Bug 186189 - create a PAM policy for pam_keyring
Summary: create a PAM policy for pam_keyring
Status: RESOLVED FIXED
Duplicates: 168559 174720 215595
Alias: None
Product: openSUSE 10.3
Classification: openSUSE
Component: GNOME
Version: unspecified
Hardware: All Linux
Priority: P5 - None; Severity: Normal
Target Milestone: ---
Assignee: Chris Rivera
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 192400
Reported: 2006-06-19 13:03 UTC by Stanislav Brabec
Modified: 2007-09-18 17:29 UTC

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Stanislav Brabec 2006-06-19 13:03:15 UTC
There is a new package - pam_keyring.

We need to decide how to integrate the required PAM configuration change into /etc/pam.d:
  * Using %post, %postun, %triggerin in the package.
  * Using YaST
  * Add it to the default of gdm (probably not possible for gdm-autologin).
  * Add it to the default of all DM PAM configs.
  * Create new common-xsession module and include it, where appropriate.

All solutions have a problem: how to avoid starting it in KDE sessions.

Reference: Feature 300590
Comment 1 Stanislav Brabec 2006-09-01 11:52:33 UTC
Lines to be added:

auth optional pam_keyring.so try_first_pass
session optional pam_keyring.so

But we should do this only if a GNOME session is selected (or improve pam_keyring.so to ask only for a GNOME session).
Comment 2 JP Rosevear 2006-10-26 14:03:13 UTC
We actually have separate pam configs for gdm and gnome-screensaver now, wouldn't this make it gnome specific?
Comment 3 Stanislav Brabec 2006-10-26 14:28:17 UTC
There is a different problem:

It would be ideal to start the GNOME keyring daemon in a GNOME session, not depending on the display manager, and not start it in other session types, even if we are using gdm.

I don't know whether there is a simple way to implement it.

pam_keyring is not intended for screensaver (maybe only if GNOME keyring will implement timed/idle key forgetting).
Comment 4 Stanislav Brabec 2006-10-31 18:18:27 UTC
In 10.2, pam_keyring is not in the default installation. As a temporary solution, I am adding scriptlets, which add required lines to /etc/pam.d/gdm. It works well, but only in gdm and starts gnome-keyring for all session types.
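Added example, not part of the original comments and not the scriptlet shipped in the openSUSE package: one way the scriptlets mentioned in Comment 4 could add and remove the two lines from Comment 1 idempotently. The function names are hypothetical, and the demo runs on a constructed sample file rather than the real /etc/pam.d/gdm.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# The two PAM lines are the ones quoted in Comment 1.
AUTH_LINE='auth optional pam_keyring.so try_first_pass'
SESSION_LINE='session optional pam_keyring.so'

# True if FILE ($1) has an active (uncommented) pam_keyring.so entry of TYPE ($2).
has_entry() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+.*pam_keyring\.so" "$1"
}

# Number of active pam_keyring.so entries in FILE ($1).
count_entries() {
    grep -Ec '^[[:space:]]*(auth|session)[[:space:]]+.*pam_keyring\.so' "$1" || true
}

# What a %post scriptlet would do: append only the lines that are missing,
# so a reinstall or upgrade never duplicates them.
pam_keyring_add() {
    [ -f "$1" ] || return 1
    # Guard against a file whose last line lacks a trailing newline.
    if [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
    has_entry "$1" auth    || printf '%s\n' "$AUTH_LINE" >> "$1"
    has_entry "$1" session || printf '%s\n' "$SESSION_LINE" >> "$1"
}

# What a %postun scriptlet would do: delete the active entries, keep the rest.
pam_keyring_remove() {
    [ -f "$1" ] || return 1
    tmp=$(mktemp) || return 1
    sed -E '/^[[:space:]]*(auth|session)[[:space:]]+.*pam_keyring\.so/d' "$1" > "$tmp"
    cat "$tmp" > "$1"    # rewrite in place: keeps owner, mode and inode
    rm -f "$tmp"
}

# Demo on a constructed sample file with no trailing newline and one
# commented-out entry. Prints: after-add after-second-add after-remove lines-left
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '#%PAM-1.0' 'auth include common-auth' \
        '#auth optional pam_keyring.so' > "$f"
    printf '%s' 'session include common-session' >> "$f"
    pam_keyring_add "$f";    a=$(count_entries "$f")
    pam_keyring_add "$f";    b=$(count_entries "$f")
    pam_keyring_remove "$f"; c=$(count_entries "$f")
    n=$(grep -c '' "$f"); rm -f "$f"
    echo "$a $b $c $n"
}
demo    # prints: 2 2 0 4
```

As Comment 4 notes, lines added to /etc/pam.d/gdm this way apply to every session type started from gdm, not only GNOME sessions.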
Comment 5 Andreas Hanke 2006-11-24 16:11:33 UTC
*** Bug 215595 has been marked as a duplicate of this bug. ***
Comment 6 Stanislav Brabec 2006-11-24 16:19:43 UTC
Launch policy problems topic presented in GNOME desktop-devel-list:
http://mail.gnome.org/archives/desktop-devel-list/2006-November/msg00146.html
Comment 7 JP Rosevear 2007-02-09 21:31:06 UTC
*** Bug 174720 has been marked as a duplicate of this bug. ***
Comment 8 JP Rosevear 2007-02-14 21:46:56 UTC
*** Bug 168559 has been marked as a duplicate of this bug. ***
Comment 9 JP Rosevear 2007-08-02 21:50:11 UTC
Time to resurrect this issue upstream with the inclusion of a pam module in gnome-keyring proper.
Comment 10 Stanislav Brabec 2007-08-03 10:11:26 UTC
Maybe writing a desktop-neutral backend would be a clean solution - both kwallet and gnome-keyring might use it and the session would unlock this one.
Comment 11 JP Rosevear 2007-08-03 12:40:57 UTC
That could be longer term, but right now we could use DESKTOP_SESSION or something similar to detect a gnome session or not.  This is a major usability issue, so I think really trying to have this in 10.3 is important.
Comment 12 Magnus Boman 2007-09-17 22:22:36 UTC
Ping...
Comment 13 Chris Rivera 2007-09-18 17:29:26 UTC
I checked in a patch to gnome-keyring that should avoid auto starting the daemon in KDE.