LinuxQuestions.org


vtel57 05-20-2016 03:28 PM

Initializing VPN in networkmanager Cause Request for Default Keyring Passphrase
 
Greetings, Slackers!

I have an annoying issue that I've tried numerous solutions to resolve and still can't seem to beat it down. Maybe someone here can help me?

I just signed on to a vpn service last night. I manually set up networkmanager using one of the provider's downloadable .ovpn files. All went well. I'm scooting along happily in my vpn tunnel.

Here's the problem, though...

Networkmanager will not save the password for the vpn. It keeps asking me for the keyring default passphrase. I have no clue what that might be. I've tried my login password, my root password, my default gpg password, etc. It's evidently not what the popup is asking for.

My question is this: how can I get nm to remember the damned vpn passwords so I won't have to enter them each time? And, how do I get this damned keyring default passphrase request to stop popping up... or how can I set the passphrase?

Thanks!

~Eric

ferrari 05-20-2016 07:04 PM

I'm not a Gnome desktop user, but if you edit your VPN connection so that it is configured as 'Available to all users' (ie system connection), then it should store the authentication credential in the configuration file, rather than using the Gnome Keyring. It is similar for KDE, where KWallet is used for user-specific connections. BTW, this applies to all connection types where authentication is required.
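Whether a saved connection really keeps its password in the configuration file or still hands it to the keyring is recorded per secret in the connection's keyfile. The following check is an added example, not part of the thread: it reads a keyfile and reports where each VPN secret lives, using NetworkManager's secret flags (0 = stored by NetworkManager in the file, 1 = owned by a secret agent such as the keyring, 2 = not saved). The sample keyfiles, user name and password value are constructed.

```python
import configparser

# Constructed sample keyfiles, laid out like the files under
# /etc/NetworkManager/system-connections/; names and values are made up.
_BASE = """[connection]
id=example-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=password
username=exampleuser
"""
AGENT_OWNED = _BASE + "password-flags=1\n"
SYSTEM_STORED = _BASE + "password-flags=0\n\n[vpn-secrets]\npassword=constructed-secret\n"

def audit_keyfile(text, mode=0o600, uid=0):
    """Return ({secret: storage}, [warnings]) for one keyfile's VPN secrets."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                     # keyfile keys are case-sensitive
    cp.read_string(text)
    vpn = dict(cp["vpn"]) if cp.has_section("vpn") else {}
    saved = dict(cp["vpn-secrets"]) if cp.has_section("vpn-secrets") else {}
    storage, warnings = {}, []
    for key, value in vpn.items():
        if key.endswith("-flags"):           # e.g. password-flags, cert-pass-flags
            flags = int(value)
            storage[key[:-len("-flags")]] = ("not-saved" if flags & 2 else
                                             "agent-owned" if flags & 1 else
                                             "system-stored")
    for name in saved:                       # a missing flags key means 0
        storage.setdefault(name, "system-stored")
    for name, where in storage.items():
        if where == "agent-owned":
            warnings.append(f"{name}: held by a secret agent, expect a keyring prompt")
        elif where == "system-stored" and name not in saved:
            warnings.append(f"{name}: flagged system-stored but no value in the file")
    if saved and (mode & 0o077 or uid != 0):
        warnings.append("plaintext secrets in a file readable beyond root")
    return storage, warnings

if __name__ == "__main__":
    for label, sample in (("agent-owned", AGENT_OWNED), ("system-stored", SYSTEM_STORED)):
        print(label, audit_keyfile(sample))
```

A system-stored password sits in the keyfile in plaintext, so the file's owner and mode (passed here as `uid` and `mode`, for example from `os.stat`) are the only protection it has.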

vtel57 05-20-2016 09:29 PM

Hi, ferrari!

I don't run Gnome either. I'm running Xfce4 in Slackware64 14.1. The Gnome gpg tools seem to be a native part of Slackware. I've always used them for the past decade or so. Even with the Gnome daemon not running, networkmanager still wants that default keyring opened so it can save the vpn password. And yes, I've already checked "available for all users." Didn't make any difference. Strange, huh?

I've never had an issue like this with Slack in all the years I've been using it. It's weird. I always thought the keyring was unlocked once you logged in with your username in Slack. I've always used the gpa graphic frontend to store and manipulate my keys. I've also used Gnome Privacy Guard (gpg) to encrypt files and emails (via enigmail on Thunderbird) on my system.

Well, thanks for the quick reply and the suggestions. I guess I'll just keep tinkering till I blow something up. ;)

Cheers,

~Eric

ferrari 05-21-2016 12:35 AM

Well, the Gnome NM front-end just uses the Gnome Keyring by default (regardless of DE), but this is used for user-defined connections. System-wide connections are those that need to be accessible before any desktop session is active (so no password manager yet running), and can be set up for all users to access.

Did you log out and back in before trying this? Try recreating the connection and then restart the DE. Start the VPN connection. Any difference?

Didier Spaier 05-21-2016 12:40 AM

I don't think that is related to VPN, Eric, more to the link between NM and the Gnome keyring somehow.

I say that because I observed a similar behavior (admittedly on Slint-pre14.2 but I don't think that can make a difference) not using a VPN but just setting a wireless connection in XFCE to a network with a WEP key.

Wanting to use nm-applet to set up the connection I was "greeted" by the keyring dialog asking to set a password. I didn't know what to do so just provided one.

It seems that when it's done you have to use it even with other WM like Fluxbox: you need to enter the password every time you open a session, to be able to get a connection, maybe depending on your settings.

There may be a way to set this thing in such a way to avoid that, or completely disable the keyring. I will have to investigate as I am a complete newbie in that matter.

Of course a practical and comprehensive how-to on that topic provided on SlackDocs would help a lot.

Anyone?

CTM 05-21-2016 07:08 AM

Quote:

Originally Posted by Didier Spaier (Post 5548574)
It seems that when it's done you have to use it even with other WM like Fluxbox: you need to enter the password every time you open a session, to be able to get a connection, maybe depending on your settings.

There may be a way to set this thing in such a way to avoid that,

There is, but mentioning it in this forum is likely to trigger a civil war so gruesome it'll make 1642-1651 look like a pleasant day out in the park. ;)

For what it's worth, I've been using this setup for the best part of ten years, and it works well.

Didier Spaier 05-21-2016 07:21 AM

Thanks for the info CTM. Maybe there is another way, that does not need a change unlikely to occur so close to the release of Slackware 14.2?

Anyway I feel guilty not to have done my homework. I will investigate after my afternoon walk.

CTM 05-21-2016 09:34 AM

Quote:

Originally Posted by Didier Spaier (Post 5548658)
Maybe there is another way, that does not need a change unlikely to occur so close to the release of Slackware 14.2?

A Gnome keyring requires a passphrase to unlock, and the unmentionable solution I linked to can be used to automatically pass a user's login password through to the gnome-keyring daemon so it can unlock the "login" keyring when the user logs in via a display manager. Of course, this requires that the login password and "login" keyring passphrase are the same. The only other way I can see this working is if a patch is written for XDM and/or KDM that starts gnome-keyring and sends the daemon a command to unlock the "login" keyring whenever a user logs in, at which point you've essentially reimplemented The Unspeakable, but in a less configurable and reusable way.

vtel57 05-21-2016 05:51 PM

Quote:

Originally Posted by ferrari (Post 5548572)

Did you log out and back in before trying this? Try recreating the connection and then restart the DE. Start the VPN connection. Any difference?

Tried all of that, but no joy. :(

vtel57 05-21-2016 05:56 PM

Quote:

Originally Posted by Didier Spaier (Post 5548574)
Of course a practical and comprehensive how-to on that topic provided on SlackDocs would help a lot.

Anyone?

HA-HA! Yes, most definitely.

And yes, you are correct, I believe, that it is not a VPN issue. It's the NM asking for permission to unlock the default keyring so it can encrypt the VPN password for storage purposes (the SAVE option in NM). This is what I'm trying to do so that the NM will start up prior to the DE with my VPN running already.

I'm thinking of going back to Wicd. I used it primarily for many years. I can't really remember why I changed over to Network Manager.

Well, I'll keep tinkering...

Thanks! :)

vtel57 05-21-2016 05:58 PM

Quote:

Originally Posted by CTM (Post 5548654)
There is, but mentioning it in this forum is likely to trigger a civil war so gruesome it'll make 1642-1651 look like a pleasant day out in the park. ;)

For what it's worth, I've been using this setup for the best part of ten years, and it works well.

PAM is a fine suggestion. No need for blood and guts because of a mention of that, as far as I'm concerned. I do NOT currently have PAM active/setup on my system, so it's something to consider.

Thanks, CTM. :)

vtel57 05-21-2016 06:35 PM

Ah... never mind about Wicd. No VPN support.

https://answers.launchpad.net/wicd/+faq/1867

Oh, well. :(

CTM 05-21-2016 07:38 PM

Quote:

Originally Posted by vtel57 (Post 5548936)
PAM is a fine suggestion. No need for blood and guts because of a mention of that, as far as I'm concerned.

No, no! You didn't say it! He didn't say it! He didn't say it!

(It works well for this, and there's minimal intrusion on the stock packages: you'll need to get PAM from somewhere (vbatts maintains a good SlackBuild), then you'll need to recompile shadow, gnome-keyring and your display manager of choice with PAM support and configure PAM to unlock your "login" keyring when you log in by adding the appropriate lines to the /etc/pam.d/ configuration files.)
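The post above leaves "the appropriate lines" unstated. As an added example that is not part of the thread: the lines conventionally used with gnome-keyring's PAM module are a `pam_gnome_keyring.so` rule in the auth stack and one in the session stack with `auto_start`, shown here in a constructed service file together with a check that both are present. Which file under /etc/pam.d/ applies depends on the display manager, and the `pam_unix.so` lines are placeholders for the existing stack.

```python
# Constructed service file of the kind found under /etc/pam.d/; the
# pam_unix.so lines stand in for whatever the existing stack contains.
SAMPLE_PAM = """\
#%PAM-1.0
auth      required  pam_unix.so
auth      optional  pam_gnome_keyring.so
account   required  pam_unix.so
password  required  pam_unix.so
session   required  pam_unix.so
session   optional  pam_gnome_keyring.so auto_start
"""

MODULE = "pam_gnome_keyring.so"

def parse_pam(text):
    """Return [(type, control, module, args)] for each rule in a PAM file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        fields = line.split(None, 1)
        if len(fields) < 2 or line.startswith("@"):  # blank, malformed, @include
            continue
        kind, rest = fields[0].lstrip("-"), fields[1]
        if rest.startswith("["):                     # [value=action ...] control
            control, _, rest = rest.partition("]")
            control += "]"
        else:
            parts = rest.split(None, 1)
            control, rest = parts[0], parts[1] if len(parts) > 1 else ""
        module = rest.split()
        if module:
            rules.append((kind, control, module[0], module[1:]))
    return rules

def check_keyring_unlock(text):
    """List what is missing for the "login" keyring to be unlocked at login."""
    hits = [r for r in parse_pam(text) if r[2].endswith(MODULE)]
    problems = []
    if not any(kind == "auth" for kind, *_ in hits):
        problems.append("no auth rule: the login password never reaches the keyring")
    if not any(kind == "session" and "auto_start" in args for kind, _, _, args in hits):
        problems.append("no session rule with auto_start: PAM does not start the daemon")
    for kind, control, _, _ in hits:
        if control in ("required", "requisite"):
            problems.append(f"{kind} rule is {control}: a keyring failure would fail the login")
    return problems

if __name__ == "__main__":
    print(check_keyring_unlock(SAMPLE_PAM) or "keyring unlock rules present")
```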

vtel57 05-21-2016 09:33 PM

No. No. You misread. I said HAM. I like HAM. HAM is tasty. ;)

Didier Spaier 05-22-2016 05:31 AM

Solved (I think).
 
Visited ArchLinux, built and installed Seahorse (latest version: 3.20.0), ran seahorse as didier, followed the instructions to blank the password found on ArchLinux, now the Gnome keyring is out of my way.

Caveat emptor:
  • I didn't test on genuine Slackware. However I would be very surprised if it wouldn't work there (no dependency beyond a full Slackware-current).
  • I do not advise anyone to blank the master password as I did. Everyone is responsible for the security of one's system.
I will request that seahorse be shipped in Slackware and if it is not, will include a package for it in Slint.


All times are GMT -5.