libpam-keyring broken on autologins
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
GNOME Keyring | Invalid | Medium | | |
One Hundred Papercuts | Invalid | Undecided | Unassigned | |
gdm (Baltix) | New | Undecided | Unassigned | |
gdm (Ubuntu) | Invalid | Medium | Unassigned | |
network-manager-applet (Ubuntu) | Invalid | Undecided | Unassigned | |
pam-keyring (Ubuntu) | Won't Fix | Undecided | Laurent Bigonville | |
Bug Description
Binary package hint: libpam-keyring
This is on up-to-date Gutsy:
libpam-keyring doesn't work correctly when set up together with gdm's autologin feature.
As expected, GDM automatically logs in the correct user. However, libpam-keyring fails to retrieve the user's password (probably because it wasn't entered) and instead displays a dialog box asking for it, which defeats the purpose of the plugin. Instead, if the password isn't available it should just do nothing (perhaps log a message somewhere) and allow the normal keyring unlocking to work (e.g., let Network Manager ask for the password when it needs it). This locks the loading process, which is very annoying.
Also, the dialog where libpam-keyring asks for the password does NOT mask the entered password (e.g., with asterisks), making it visible on the screen. That's why I'm marking this as a (minor) security vulnerability.
Note: of course this can be worked around by simply disabling the plugin in /etc/pam.
It's likely that libpam cannot actually retrieve the password on autologins (I assume GDM just "su -"s into the username, so it doesn't actually know the password), in which case this should be attached as a "wishlist" bug for GDM or gnome-keyring. For instance, gnome-keyring might allow itself to be unlocked by the "root" user as an optional, lower-security feature.
Here's my config:
$ cat /etc/pam.
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=
auth required pam_permit.so
auth optional pam_keyring.so try_first_pass
@include common-account
session required pam_limits.so
session optional pam_keyring.so
@include common-session
@include common-password
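A check for the condition described in this report, as an added example that is not part of the original bug report or of pam-keyring: it flags auth modules configured with try_first_pass or use_first_pass when nothing earlier in the same service file can have collected a password, as in the autologin stack above where pam_permit.so authenticates the user. It assumes the conventional PAM meaning of those options; the sample configs, the `lint` function and the `NO_AUTHTOK` list are constructed for illustration.

```python
import re

# Constructed sample, modelled on the autologin service file quoted in the report.
AUTOLOGIN = """\
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_permit.so
auth optional pam_keyring.so try_first_pass
@include common-account
session optional pam_keyring.so
"""

# Constructed sample: a password login where an included stack prompts first.
PASSWORD_LOGIN = """\
@include common-auth
auth optional pam_keyring.so try_first_pass
"""

LINE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")
FIRST_PASS = {"try_first_pass", "use_first_pass"}
# Assumption: these modules never store a password for later modules to reuse.
NO_AUTHTOK = {"pam_nologin.so", "pam_env.so", "pam_permit.so", "pam_keyring.so"}

def lint(text):
    """Return (line, module, option) for auth modules that expect a password
    from an earlier module when nothing earlier in the stack can supply one."""
    findings, may_have_password = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):
            # Included files are not followed; an auth include may prompt.
            may_have_password |= "auth" in line
            continue
        m = LINE.match(line)
        if not m or m.group(1).lstrip("-") != "auth":
            continue
        control, module, args = m.group(2), m.group(3), set(m.group(4).split())
        if control in ("include", "substack"):
            may_have_password = True
            continue
        if args & FIRST_PASS and not may_have_password:
            findings.append((n, module, sorted(args & FIRST_PASS)[0]))
        if module not in NO_AUTHTOK:
            may_have_password = True
    return findings

if __name__ == "__main__":
    for name, text in (("autologin", AUTOLOGIN), ("password login", PASSWORD_LOGIN)):
        print(name, lint(text))
```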
description: updated
description: updated
Changed in gnome-keyring: status: Unknown → New
Changed in gnome-keyring: status: New → Invalid
Changed in gdm: status: New → Confirmed
Changed in gdm: assignee: nobody → canonical-desktop-team
Changed in gnome-keyring: importance: Unknown → Medium
I'm not sure the dialog belongs to pam-keyring. Could you provide me a screenshot? I've never seen such a message.
pam-keyring is quite old and not maintained; maybe you should try the libpam-keyring package instead.