Pete Zaitcev (zaitcev) wrote,
@ 2008-10-05 14:03:00
Entry tags: fedora, gnome, linux

The crazy keyring thing

Recent Rawhide (F10 Alpha and Beta) has one of the oddest features ever (Gnome Power Manager level of "odd" here). Whenever one runs ssh (including scp) for the first time, a dialog pops up, asking for a "password to unlock keyring".

Entering any kind of password fails: the dialog reappears again. I must click "Deny" to proceed. V.odd.

It's a little scary to realize that someone well-meaning interposed some pretty big chunk of [currently broken] software into something as fundamental as ssh. Who knows what else it does aside from contacting my X.

P.S. This can be disabled, right? Right?

UPDATE: Peter Robinson e-mailed that the missing package is seahorse. Also, there's apparently a stuck ~/.gnome2/keyrings/login.keyring. Removing that gets it regenerated and functional, so gnome-keyring-manager can be used.

In case anyone is curious, GNOME hooks ssh by setting SSH_AUTH_SOCK to something like /tmp/keyring-HIZ5We/ssh. The socket is created by gnome-keyring. Apparently, ssh hooking cannot be disabled selectively.

I wrote before that it would be great if GNOME provided a central persistent keyring for applications such as Pidgin (which otherwise stores your Gmail password in plaintext). Unfortunately, they began with hooking OpenSSH, which has its own secure key management already, and left Pidgin out -- where this kind of capability would actually be useful.

UPDATE LATER: Ka-Hing Cheung wrote me that a plugin for Pidgin to use gnome-keyring exists. It was written under the auspices of Google Summer of Code, and is likely to be merged in a couple of releases.
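
The hook described in the post works through a single environment variable, so it can be inspected from a shell. The following is an added example, not part of the original post: it classifies the value of SSH_AUTH_SOCK, sanity-checks the socket, and runs one command with the variable removed. The function names are made up here, and the /tmp/ssh-*/agent.* pattern is the traditional OpenSSH ssh-agent default rather than anything quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are made up here.

# Guess which agent owns a socket path from its naming pattern.
# /tmp/keyring-*/ssh is the gnome-keyring pattern quoted in the post;
# /tmp/ssh-*/agent.* is the traditional OpenSSH ssh-agent default (assumption:
# TMPDIR is /tmp, which both patterns take for granted).
classify_agent_sock() {
    case "$1" in
        "")                  echo "none" ;;
        /tmp/keyring-*/ssh)  echo "gnome-keyring" ;;
        /tmp/ssh-*/agent.*)  echo "openssh-agent" ;;
        *)                   echo "unknown" ;;
    esac
}

# Sanity-check the socket itself: it must exist, be a Unix socket, and be
# owned by the calling user (an agent socket owned by someone else means
# that user's process answers your signing requests).
check_agent_sock() {
    if [ -z "$1" ]; then echo "unset"; return 1; fi
    if [ ! -e "$1" ]; then echo "missing"; return 1; fi
    if [ ! -S "$1" ]; then echo "not-a-socket"; return 1; fi
    if [ ! -O "$1" ]; then echo "foreign-owner"; return 1; fi
    echo "ok"
}

# Run one command with the hook removed from its environment only; the
# desktop session keeps its agent. Example: without_agent ssh host
without_agent() {
    ( unset SSH_AUTH_SOCK; "$@" )
}

# Report on the current session.
echo "agent:  $(classify_agent_sock "${SSH_AUTH_SOCK:-}")"
echo "socket: $(check_agent_sock "${SSH_AUTH_SOCK:-}")"
```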





unixronin
2008-10-05 11:47 pm UTC
That sounds like an astoundingly bad idea.



jldugger
2008-10-06 12:40 am UTC
If you add the proper key to the ring, you can then probably just use the keyring for everything. "Single sign on" of sorts.

It's probably not as broke as you think; ssh has been tied to PAM for some time, check your PAM configuration for oddities.



zaitcev
2008-10-06 12:56 am UTC
Maybe I'm missing a package. This system was continuously upgraded as a Rawhide box since FC4 or something.



trs80 [typekey.com]
2008-10-06 06:25 am UTC
seahorse-agent wraps your X session, inserting its SSH_AUTH_SOCK into the environment. pam_gnome_keyring.so is what unlocks your GNOME keyring upon login via gdm, but only if it has the same password as your login. So when you ssh, seahorse is called as the ssh agent, and tries to access your GNOME keyring, but is denied and asks for your password. The brute-force solution is to delete ~/.gnome2/keyrings/login.keyring; the nuanced way is to look at Preferences/Encryption and Keyrings to see if you can unlock it there.



spot
2008-10-06 01:10 am UTC
I'm pretty sure this is your login password.

I just want it to unlock that keyring automatically when I log in.



zaitcev
2008-10-06 01:48 pm UTC
Thanks, Tom. I installed missing packages and got it working by rm ~/.gnome2/keyrings/login.keyring. It was stuck there since 2007. No idea what happened back then. This system was installed a very long time ago and was continuously updated with Rawhide, so it's hard to tell how this occurred.



spot
2008-10-06 01:58 pm UTC
Yeah, I'm in the same situation.


