XFCE (and other non-GNOME) desktops do not initialise gnome-keyring correctly / WARNING: gnome-keyring:: couldn't connect to PKCS11

When logging into a GNOME session gnome-keyring management is setup in such a way that both ssh key management is enabled and the osc commands find and access gnome-keyring.

The keyring needs to be unlocked only once per session, after that osc commands can access the key and it is not necessary to store account credentials in $HOME/.oscrc

The work around is to enable "Launch GNOME services on startup" in the "Advanced" tab of the "Session and Startup". However, this results in too many services running.

Adding information posted to opensuse-xfce list on this topic:

Initial post:

Hi,

Just switched to Xfce recently and have run across a couple of things that appear to be start up service related when compared to GNOME.

First, when building a package locally using osc, I end up with an "401 Authentication" error. Pocking around a bit this appears to be gnome-keyring related. However, I have gnome-keyring-daemon running and marked as "autostart". When I used GNOME I didn't do anything special, osc just worked. Anyone has any idea what I need to do to get the keyring usage working again?

Second, also authentication related, I now need to enter my passphrase when using key-authenticated ssh login. I suppose GNOME by default starts an ssh agent thus that the passphrase only gets entered once? How do I accomplish this with Xfce. The "autostratup" has an entry for "SSH Key Agent". What am I missing?

Follow up post:
When I turn on "Launch GNOME services on startup" in the "Advanced" tab of the "Session and Startup" settings I can get the behavior back I am used to in GNOME, i.e. when I ssh to a machine for the first time I get a dialog box that lets me type in my passphrase. Once I do this the key is "unlocked" and I can log into any machine without needing to enter my passphrase again.

However, enabeling this also means that I am running more stuff than I probably want.

I compared the list of processes running with the GNOME services launced and without and compared them. However, nothing sticks out as providing this nice "unlock the key" feature. Thus I am not certain how to enable just that service to allow me to disable the "Launch GNOME services on startup" setting again.

Guido's response:
you shouldn't use that setting, g-k-d is started through the PAM
module so that no additional password needs to be entered to
unlock it. It also needs to be initialized from the session and I
suspect something isn't working right there (either the xdg
autostart or session startup script) but I haven't had the time
to investigate it yet. Feel free to open a bug to track this,
it'll be needed anyway for a SRU.

Karl's response:
Traditionally, I have in my .xinitrc:

eval `ssh-agent -s`
ssh-add ~/.ssh/identity ~/.ssh/id_rsa &

which is ugly, and probably no longer needed, but "works".

The current situation is a bit complicated, having gnome-keyring automatically unlocked on login involves a startup process in two steps, first it must be started and unlocked via the PAM module on login and after that the desired components (e.g. gpg-/shh-agent functionality) need to be initialized again and certain environment variables need to be set for the session. Details are at http://live.gnome.org/GnomeKeyring/RunningDaemon.

The main problem with the current Xfce desktop is that these environment variables are not properly set if GNOME-compatibility mode is disabled.
Because the components of gnome-keyring are initialized from desktop files in /etc/xdg/autostart the environment variables printed to stdout are simply lost. When using GNOME, gnome-keyring passes the environment variables via DBus to gnome-session, Xfce however doesn't implement that DBus interface and the only way to get these environment variables is enabling the GNOME-compatibility mode in xfce4-session which will run gnome-keyring --start again, capture its output and set the environment variables accordingly. This has two unwanted side-effects, gnome-keyring --start seems to enable all of gnome-keyring's components making it impossible to selectively disable components by modifying the corresponding autostart files and of course xfce4-session's GNOME-compatibility mode will also start everything in /etc/xdg/autostart which is marked OnlyShowIn=GNOME.

A separate but related problem affects the usage of plain GPG/SSH-agents without gnome-keyring. gpg-agent which can also provides ssh-agent functionality is started twice by default, first in /etc/X11/xdm/sys.xsession and later again in /etc/xdg/xfce4/xinitrc and that even if the gpg-agent functionality of gnome-keyring is used. /etc/X11/xdm/sys.xsession will not try to start ssh-agent if gnome-keyring is already running (although a running gnome-keyring does not necessarily imply that ssh-agent functionality will be provided because that could be disabled). /etc/X11/xdm/sys.xsession will however unconditionally start either seahorse-agent if seahorse is installed and the session is GNOME (although it would be perfectly fine to use with Xfce) or fall back to gpg-agent if installed. When gnome-keyring provides gpg-agent functionality this results in a useless seahorse-/gpg-agent process running in the session and is also inconsistent with how ssh-agent is handled. /etc/xdg/xfce4/xinitrc then does not detect an already running gpg-agent and starts yet another instance of gpg-agent with ssh-agent functionality (which may also be potentially useless if the corresponding gnome-keyring functionality is enabled) and thereby breaks the usage of plain ssh-/gpg-agent.

OK, trying to find a different way to make this work.

So if I would start gnome-keyring-daemon from my login script, i.e. .login for C-shell and derivatives, and set

GNOME_KEYRING_CONTROL
GNOME_KEYRING_PID

in the environment is this sufficient to get things moving or is the login shell too late?

