Quote:
Haven't considered uninstalling the Gnome Keyring packages yet, fearing I might break something; I need to check all the dependencies first, but I only wanted to disable it. Good to know that I could use "-" for when I uninstall and blacklist those packages. Hope these will become optional, as I suggested in the Requests for -current thread.

Actually, commenting the lines with "-", in case the libs are still available, won't disable Gnome Keyring.

- commented with "-":
Code:
# grep gnome /etc/pam.d/system-auth
Code:
# grep gnome /etc/pam.d/system-auth
There is an option to control when gnome_keyring_daemon is started in PAM.
I added an "only_if" option in /etc/pam.d/system-auth:
Code:
$ cat system-auth | grep pam_gnome_keyring
Also, kill any existing gnome keyring daemon currently running before starting sshd or su, to confirm that the daemon is not started with the new PAM option.
Code:
$ ps aux | grep gnome-keyring
Code:
$ tail /var/log/secure
@gegechris99
I looked over all those options and implementation methods in my extended analysis, starting with post #13, and learned that some other distros enable it only under X, in xinitrc, like: https://wiki.archlinux.org/index.php...xinitrc_method
I still failed to understand how/why D-Bus is launching it instead of only "hooking" to it as an already running process (no doc found; I mentioned that in my previous posts). I'm referring to: /usr/share/dbus-1/services/org.gnome.keyring.service
I also observed (ps ax output) that it's launched with the "--login" option and didn't understand how it's supposed to open the "login vault". Available doc states: https://wiki.gnome.org/Projects/Gnom.../RunningDaemon
https://wiki.gnome.org/Projects/Gnom...g/Architecture
I'm happy with it as an optional package.
First, I'm using Slackware64 and not Slackware ARM. Maybe some of my observations are not applicable to Slackware ARM.
I'm no specialist in Gnome keyring, but I use KDE Wallet on KDE 5 and looked into how KDE Wallet can be automatically opened using PAM configuration when the user logs in. My understanding is that Gnome keyring is a vault/wallet managing user credentials just like KDE wallet (it may do more, but you get the idea). The default wallet of Gnome Keyring is called 'login': https://wiki.gnome.org/Projects/Gnom...g/KeyringIntro
My testing seems to show that Gnome keyring is started only by PAM in Slackware current. I tried only_if=xdm in my PAM configuration (see my previous post), and when I log in to my system using sddm as my graphical login program, Gnome Keyring is not started. If you use xdm to log in, you can use the option only_if=gdm to test whether or not Gnome Keyring starts after you log in.
Regarding the current PAM configuration in /etc/pam.d/system-auth:
Code:
$ cat system-auth | grep pam_gnome_keyring
This PAM configuration will work if you use Gnome Keyring (I haven't tested it, as I don't use it). If you don't use Gnome Keyring, you can comment out those lines. Using the only_if option could be useful if you want to start Gnome Keyring only for certain processes (login or xdm come to mind) and not for the others (su, sshd come to mind).
Case 2: Gnome Keyring package(s) are not installed
This PAM configuration will log error messages in /var/log/secure. In this case, prepend the - character at the beginning of the lines to avoid pesky error messages. Or you can comment out those lines, as you don't even have Gnome Keyring.
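The two things gegechris99 describes in the post with the `only_if` test and in the post just above (prefixing the pam_gnome_keyring lines with `-` so a missing module is not logged, and restricting them with `only_if=` to the PAM services that should get a keyring) can be applied mechanically to a system-auth file. The following is an added example, not code from this thread, from Slackware or from gnome-keyring. It constructs a sample that resembles the Slackware -current fragment (an assumption; the real file may differ), rewrites the keyring lines, and counts how many keyring lines would still fire for every PAM service. Note that `only_if=` is matched against the PAM service name, i.e. the file under /etc/pam.d that included system-auth (login, xdm, sddm, su, sshd, ...), which is why `only_if=xdm` did nothing for an sddm login above; the service list `login,xdm` used here is just a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from gnome-keyring.
# Rewrites the pam_gnome_keyring.so lines of a system-auth-style PAM file:
#   * prefix the type field with '-' so Linux-PAM stays quiet if the module's
#     .so is not installed (no "couldn't load module" noise in /var/log/secure);
#   * append only_if=<services> so the module acts only when the PAM service
#     name (login, xdm, sddm, ...) is in the list; su and sshd are left alone.
# Everything else in the file passes through unchanged.

# Constructed sample resembling the Slackware -current fragment (assumption).
SAMPLE_SYSTEM_AUTH='auth        required      pam_unix.so
auth        optional      pam_gnome_keyring.so
password    optional      pam_gnome_keyring.so use_authtok
session     optional      pam_gnome_keyring.so auto_start
session     required      pam_unix.so'

# harden_keyring_lines FILE SERVICES
# Prints FILE with every pam_gnome_keyring.so line made optional ('-') and
# restricted to SERVICES (comma-separated). Lines that already carry the
# prefix or an only_if= are left as they are, so the function is idempotent.
harden_keyring_lines() {
    awk -v svc="$2" '
        /pam_gnome_keyring\.so/ {
            if ($0 !~ /^-/)       $0 = "-" $0              # optional for PAM itself
            if ($0 !~ /only_if=/) $0 = $0 " only_if=" svc  # restrict to named services
        }
        { print }
    ' "$1"
}

# count_unrestricted_keyring_lines FILE
# Number of keyring lines that would run for every PAM service (no only_if=).
count_unrestricted_keyring_lines() {
    awk '/pam_gnome_keyring\.so/ && !/only_if=/ { n++ } END { print n + 0 }' "$1"
}

# Demo on the constructed sample; the real target would be /etc/pam.d/system-auth.
tmp=$(mktemp)
trap 'rm -f "$tmp" "$tmp.hardened"' EXIT
printf '%s\n' "$SAMPLE_SYSTEM_AUTH" > "$tmp"

echo "before: $(count_unrestricted_keyring_lines "$tmp") keyring line(s) active for every PAM service"
harden_keyring_lines "$tmp" login,xdm > "$tmp.hardened"
echo "after:  $(count_unrestricted_keyring_lines "$tmp.hardened") keyring line(s) active for every PAM service"
cat "$tmp.hardened"
```

After applying the change to the real file, the checks gegechris99 lists still apply: kill any running gnome-keyring-daemon, log in via su or sshd, confirm with `ps aux | grep gnome-keyring` that nothing started, and watch `/var/log/secure` for gkr-pam messages.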
I understood the login keyring (vault/wallet) concept, but failed to understand how it gets unlocked on login through PAM, because that's the current issue; I get in /var/log/secure -> gkr-pam: couldn't unlock the login keyring.
So far I also understood that it doesn't handle the system login credentials, but it keeps its master password (for unlocking the login keyring) in sync with the user's system login password. What that means is only to be found in the source code (or in the heads of the devs). Additionally, in that login keyring it also stores (if enabled) ssh private keys, and those are a little "touchy" IMHO. I don't mind storing NetworkManager Wifi passwords or other such "system non-critical" credentials. Actually, it's better to store them encrypted instead of in clear text in some files that could be read by other users if improperly protected. Still, I have no clue what encryption is employed; that must again be available in the source code / devs' heads.
Some extra info (cannot call it documentation):
https://wiki.gnome.org/Projects/Gnom...StoringSecrets - "You can keep the secret somewhere safe, or safe enough, like: Your brain. Very secure." - I knew it! :) - Then, there is the section: How Storing Secrets in gnome-keyring Works
https://wiki.gnome.org/Projects/Gnom...mless_Security - Unlocking on Login - SSH Agent
https://wiki.gnome.org/Projects/Gnom...rityPhilosophy - at least they're thinking about potential issues, and it's the Passive Attacks I'm more concerned about.