Automatically Unlocking the Default Gnome-Keyring : PAM Keyring

By | 2007/07/12

This post is partly an update to my previous post on resetting the gnome keyring, and partly the result of my continued laziness, or efficiency push. I want my machine to do everything for me. The less tedious work I have to do, the more actual work I can get done, right? This post will walk you through setting up your machine to unlock the gnome-keyring automatically at login: one less password you have to enter when you log in to your machine.

Installing the Package

We’ll need one tiny package for this to be supported. Using your favorite package manager, install libpam-keyring, or use the following command:

sudo aptitude install libpam-keyring

Configuring PAM

Once this is installed we need to add a line to a PAM configuration file. Follow this next step carefully. If you put the line in the wrong place it may cause problems with other parts of machine authentication.

Edit the /etc/pam.d/gdm file and append the following line to the end of the file:

@include common-pamkeyring

At this point the gnome-keyring will be handed your login password and, if the two passwords are the same, will be unlocked at login. If your login password and gnome-keyring password are different, this will not work. Options? Either set the passwords to match by first resetting the gnome-keyring password (this will wipe any saved keyring data), or come up with a solution that will authenticate one with the other even if they are not the same. I would be interested in the latter solution, but I am not aware of one.
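
The edit above, wrapped in a guard, as an added example that is not part of the original post: it refuses to add the line when the include target is absent, backs up the file first, and can remove the line again. It assumes the @include resolves to a file named common-pamkeyring in the same PAM directory; the function names, the directory argument and the .pre-keyring backup suffix are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original post): guarded edit of /etc/pam.d/gdm.
# Assumption: "@include common-pamkeyring" refers to a file of that name in
# the same PAM directory. The directory is a parameter so a scratch copy works.
INCLUDE_LINE='@include common-pamkeyring'

# enable_pam_keyring [PAM_DIR] -> 0 if the include is in place, 1 if refused
enable_pam_keyring() {
    pam_dir=${1:-/etc/pam.d}
    gdm_file="$pam_dir/gdm"
    [ -f "$gdm_file" ] || { echo "no $gdm_file" >&2; return 1; }
    # Never reference an include target that is not installed.
    [ -f "$pam_dir/common-pamkeyring" ] || {
        echo "common-pamkeyring missing, leaving $gdm_file alone" >&2
        return 1
    }
    # Idempotent: a second run must not add a duplicate line.
    if grep -qxF -e "$INCLUDE_LINE" "$gdm_file"; then return 0; fi
    cp -p "$gdm_file" "$gdm_file.pre-keyring" || return 1
    # Start a fresh line if the file does not end with a newline.
    if [ -n "$(tail -c 1 "$gdm_file")" ]; then echo >> "$gdm_file"; fi
    printf '%s\n' "$INCLUDE_LINE" >> "$gdm_file"
}

# disable_pam_keyring [PAM_DIR] -> removes the line, keeps everything else
disable_pam_keyring() {
    pam_dir=${1:-/etc/pam.d}
    gdm_file="$pam_dir/gdm"
    [ -f "$gdm_file" ] || return 1
    tmp=$(mktemp) || return 1
    # Write back with cat so owner and mode of the PAM file are unchanged.
    if sed '/^@include common-pamkeyring$/d' "$gdm_file" > "$tmp"; then
        cat "$tmp" > "$gdm_file"; status=$?
    else
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}

# Run as root: "sh script.sh enable [PAM_DIR]" or "sh script.sh disable [PAM_DIR]".
case "${1:-}" in
    enable)  enable_pam_keyring "${2:-/etc/pam.d}" ;;
    disable) disable_pam_keyring "${2:-/etc/pam.d}" ;;
esac
```

Pointing the second argument at a scratch directory holding copies of gdm and common-pamkeyring shows the resulting file before /etc/pam.d is touched.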

Thanks to Thad for the origins of this post, although the steps differ slightly between FC6 and Feisty.

31 thoughts on “Automatically Unlocking the Default Gnome-Keyring : PAM Keyring”

  1. jldugger

    Does this also work around the highly annoying network-manager keyring “feature”? I’d still rather start internet connection from laptop to my home router far before I log in, but this would at least be a step in the right direction!

    Reply
  2. Ubuntu Tutorials

    jldugger – this does just that thing. Anything saved to your default keyring (which includes the NetworkManager) will be unlocked by your login password.

    Reply
  3. Sameer Morar

    If you have a keyring password that’s different to your login password, you can create a script to authenticate your app.

    For example, this is how I startup gajim on login:

    echo "password" | /usr/lib/libpam-keyring/pam-keyring-tool -u -s; gajim &

    Reply
  4. erik

    Wtf, why isn’t this installed by default?!!? Insane.

    Reply
  5. JGJones

    However, what happens when you change your login password? I assume that this doesn’t also update the keyring password as well, so as soon as one changes their password, PAM-keyring won’t be able to authenticate anymore…

    This is gonna get annoying for those that change their password regularly…

    If it’s not already submitted as a bug – it’ll be ideal for Ubuntu if the keyring could be linked to login password?

    Cheers

    Reply
  6. Ubuntu Tutorials

    JGJones – It doesn’t automagically update the keyring password when you change your login password (some people prefer to have them different), but you can update your keyring password manually by visiting System > Admin > Keyring Manager.

    Reply
  7. LOR

    Great article! Just what I’ve been looking for. It works great except when combined with automatic login. When automatic login is enabled the keyring manager asks for the damn password. Does anyone know why and how to get it working?

    Reply
  8. Marius Scurtescu

    “you can update your keyring password manually by visiting System > Admin > Keyring Manager”

    and then what?

    I cannot figure how to change the darn password :-(

    Reply
  9. waunko

    To reset the default keyring password, open System->Keyring Manager, select View->Keyrings and delete the default keyring. The next time you start a session, you will be prompted for a new password. Note … this deletes all your keys on the keyring.

    Reply
  10. Max Randor

    I did this (or something like this) a while ago, however it does not appear to work if automatic login is enabled… which is two extra things to type in, username and password and I want to get from turning the computer on to being on the desktop, with internet (requires keyring) in the shortest possible time.

    Reply
  11. Pingback: ???.info » Stop Gnome Keyring Prompt For A Password

  12. Pingback: I’m baaaack! at The ScatterBrain Chronicles

  13. alejaaandro

    any luck for those with automatic login?
    I’ve got the same problem…

    Reply
  14. Mike

    Argh. I did this on Gutsy and now I am getting “Authentication Failed” with an OK button and no way of logging in at all. Help me please!

    Reply
  15. Ubuntu Tutorials

    @Mike – if you’re not able to login at the graphical login you should be able to do “ctrl-alt-f1” to get a virtual console. You can try reverting your changes from the shell and see if that resolves your problem.

    Reply
  16. Simon

    this should definitely be included as default… it’s the same level of security, just invisible to the end user.

    Reply
  17. Rakesh Kotecha

    Hi – I have been looking for a solution for this since I installed Gutsy (my first linux installation) and this does not seem to work on this.

    I think gutsy uses a different version and that libpam is not part of gutsy??

    sorry not sure!! (bit of a newbie)

    Is there any chance of an update to this post?

    Believe me I have tried loads of variations and searched all the forums. I tried the script solution, the wi fi radar solution, etc etc!

    Driving me insane!! heelelllppp!!

    Reply
  18. Andersen

    I do not reset my keyring password. I do not have the file. So I restarted the computer and now I can not login to Ubuntu Gutsy. (Authentication Failed) How can I revert back this package? Thanks

    Reply
  19. phil

    I am having the same problem (Authentication Failed), no idea what to type in after ctrl +alt + f1, could someone post the code to get back into ubuntu?

    Reply
  20. Adam

    To revert back, login using another terminal with the keys Ctrl+Alt+F1.

    When logged in, type ‘sudo nano /etc/pam.d/gdm’ and edit the gdm file. Remove the line you added following this tutorial.

    Press Ctrl+Alt+F7 to get back to the login screen. Press “Ok” in the weird dialog and login as usual, everything should be back to normal.

    Reply
  21. Hugo

    Thank god there was a solution to this problem.
    Got the same problem as phil, but this fixed it.
    Next time I’ll think twice before changing passwords…

    Reply
  22. Agent_Mulder

    I tried this procedure, but I cannot edit the gdm file, keeps telling me I do not have permissions? Is there any way to edit this file in the gui?

    Reply
  23. somewhat beginner

    I also had that problem in the beginning :) You can open an editor as root through the console, i.e.: sudo gedit /etc/pam.d/gdm
    My version of ubuntu (think it’s 8.10 but it’s with netbook remix) already had (gnome-)pam installed and adding the suggested line at the end didn’t help :( . I get the keyring thing when I use auto login but not when I log in manually…

    Reply
  24. Fred

    Worked like a charm for me. I just typed sudo nano /etc/pam.d/gdm, changed @include-password to @include-pamkeyring, saved the file and rebooted.

    Reply
  25. mahutchinson

    There is no lib-pam package showing on Synaptic in Ubuntu 9.10.

    Reply
  26. Paul

    @Max Randor
    For just resolving the wifi connection without keyring password I commend to you Wicd network manager, just started using it and it does seem a lot preferable to netmanager default applet.

    This workaround is not working for me yet, maybe because automatic logon is on? must investigate further….

    Reply
  27. Don

    Tried it on Ubuntu 10.10, and it doesn’t work. :(

    Reply
  28. No

    Does not work in Lucid.

    Instead go to Applications>Accessories>Passwords & Encryption Keys
    Right click on Passwords:login, set a blank password.

    Reply
  29. Simon

    I guess that if this feature is there, it’s because it makes your computer safer. So the question that comes to my mind is: If I just put a blank password, isn’t my computer at risk?

    Reply
  30. ivanbev

    @Simon – there are reasons why you may want to have password-less logins and password-less authentication of some credentials once logged in. A demonstration is a ‘living-room’ system that needs to run GUI apps .. like mythtv. If you boot the machine and sit there with a remote control you don’t want to have to connect a keyboard to type in your username/password; correspondingly you don’t want to have to do the same for wifi SSID credentials (if you use wifi for it) … so you want them to “automatically work”.

    Being able to have the same keyring password as the user’s login one means that, whilst it’s not secure “on the console” in gnome, it is slightly more secure if you ssh in (because you still need the user’s password & the same for keyring, because this only works in gnome).

    The keyring doesn’t make your computer safer per se – in some ways it does the opposite (as you only need one password/passphrase to get access to lots of accounts). You could argue that it makes stuff safer because you can then choose a difficult password/passphrase for other accounts (like banking websites, wifi SSIDs etc) and not have to remember them because you just need your master password/passphrase to unlock the keyring.

    The thing to be wary of about using a keyring is that if something happens to it (e.g. it gets deleted or the computer crashes unrecoverably or you carry out a new install) then you lose access to those account credentials (username/password). This means you either need to back up regularly, and/or take a copy of the keyring file any time you change it (e.g. to USB stick), and/or keep a copy of passwords elsewhere (e.g. a password manager like keepass). This is the same for any kind of keyring (e.g. Firefox one, Thunderbird, etc). This is potentially a common problem, and I’ve tried to help people recover passwords lost in this way (e.g. tell application to save my username/password to auto-login), so consider issues before doing that :)

    Reply