In http://live.gnome.org/GnomeKeyring/Pam it is proclaimed that PAM looks for GNOME_KEYRING_CONTROL. Therefore my thought about getting things rolling in .login

Thoughts?

(In reply to comment #3)
> OK, trying to find a different way to make this work.
>
> So if I would start gnome-keyring-daemon from my login script, i.e. .login for
> C-shell and derivatives, and set
>
> GNOME_KEYRING_CONTROL
> GNOME_KEYRING_PID
>
> in the environment is this sufficient to get things moving or is the login
> shell too late?

Yes, that's too late, it will only affect the current shell. This would have to go into the session wrapper, but rather than such a hack the real solution would be to move the gnome-keyring support out of the GNOME compatibility mode of xfce4-session and make it a separate option. That's something I need to bring up with upstream but haven't gotten round to yet.
Unfortunately even that would not provide the ability to selectively enable/disable gnome-keyring components through autostart files because xfce4-session does not support early autostart files and modification of the session environment through DBus.

Well, one would think there must be some kind of work-around that lets me run gnome-keyring such that it is actually useful.

The background here is that it really bothers me to have my password in plain text format stored in .oscrc and apparently the keyring is the solution to this.

So I tried:

eval `/usr/bin/gnome-keyring-daemon --daemonize`

in my .xinitrc file. But the result was not pleasant. By the time the desktop was up and operational I had 3 gnome-keyring-daemon processes running, for whatever reason. How and why would that happen?

The second undesirable side effect was that the nm_applet was running but it was not showing up in the panel and I was unable to connect to a network.

The environment didn't appear to be completely setup either, the GPG and KEYRING environment variables were set but the SSH environment was not set.

I'd like to find some way, however hacky it may be to get the keyring stuff running. This at least would keep me going until a better solution is available from Xfce upstream.

Of course if there is yet another way to beat the osc authorization trap without running the keyring I am open to use that as well.

OK, have "working" but would like some input/review of my work-around.

Starting the keyring daemon in .xinitrc somehow causes trouble for the nm_applet, as mentioned in the previous comment. Thus I decided to try the login shell, i.e. .login file for tcsh (which I run).

In .login I know have the following:

set gkeyd=/usr/bin/gnome-keyring-daemon
set gkeydArgs="--start"
set gkeydInfo=~/.gnome2/keyrings/daemon-info
set countFile=~/.gnome2/keyrings/daemon-counter

if ( -r $gkeydInfo ) source $gkeydInfo
if ( $?GNOME_KEYRING_PID ) then
    set this=`ps -elf | grep ${GNOME_KEYRING_PID} | grep gnome-keyring-daemon > /dev/null`
    # start the daemon if it is not running
    if (( $? != 0 ) && ( -x "gkeyd" )) then
        $gkeyd $gkeydArgs | awk -F = '{print "setenv " $1 " " $2}' > $gkeydInfo
        echo "1" > $countFile
        source $gkeyInfo
    else
        set count=`cat ${countFile}`
        echo "$count + 1" | bc > $countFile
    endif
else
    $gkeyd $gkeydArgs | awk -F = '{print "setenv " $1 " " $2}' > $gkeydInfo
    echo "setenv GNOME_KEYRING_COUNTER ${$countFile}" >> $gkeydInfo
    echo "setenv GNOME_KEYRING_INFO ${gkeydInfo}" >> $gkeydInfo
    echo "1" > $countFile
    source $gkeydInfo
endif

After I restart everything is working, ssh-agent, which I start separately in .xinitrc as follows:

eval `/usr/bin/ssh-agent -s`
SSH_ASKPASS=/usr/lib64/ssh/ssh-askpass
if test -S "$SSH_AUTH_SOCK" -a -x "$SSH_ASKPASS"; then
       ssh-add < /dev/null
fi

And the keyring is running. Better yet running an osc command it actually appears to use the keyring and I no longer get stupid "auth" errors.

Now the problem. Although everything is running there was no ~/.gnome2/keyrings/daemon-info file and the daemon-counter was empty. Does the daemon somehow fiddle with the .gnome2/keyrings directory when it starts? I can certainly store the file somewhere else.

Other comments/thoughts on this solution?

I will test this for a while and if things work I'll write a blog on Lizards.

Argh, and one more thing. Is there any reason I should kill the keyring daemon on logout?

I would suggest the following workaround for now:

1. Open the Session settings:
   Settings -> Preferences -> Settings Manager -> Session and Startup
2. Enable GNOME compatibility mode:
   Go to Advanced, check "Launch GNOME services on startup"
3. Disable unwanted GNOME-only autostart files:
   Execute the following one-liner on the shell:
   for gnome_autostart in $(awk '/^OnlyShowIn=/ && /GNOME;/ && !/XFCE;/ { print FILENAME }' /etc/xdg/autostart/*); do : sed '$aHidden=true' ${gnome_autostart} >${HOME}/.config/autostart/${gnome_autostart##*/}; done

I'll talk to upstream later and see if we can move gnome-keyring support out of GNOME compatibility mode.

