash_profile.
`cat /etc/systemd/system/getty@tty1.service.d/autologin.conf `
[Service]
ExecStart=
ExecStart=-/sbin/agetty -o '-p -f -- \\u' --noclear --skip-login --noissue --autologin jacob %I $TERM

#
# ~/.bash_profile
#
[[ -f ~/.bashrc ]] && . ~/.bashrc
export $(/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator)
[ "$(tty)" = "/dev/tty1" ] && exec sway

I tried adding the export of SSH_AUTH_SOCK and/or `exec eval $(dbus-update-activation-environment DISPLAY XAUTHORITY WAYLAND_DISPLAY)` `exec eval $(dbus-update-activation-environment --all)`, with the only effect that I was losing the prompt, but no unlock happening.
I read in the wiki about the PAM method for automatic console login and changed `/etc/pam.d/login` accordingly, but with no noticeable effect.
I wonder if all the suggestions in the wiki are there to reach what I already had, which is getting a prompt to enter keyring password or if I am missing something out and automatic unlock is possible.
I know that there is an option to pass the password to `gnome-keyring-daemon --start`, but then I would need to store my user login password in my config file which I don't want.
Last edited by Simaryp (2023-01-11 07:58:51)
Offline
You can't fix this with autologin. Your options are an empty gnome-keyring password which makes it moot or a login providing your password via pam (which you're avoiding with the autologin) - or providing it to applications when they need it.
Last edited by V1del (2023-01-11 08:35:00)
Online
Hmm, okay.
If I would make use of greetd with agreeter and auto login, would that work?
Regarding the empty password: it feels bad at first glance, but is it in a full disk encryption setup? If I have the keyring encrypted with a password and unlocked, is this different from having it unencrypted? There is no other user set up, and if the device is powered off it's decrypted.
Edit: A really strange thing. I can remove the keyring-related lines from envvars.conf and sway/config and still be prompted for the right keyring when starting evolution. I can also see in journalctl that some other thing starts the keyring.
But without my config it's not available in the terminal, e.g. for ssh unlock.
With the config I will be prompted to unlock the keyring if I need to unlock ssh keys. But in the popup I can't enter it. The password is not accepted. If I unlock it via opening evolution, I have it unlocked and can use it in the terminal too. That is somewhat cumbersome. I tried out a different keyboard layout too.
Last edited by Simaryp (2023-01-11 12:26:24)
Offline
It doesn't matter which greeter you use. Since you are not providing a password to PAM (which is what does the actual login and relevant verification; everything uses that), which is what would be used to unlock the keyring, you will invariably have to be asked for the password by some other means. The password protection of the keyring is mostly relevant during runtime, i.e. in the case that your disk encryption is unlocked anyway. If you have an empty keyring password, there's nothing stopping a rogue application from asking for the details in your keyring and it will simply get everything that's stored there (you might get a prompt when an application first wants access even if it would access an already open keyring, but not sure what gnome-keyring does here). To be actually more properly secure here you'd also configure a delay with which the keyring is closed again so you'd get reprompted if something asks for it again after a specific time.
Regarding the environment questions. This is not at all strange, evolution is hard linked to - and will ask for the gnome-keyring regardless. The environment variables are for telling an ssh-agent (which technically has support for other means of authentication) that your preferred method is the gnome-keyring. As for why the popup doesn't work not sure, might be a wayland specifica
Last edited by V1del (2023-01-11 13:48:57)
Online
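The point made in the reply above, as an added example that is not part of the thread: the keyring can only be unlocked at login if pam_gnome_keyring is in the PAM stack and a typed password actually reaches PAM, which an agetty `--autologin` drop-in prevents. The function names, verdict labels and file contents are constructed for illustration; the two pam_gnome_keyring.so lines follow the wiki's PAM method.

```shell
# Added example (not from the thread): does a login password ever reach
# pam_gnome_keyring? All file contents below are constructed samples.

# True if FILE has an uncommented pam_gnome_keyring.so line of the given TYPE.
has_keyring_line() {  # FILE TYPE
    grep -Eq "^[[:space:]]*-?$2[[:space:]]+.*pam_gnome_keyring\.so" "$1"
}

# True if the effective (last) ExecStart= of a getty drop-in uses --autologin.
uses_autologin() {  # DROPIN
    grep -E '^ExecStart=' "$1" | tail -n 1 | grep -q -e '--autologin'
}

# Prints one of: no-pam-hook | prompt-later | unlock-at-login
keyring_verdict() {  # PAM_FILE DROPIN
    if ! has_keyring_line "$1" auth || ! has_keyring_line "$1" session; then
        echo no-pam-hook        # module is not in the stack at all
    elif [ -f "$2" ] && uses_autologin "$2"; then
        echo prompt-later       # no password is given to PAM, keyring stays locked
    else
        echo unlock-at-login    # typed password is handed on to the keyring
    fi
}

# Constructed sample files, written to a scratch directory.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/login.with-hook" <<'EOF'
#%PAM-1.0
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
session    include      system-local-login
session    optional     pam_gnome_keyring.so auto_start
EOF
grep -v gnome_keyring "$SAMPLES/login.with-hook" > "$SAMPLES/login.plain"
cat > "$SAMPLES/autologin.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=-/sbin/agetty --noclear --autologin exampleuser %I $TERM
EOF

for pam in login.plain login.with-hook; do
    for dropin in /nonexistent "$SAMPLES/autologin.conf"; do
        printf '%-16s %-14s -> %s\n' "$pam" "$(basename "$dropin")" \
            "$(keyring_verdict "$SAMPLES/$pam" "$dropin")"
    done
done
```

On a real system the arguments would be `/etc/pam.d/login` and the getty@tty1 drop-in shown in the first post.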
I understand.
I read that gdm has support to unlock the keyring with the password entry from luks decryption if it's identical to keyring password. Is this some complicated stuff or in the end something like a small one shot service that one could write independently?
Offline
I got the hint that I need to add a certain PAM module that reads out the kernel keyring and use that to unlock the keyring.
https://www.reddit.com/r/gnome/comments … are_button
It might be that systemd as init is needed to store the luks phrase in there.
Would be really cool if that would work.
Offline
I stumbled over this solution https://wiki.archlinux.org/title/Pam_autologin
That might be easier, but it seems it doesn't work as I hoped.
It logs me in automatically too. But the gnome-keyring still stays locked.
Offline
I set up my system now to use systemd for initramfs. I enabled gdm for a test and configured the autologin. Indeed it works as expected. I enter my luks password and my user is logged in and the keyring unlocked.
I wonder now how I can make use of pam_gdm.so without gdm.
My rough understanding is the following. I need to get at least the line from gdm_autologin somewhere else. But I am unsure which file and what else needs to be done.
Offline