I agree that nothing forces the use of a similar password. However, it is the default on a fresh Ubuntu install.
One possibility would be for gnome-keyring to have a configuration flag that would indicate if the password should be synchronised with the system password. No cleartext stored password should be necessary.
So the sequence would go:
1. On an Ubuntu fresh install the password sync flag would be set, and keyring password would be the same as the login password.
2. User's password is changed externally.
3. User logs in. The password is accepted for login, but does not unlock the keyring.
4. libpam-gnome-keyring has the new password since the user just logged in with it.
5. libpam-gnome-keyring needs the old password, so it prompts for it.
6. libpam-gnome-keyring changes the keyring password and unlocks the keyring.
7. The user changes the keyring password manually.
8. The password sync flag is cleared, and so libpam-gnome-keyring should no longer do steps 5 and 6.
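The sequence proposed above, modelled as an added example (not part of the original comment, and not gnome-keyring or libpam-gnome-keyring code). `Keyring`, `pam_login` and `prompt_old_password` are hypothetical names, and the keyring is reduced to a salted PBKDF2 verifier so that only the password check and the sync flag are modelled.

```python
import hashlib
import hmac
import os


class Keyring:
    """Toy keyring: stores only a salt and a PBKDF2 verifier, never the password."""

    def __init__(self, password, sync_with_login=True):
        self.sync_with_login = sync_with_login  # the proposed flag (step 1)
        self.unlocked = False
        self._set_password(password)

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _set_password(self, password):
        self._salt = os.urandom(16)
        self._verifier = self._derive(password)

    def unlock(self, password):
        self.unlocked = hmac.compare_digest(self._derive(password), self._verifier)
        return self.unlocked

    def change_password(self, old, new, manual=False):
        if not self.unlock(old):
            return False
        self._set_password(new)
        if manual:
            self.sync_with_login = False  # steps 7-8: a manual change clears the flag
        return True


def pam_login(keyring, login_password, prompt_old_password):
    """Steps 3-6, run after the system has already accepted login_password."""
    if keyring.unlock(login_password):
        return "unlocked"
    if not keyring.sync_with_login:
        return "locked"  # flag cleared: no prompt, no re-keying
    # Step 4: the new password is in hand from the login; step 5: ask for the old one.
    old = prompt_old_password()
    if old is not None and keyring.change_password(old, login_password):
        return "resynced"  # step 6: keyring now opens with the login password
    return "locked"
```
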