There's a typo, the one liner should read:

for gnome_autostart in $(awk '/^OnlyShowIn=/ && /GNOME;/ && !/XFCE;/ { print
FILENAME }' /etc/xdg/autostart/*); do sed '$aHidden=true' ${gnome_autostart}
>${HOME}/.config/autostart/${gnome_autostart##*/}; done

Thanks.

Still having issues with osc, but these appear to be osc problems now as the environment is certainly set.

ssh key management now works the same as it did when I was using GNOME.

After discussing this with upstream (see http://thread.gmane.org/gmane.comp.desktop.xfce.devel.version4/19646) there is now a RFE on the Xfce bugzilla. The proposed solution is to remove an explicit GNOME compatibility mode and the code currently associated with it and to add support for GNOME autostart phases to xfce4-session.

I've just added a patch to the upstream bug which implements a part of the discussed GNOME compatibility modernization and also addresses this bug.
Basically it removes obsolete parts of GNOME compatibility mode such as GNOME SMProxy compatibility and GConf shutdown. Furthermore it implements the discussed changes in how autostart files are treated, GNOME- or KDE-only files are now treated the same way as inactive files, they will not be unconditionally started in GNOME-/KDE-compatibility mode any more but are displayed in xfce4-session-settings and can be explicitly enabled.
This way GNOME compat mode can be safely enabled to start gnome-keyring while potentially unwanted and harmful services such as gnome-settings-daemon or gnome-power-manager will not be started by default any more.
xfce4-session packages which contain a backport of this patch are available for testing from home:gberh:branches:X11:xfce/xfce4-session.

This is an autogenerated message for OBS integration:
This bug (710038) was mentioned in
https://build.opensuse.org/request/show/87771 Factory / xfce4-session

Fixed in Factory.

(In reply to comment #14)
> Fixed in Factory.

it's back again in 12.3-RC1 (or never got fixed?) !

I'm using 12.3-RC1 plus updates and run XFCE4.

    /usr/bin/gnome-keyring-daemon --daemonize --login

gets started and it's loading offering all my ssh-keys, which is a no-go!

when debugging my ssh-agent problems, I found the hint in some discussions to rename/remove nome-keyring-daemon (or remove execute permission).

this worked fine for me -- until bug #805048:
NetworkManager needs gnome-keyring-daemon to ask for wifi passphrases :-((

so gnome-keyring-daemon is back in businees, and trashes my ssh usage:-(

looking for other solutions I found e.g.
http://ubuntuforums.org/showthread.php?t=1655397

but

     sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-keyring/daemon-components/ssh FALSE
does not help.

https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/932177/comments/20

does not work either for me, the key daemon still loads/offers all ssh keys (output of "ssh-add -l").

for now I've hacked the gnome-keyring-daemon to garble the path to my keys:

diff <( strings /usr/bin/gnome-keyring-daemon~ ) <( strings /usr/bin/gnome-keyring-daemon )
9543c9543
< ~/.ssh
---
> ~/@ssh

but of corse that's not the way to go:-(

so my question for running XFCE4:

how can I disable the ssh-agent functionality for gnome-keyring-daemon these days ???

thanks for the real[tm] solution!!!

(In reply to comment #15)
> (In reply to comment #14)
> > Fixed in Factory.
>
> it's back again in 12.3-RC1 (or never got fixed?) !
>
> I'm using 12.3-RC1 plus updates and run XFCE4.
>
> /usr/bin/gnome-keyring-daemon --daemonize --login
>
> gets started and it's loading offering all my ssh-keys, which is a no-go!
>
> when debugging my ssh-agent problems, I found the hint in some discussions to
> rename/remove nome-keyring-daemon (or remove execute permission).
>
> this worked fine for me -- until bug #805048:
> NetworkManager needs gnome-keyring-daemon to ask for wifi passphrases :-((
>
> so gnome-keyring-daemon is back in businees, and trashes my ssh usage:-(
>
> looking for other solutions I found e.g.
> http://ubuntuforums.org/showthread.php?t=1655397
>
> but
>
> sudo gconftool-2 --direct --config-source
> xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set
> /apps/gnome-keyring/daemon-components/ssh FALSE
> does not help.
>
>
> https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/932177/comments/20
>
> does not work either for me, the key daemon still loads/offers all ssh keys
> (output of "ssh-add -l").
>
>
> for now I've hacked the gnome-keyring-daemon to garble the path to my keys:
>
> diff <( strings /usr/bin/gnome-keyring-daemon~ ) <( strings
> /usr/bin/gnome-keyring-daemon )
> 9543c9543
> < ~/.ssh
> ---
> > ~/@ssh
>
>
> but of corse that's not the way to go:-(
>
>
> so my question for running XFCE4:
>
> how can I disable the ssh-agent functionality for gnome-keyring-daemon these
> days ???

That's currently not possible, you can either start all components of gnome-keyring-daemon (by enabling GNOME compatibility mode) or not start it at all. This bug was about making it work properly at all which has been the case since 12.1. The ability to selectively enable/disable components is a different issue and would need to be addressed upstream. Please file a new enhancement request, preferably on the upstream tracker or here if you want me to forward it for you.