automatic unlocking of keyring

Alexander Larsson alexl at redhat.com
Wed Dec 19 08:49:01 UTC 2007


On Mon, 2007-12-17 at 17:03 -0300, Thomas M Steenholdt wrote:
> Alexander Larsson wrote:
> > 
> > That "works", but is not ideal, as it means the keyring pam daemon will
> > ask for the password instead of using the cached result from the
> > system-auth result. This is clearly a problem if you mistype your
> > password...
> > 
> > The solution is to fix the system-auth so that it runs and then runs the
> > pam modules after it. This is fixed in rawhide with the pam-stacks
> > support, I believe.
> > 
> 
> Hi
> 
> I'm only asked to enter the password once (on login by gdm). Even if I 
> typed the password incorrectly, that wouldn't mean problems, since I 
> wouldn't be logged in in the first place, so how could it be causing 
> problems? Once I enter my password correctly, it caches the correct 
> password and uses that to unlock the keyring.

The problem is not that you need to enter the password multiple times;
that password is saved and reused for later pam modules. In fact this is
how pam-keyring is meant to work: system-auth asks for the password, it's
saved, and then pam-keyring reads this and uses it to try to unlock the
keyring.

However, if pam-keyring is run first then it is the one asking for the
password instead of system-auth, and system-auth is the part using the
saved password. This is a problem, because pam-keyring can't do things
like verifying the password you entered is correct, or ask again if it
is not. I'm not sure what the exact result will be in this case, but it's
not ideal.
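
An added example, not part of the original message: a small Python check for the ordering described above, which flags a PAM service file whose auth stack runs the keyring module before system-auth. The sample files are constructed, and the module file name pam_keyring.so and its try_first_pass option are assumptions.

```python
import re

# Constructed samples of a PAM service file such as /etc/pam.d/gdm.
# Assumptions: the module file name pam_keyring.so and its try_first_pass option.
KEYRING_FIRST = """\
#%PAM-1.0
auth     optional  pam_keyring.so try_first_pass
auth     include   system-auth
session  include   system-auth
"""
KEYRING_LAST = """\
#%PAM-1.0
auth     include   system-auth
auth     optional  pam_keyring.so try_first_pass
session  include   system-auth
"""

# type, control (a word or a [bracketed] list), module, optional arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_stack(text):
    """Return (lineno, control, module) for each auth entry, in stack order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "auth":
            entries.append((lineno, m.group(2), m.group(3)))
    return entries

def check_order(text, keyring="pam_keyring.so", prompter="system-auth"):
    """Report a keyring module that runs before the stack that verifies the password."""
    stack = auth_stack(text)
    ring = next((e for e in stack if e[2].endswith(keyring)), None)
    prompt = next((e for e in stack
                   if e[1] in ("include", "substack") and e[2] == prompter), None)
    if ring is None:
        return []
    if prompt is None:
        return [f"line {ring[0]}: {keyring} has no {prompter} in the auth stack"]
    if ring[0] < prompt[0]:
        return [f"line {ring[0]}: {keyring} runs before {prompter} (line {prompt[0]}), "
                "so it prompts for a password it cannot verify"]
    return []

if __name__ == "__main__":
    for name, cfg in (("keyring first", KEYRING_FIRST), ("keyring last", KEYRING_LAST)):
        print(name, "->", check_order(cfg) or "ok")
```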




