I hope someone can help me because I have spent a week on this and still I can't make it work.

I have a CentOS 5.5 server and I am trying to set it up so that upon login the gnome default keyring is unlocked. I don't have a desktop as users will login using ssh only.

I have searched the forum and googled it, and I did find some help. All the articles though said to change /etc/pam.d/gdm (which I think is for the Gnome Desktop Manager). I did it anyway but no joy. I tried changing /etc/pam.d/login, and no joy. I'm becoming a bit desperate.

The changes I have done are to add

    auth optional pam_keyring.so

(sometimes with try_first_pass) and

    session optional pam_keyring.so auto_start

(sometimes without auto_start).

All the time the gnome-keyring-daemon is not started. But even if I start it at login, with a new /etc/profile.d/gnome-keyring-daemon.sh script which runs

    export `/usr/bin/gnome-keyring-daemon`

the keyring is not unlocked at login.

Just to let you know, I use the keyring to store passwords for a Subversion repository. The first time, after logging in, I use Subversion I am asked for the password to unlock the keyring. Then everything goes fine, i.e. I'm not asked for the Subversion password.

After I sorted this out I need to set the server so that the keyring password is changed automatically when the user changes his login password (I tried already, changing /etc/pam.d/passwd similarly as I've done above, but it's not working).

So, please can anyone help me?

Thanks
Giulio
Giulio Troccoli wrote:
> I hope someone can help me because I have spent a week on this and
> still I can't make it work.
>
> I have a CentOS 5.5 server and I am trying to set it up so that upon
> login the gnome default keyring is unlocked. I don't have a desktop
> as users will login using ssh only.

I have a similar situation. I'm not quite familiar enough with Linux to know if my experience will help you. Anyway ...

I boot my laptop home computer (1 user) into runlevel 5 with *auto-login*. It has wifi built-in, and I wanted to set it up to auto-connect, _and_ not have to enter the keyring password.

I tried making the keyring's password the same as the user's - didn't work. To test the process, I turned off auto-login - it worked!

My semi-newbie skills led me to the conclusion that, if gnome does not have to ask for the password (auto-login mode), then the keyring manager never sees it (and asks for it anyway). Conversely, if gnome has to ask for the password (standard log-in mode), the keyring manager sees it, and the keyring is unlocked.

To help me learn a bit more, inform me how much this applies to your situation. You're working on a server; do you use auto-login for your own account?
> Just to let you know, I use the keyring to store passwords for a
> Subversion repository. The first time, after logging in, I use
> Subversion I am asked for the password to unlock the keyring. Then
> everything goes fine, i.e. I'm not asked for the Subversion password.

Which version of Subversion are you using?

Just a thought: don't you think you should rather go for a Subversion-specific mechanism to store the passwords / safely access the repositories?

I can imagine that you are worried about the famous limitation that SVN passwords are stored in plaintext on Linux:

http://help.collab.net/index.jsp?topic=/faq/cachepassword.html
http://www.linuxforu.com/previews/subversion-16-security-improvements-illustrated/

But maybe, if you control the SVN server config as well, you could set up certificate-based auth in Apache (restricted to your clients' IPs) without requiring the use of the actual password: your Linux client setup would then be as safe as your Linux auth (since the certificates would be protected in the .subversion of your users).

Another approach could be to use svn+ssh:// access to your repository for your server-side Linux users. The problem is that it doesn't work well with parallel access. But if this is just to start a build from time to time, that may be enough... (I hope your developers are not working on their code on a server from the command line :)

I was just trying to think of another approach, in case it is only for Subversion that you have to go through this pain. It feels kind of wrong to use gnome-keyring on the server (I use it with pam_keyring on my CentOS workstations, but you already tried that).

Anyhow, I'm really interested in your effort, because I will have to set up something similar soon.