2

I experimented on an Ubuntu 19.04 system a bit and took a look here: https://schulz.dk/2019/08/23/using-solokey-for-linux-login/ and here: https://wiki.gnome.org/Projects/GnomeKeyring/Pam#Advanced_configuration

After this I created a file named common-fido-auth and included it in

/etc/pam.d/sudo 

and /etc/pam.d/gdm-password

The last one looks like this:

#%PAM-1.0
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-fido-auth #instead of @include common-auth
@include common-account
@include common-session-noninteractive

I assumed that common-auth has modules which unlock the GNOME keyring and copied some lines from common-auth:

auth include common-fido
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

Whereas common-fido looks like:

auth sufficient pam_u2f.so
auth [success=1 default=ignore] pam_unix.so nullok_secure

But it seems to be wrong. The pam_unix.so is not interpreted properly, and with the Solokey I have to type in my password for the GNOME Keyring.

Does anyone have any ideas?

Twinkybot
  • I'm having the same problem. Using Fedora MATE 31. Key changes I made are: `# diff passwd passwd.bk0 4c4 < password optional pam_gnome_keyring.so use_authtok --- > -password optional pam_gnome_keyring.so use_authtok # diff lightdm lightdm.bk0 3d2 < auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue 6c5 < auth optional pam_gnome_keyring.so --- > -auth optional pam_gnome_keyring.so 21c20 < session optional pam_gnome_keyring.so auto_start --- > -session optional pam_gnome_keyring.so auto_start` but still no luck. – Karsus Apr 27 '20 at 00:26
  • Maybe this helps. Had a longer discussion here: https://github.com/Yubico/pam-u2f/issues/130 – Twinkybot Apr 28 '20 at 07:29

2 Answers

3

As mentioned in https://github.com/Yubico/pam-u2f/issues/130, which Twinkybot referenced above, GNOME Keyring requires a password to unlock, so if you log in using other means, there's no way to have the password provided to the GNOME Keyring daemon by PAM.

Alternatives include:

  • Leaving the password blank. This does mean what's stored in the keyring is no longer encrypted.
  • Encrypt the password using keys stored on your security key (GPG or PIV), so if you have it plugged in for login, a script can automatically unlock your keyring with the file holding the encrypted password.
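To make the point of this answer, and the behaviour of the stack posted in the question, concrete, here is an added example that is not part of the question, this answer, or any project mentioned in the thread: a small Python evaluator for a Linux-PAM `auth` stack. It parses pam.d-style lines (including `include` / `@include` and the `[success=1 default=ignore]` bracket form), applies the control-flag semantics from pam.conf(5), and simulates only enough of each module to show where the typed password (PAM_AUTHTOK) does or does not reach pam_gnome_keyring.so. The `common-fido-auth` and `common-fido` fragments are the asker's as posted; `common-auth-typical` is an assumed approximation of a Debian/Ubuntu common-auth, `common-fido-auth-keyring` is a hypothetical variant with pam_gnome_keyring.so appended, and the password and module behaviours are constructed.

```python
"""Toy Linux-PAM 'auth' stack evaluator (added example, not from the thread).

Shows that pam_gnome_keyring.so can only unlock the login keyring when an
earlier module (pam_unix.so) stored the typed password in PAM_AUTHTOK, and that
a succeeding `sufficient pam_u2f.so` returns before any such module runs.
"""
from dataclasses import dataclass, field
from typing import Optional

USER_PASSWORD = "correct-horse-battery-staple"   # constructed sample password

FILES = {
    # The asker's two files, as posted in the question.
    "common-fido-auth": """
auth include common-fido
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
""",
    "common-fido": """
auth sufficient pam_u2f.so
auth [success=1 default=ignore] pam_unix.so nullok_secure
""",
    # Assumed approximation of a Debian/Ubuntu common-auth written by pam-auth-update.
    "common-auth-typical": """
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
auth optional pam_gnome_keyring.so
""",
    # Hypothetical: the asker's file with the keyring module appended.
    "common-fido-auth-keyring": """
auth include common-fido
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
auth optional pam_gnome_keyring.so
""",
}

@dataclass
class Creds:
    password: Optional[str] = None   # what the user typed at the prompt, if anything
    token_present: bool = False      # FIDO/U2F key plugged in and touched

@dataclass
class Session:
    authtok: Optional[str] = None    # simulated PAM_AUTHTOK item
    keyring_unlocked: bool = False
    result: str = "failure"
    trace: list = field(default_factory=list)

def pam_u2f(creds, sess, args):
    return "success" if creds.token_present else "auth_err"

def pam_unix(creds, sess, args):
    if creds.password is None:
        return "auth_err"
    sess.authtok = creds.password    # pam_unix prompts and sets PAM_AUTHTOK
    return "success" if creds.password == USER_PASSWORD else "auth_err"

def pam_gnome_keyring(creds, sess, args):
    # The real auth hook only remembers PAM_AUTHTOK and unlocks in the session
    # phase; the two steps are collapsed here.  No authtok means nothing to do.
    if sess.authtok is None:
        return "ignore"
    sess.keyring_unlocked = True
    return "success"

MODULES = {
    "pam_u2f.so": pam_u2f, "pam_unix.so": pam_unix, "pam_gnome_keyring.so": pam_gnome_keyring,
    "pam_deny.so": lambda c, s, a: "auth_err",
    "pam_permit.so": lambda c, s, a: "success",
    "pam_cap.so": lambda c, s, a: "success",
}

# pam.conf(5) defines the classic keywords as shorthand for these bracket actions
# (only the success/default keys are modelled here).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_line(line):
    """Return ('include', file) or (type, control, module, args); None for blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    if line.startswith("@include"):
        return ("include", line.split()[1])
    if "[" in line:                           # bracket control contains spaces
        mtype, rest = line.split("[", 1)
        ctrl, tail = rest.split("]", 1)
        control = dict(kv.split("=", 1) for kv in ctrl.split())
        parts = tail.split()
    else:
        mtype, control, *parts = line.split()
    if control == "include":
        return ("include", parts[0])
    return (mtype.strip(), control, parts[0], parts[1:])

def expand(files, name, mtype="auth"):
    """Flatten one management group, splicing included files in place."""
    stack = []
    for raw in files[name].splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry[0] == "include":
            stack.extend(expand(files, entry[1], mtype))
        elif entry[0] == mtype:
            stack.append(entry)
    return stack

def evaluate(stack, creds):
    """Walk the stack with Linux-PAM control semantics and return the Session."""
    sess = Session()
    succeeded = failed = False
    i = 0
    while i < len(stack):
        _, control, module, args = stack[i]
        actions = KEYWORDS[control] if isinstance(control, str) else control
        rc = MODULES[module](creds, sess, args)
        action = actions.get("success" if rc == "success" else "default", "ignore")
        sess.trace.append(f"{module:22s} {rc:9s} -> {action}")
        i += 1
        if action == "ok":
            succeeded = True
        elif action == "done":                # sufficient: stop unless a required module already failed
            succeeded = True
            if not failed:
                break
        elif action == "bad":
            failed = True
        elif action == "die":                 # requisite: stop immediately
            failed = True
            break
        elif action != "ignore":              # numeric action: skip that many modules
            i += int(action)
    sess.result = "success" if succeeded and not failed else "failure"
    return sess

CASES = {
    "typical common-auth, password":      ("common-auth-typical", Creds(password=USER_PASSWORD)),
    "asker's stack, Solokey only":        ("common-fido-auth", Creds(token_present=True)),
    "asker's stack, password only":       ("common-fido-auth", Creds(password=USER_PASSWORD)),
    "asker's stack, wrong password":      ("common-fido-auth", Creds(password="nope")),
    "asker's stack + keyring, Solokey":   ("common-fido-auth-keyring", Creds(token_present=True)),
    "asker's stack + keyring, password":  ("common-fido-auth-keyring", Creds(password=USER_PASSWORD)),
}

def run_scenarios():
    """Return {label: (auth result, keyring unlocked?)} for every case above."""
    return {label: (s.result, s.keyring_unlocked)
            for label, (svc, creds) in CASES.items()
            for s in [evaluate(expand(FILES, svc), creds)]}

if __name__ == "__main__":
    for label, (svc, creds) in CASES.items():
        sess = evaluate(expand(FILES, svc), creds)
        print(f"== {label}: auth={sess.result}, keyring_unlocked={sess.keyring_unlocked}")
        print("   " + "\n   ".join(sess.trace))
```

Running it shows the two separate reasons the keyring stays locked in the asker's setup: with the key plugged in, `sufficient pam_u2f.so` terminates the stack before pam_unix.so ever prompts, so PAM_AUTHTOK is never set and there is nothing for the keyring to use; and even on a password login the posted common-fido-auth never reaches pam_gnome_keyring.so because it is not in the stack at all. Only the password path of the hypothetical variant unlocks the keyring, which is exactly the constraint this answer describes.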
0

There is now a project which solves this by creating a file with the encrypted password for the keyring in a form that can be automatically decrypted using the hardware dongle.

https://github.com/recolic/gnome-keyring-yubikey-unlock

Aaron Digulla