Re: [gnome-love] gnome-keyring and PAM



Would it make sense to write a PAM module that unlocks the default keyring automatically when a user logs in using the user's system authentication token?

[...]

The Mac OS X keychain API does something similar to this.
See for instance:
http://developer.apple.com/documentation/Security/Conceptual/keychainServConcepts/02concepts/chapter_2_section_1.html
 By default, each Mac OS X login account has one keychain (for a new
 login on Mac OS X v10.3, this keychain is named login.keychain);
 however, a user or application can create as many keychains as
 desired. The login keychain is automatically unlocked during login
 if it has the same password as the user’s login account password.

Somehow when you log in they save the password entered and try to use
that to unlock your keychain. I'm not sure how this is done though, or if/how we could do it.

[...]

I have a very preliminary version of pam_keyring available for comments at http://www.flyn.org/projects/pam_keyring/index.html. Please also see the Fedora RFE at:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125682

if you are interested in seeing this on Fedora.

Here are some comments on getting pam_keyring 0.0.1 to work:

1.  I am working on an SELinux policy for pam_keyring (see
pam_keyring_macros.te).  In order to do this right I will have to make
some changes to some other policies.  At this point, ask SELinux to
not enforce its policies if you want to experiment with pam_keyring.

2.  Currently, gnome-session tries to start gnome-keyring-daemon.
This does not make sense if pam_keyring has already done so.  Make the
following change to gnome-session in order to fix this (I plan on
submitting a patch soon):

- gsm_keyring_daemon_start ();

+ if (getenv("GNOME_KEYRING_SOCKET") == NULL)
+   gsm_keyring_daemon_start ();
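Review bot: the `getenv("GNOME_KEYRING_SOCKET") == NULL` test only establishes that the variable is set, not that a daemon is listening on it, so a stale value inherited from an earlier session (or an environment where pam_keyring ran but the daemon has since exited) would skip `gsm_keyring_daemon_start ()` and leave the session with no usable keyring daemon. Before skipping the start, also verify that the socket path exists and accepts a connection, and note in a comment that pam_keyring is the expected producer of this variable so later readers understand why gnome-session defers to it.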

3.  Although I have read that calling gnome_keyring_unlock with NULL
as the first argument should unlock the default keyring, this does not
seem to be the case.  Replace "test" in pam_keyring.c with the name of
your default keyring.

4.  Ensure the password that unlocks your default keyring is the same
as your system password.

I hope to get something more usable out soon!

--
Mike
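As an added example (not code from pam_keyring or gnome-session), this is the stronger check the gnome-session change in item 2 could use: instead of trusting that GNOME_KEYRING_SOCKET is merely set, it confirms that something is actually accepting connections on that UNIX socket before deciding not to start the daemon. The names `keyring_daemon_reachable`, `should_start_keyring_daemon` and `listen_on_unix_socket` are hypothetical helpers introduced here; the last one only stands in for a running gnome-keyring-daemon so the check can be exercised locally.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Fill a sockaddr_un for `path`; returns 0 if the path is unusable. */
static int unix_addr(struct sockaddr_un *a, const char *path)
{
    if (path == NULL || *path == '\0' || strlen(path) >= sizeof(a->sun_path))
        return 0;
    memset(a, 0, sizeof(*a));
    a->sun_family = AF_UNIX;
    strncpy(a->sun_path, path, sizeof(a->sun_path) - 1);
    return 1;
}

/* Return 1 only if something is accepting connections on the UNIX socket at
 * `path`; a missing file, a stale path or a dead daemon all yield 0. */
int keyring_daemon_reachable(const char *path)
{
    struct sockaddr_un a; int fd = -1, ok = 0;
    if (!unix_addr(&a, path) || (fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return 0;
    ok = connect(fd, (struct sockaddr *)&a, sizeof(a)) == 0;  /* daemon live? */
    close(fd);
    return ok;
}

/* Hypothetical replacement for the bare getenv() test in the quoted patch:
 * start the daemon unless a live one is reachable through the variable. */
int should_start_keyring_daemon(void)
{
    return !keyring_daemon_reachable(getenv("GNOME_KEYRING_SOCKET"));
}

/* Helper for trying this out: listen on a UNIX socket at `path`, standing in
 * for a running gnome-keyring-daemon. Returns the listening fd or -1. */
int listen_on_unix_socket(const char *path)
{
    struct sockaddr_un a; int fd = -1;
    if (!unix_addr(&a, path) || (fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    unlink(path);  /* clear any stale socket file before binding */
    if (bind(fd, (struct sockaddr *)&a, sizeof(a)) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```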