NM requires keyring password to connect to WEP/WPA network

Bug #34898 reported by sam tygier on 2006-03-14
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Fix Released
network-manager (Ubuntu)

Bug Description

network manager stores WEP keys in gnome keyring. this means it needs a password to be given to connect to a WEP network.

this seems like an unnecissary hassle.

there appears to be no way for NM to store WEP keys its self, or to grant it automatic access to the keyring

Dennis Kaarsemaker (dennis) wrote :

Upstream is planning to implement global configuration (ie: no more gnome-keyring) for 0.7

Changed in network-manager:
status: Unconfirmed → Confirmed
sam tygier (samtygier) wrote :

this is not a dupe of bug #35225.
bug #35225 is about NM asking for the WEP key again if it failed to connect.
this bugs is about asking for the gnomekeyring password before making a connection.

This also applies to getting WPA-keys of course.
I'm guessing that 0.7 will not (unfortunately) be in Dapper, seing that 0.6 supposedly was a stretch.
Hoping for a patch then. Reason:
 if Network-manager is supposed to be more or less standard in Dapper, we should save users from having to punch in their password to let nm-applet connect. Network-manager is very good for laptops, and that means a lot of rebooting, which would make this problem *very* visible.

- Ketil

sam tygier (samtygier) wrote :

is gnome keyring scriptable? can something be made to unlock the keyring at log in.

j^ (j) wrote :

you can find a pam module that would unlock the default keyring
with the users login password during login.
the problem is that this plugin requires pam>=0.99
which is not in ubuntu right now. so its rather unlikely that
this will make it into dapper. i am sure this will be in dapper+1 though.

Andrew Conkling (andrewski) wrote :

I just made a mess. I didn't see the link on the right side for the GNOME bug, and I couldn't find one on bugzilla, so I reported one, linked it here, and only then noticed the existing bug.

At this point, I marked this affecting upstream, so that the link is more centralized, and there are now two bugs linked on the right. I'd remove it if I knew how.

I guess it's just not my day. O_o

Changed in network-manager:
status: Confirmed → In Progress

pam_keyring 0.0.8 now also compiles with PAM >=0.77. And it works fine here.

Scott Robinson (scott-ubuntu) wrote :

Confirmed in edgy.

Brian Ross (bross-scu) wrote :

I also have this problem in Edgy. I love Network Manager, but I do think there is some work to do before it is perfected. I'd like it to have a WEP key manager in the program so that one could edit/delete/add/prioritize wireless networks stored on the machine.


Some thoughts ... since festy will support network roaming, this could become a great pain... imagine everytime you roam having to enter your keyring key.

magilus (magilus) wrote :

Yeah, this can definitely confuse users (first they have to enter a keyring password two times, then they have to enter a keyring password every time they want to connect to an encrypted network; just compare this with winxp).

Feisty should probably ship with a modified n-m version, which has an extra checkbox in the dialogue asking for the network encryption key if the user has admin privileges:

[x] System wide encryption key

This should be preselected so that the key is being saved in a safe location, which is not world readable.

If it is not being selected, the current behavior should be used.

Workaround: libpam-keyring ... isnt storing the key in a safe location (i.e gnome-keyring) a better idea than creating another key store. libpam-keyring should be standard, and the keyring should have a difinition (on a per-key basis) which keys can be opened without password and which need a special (i.e more complicated) password.

libpam-keyring works flawlessly (gutsy)
Once installed you have to manually edit the file below to activate it

From /etc/pam.d/gdm
auth requisite pam_nologin.so
auth required pam_env.so
@include common-auth
@include common-pamkeyring ------------ Insert this line
@include common-account

Bryan Moore (moore-bryan) wrote :

hey rick...
does this work if one would change the /etc/pam.d/login file instread? i don't use gdm (or xdm/kdm for that matter).

Robert (ubuntu-10-rmn30) wrote :

Having to enter my password for the gnome keyring annoyed me so much that I patched the gnome nm-applet to just store the key in gconf with the rest of the network parameters. Pamkeyring is not a solution for me since I use passwordless login with gdm (I am very lazy).

Obviously this is somewhat lacking in terms of security, but if someone untrusted has access to my gconf settings I have more to worry about than my network key...

Franklin Bynum (frabyn) wrote :

This is fixed in Gutsy. libpam-gnome-keyring is a dependency of ubuntu-desktop, and fixes this problem. It works like a charm. Robert, perhaps that fixes your problem. Should this bug even remain open?

Robert (ubuntu-10-rmn30) wrote :

Hi Frank,

I'm guessing that libpam-gnome-keyring only works if you enter your password at the gdm login screen i.e. not if you configure gnome to do an autologin (I could be wrong -- don't have gutsy installed to check). Thus you will always have to enter at least one password before using encrypted wireless. This is a good thing in terms of security of course, and is probably appropriate for the default install.

On the other hand it doesn't really suit me, so I made a patch which gives more convenience at the expense of some security. Perhaps we could add an option to allow the applet to run in this less secure mode if the user requests it?



Franklin Bynum (frabyn) wrote :


You're correct that using autologin requires you to enter a password to unlock.

This bug then perhaps could stay open, to represent the idea that NM using gnome-keyring to store this information may be less than ideal (under the assumption that passwordless logon to a computer connected via wireless is a goal of this distro). I don't know if the better answer is further changing libpam-gnome-keyring to include autologin or just changing NM entirely.

The former seems like the road already taken, and seems more desirable. Creating a process in NM to store encrypted passwords goes against some fundamental GNU/Linux principles. Interoperability and calling specific programs to do specific work still seems the best option.

Perhaps someone should file a bug against libpam-gnome-keyring to correct autologin behavior.

Bogdan Butnaru (bogdanb) wrote :

I can confirm that it doesn't work with autologin. There's a bug already filled, bug #137247

And I too would like NM to work without the keyring. I can appreciate why the keyring is a nice idea, but in practice I've had so many problems with it I resorted to keeping all my network passwords in a plain-text file on my desktop... If it's safe enough to keep SSH's private keys in a permissions-protected file in my home directory, why isn't that good enough for NM?

I know this is for another bug report, but it would be even greater if NM worked even when I'm _not_ logged in in X. I'm always having lots of trouble connecting to the wireless network when I'm in single user mode (eg, if I need to get a package to fix my system). Is that in the works?

Noam Samuel (noamsml) wrote :

Also, pam-keyring can fail if user changes password. Generally speaking, pam-keyring is a hack solution. It could work, but it just adds unnecessary complication for a mostly trivial security gain. There are things I'd encrypt using a keyring system, a network password isn't one of them.

it works for me on gutsy! thanks for the improvement!


as the upstream bug points out, this will be fixed in network manager 0.7. Another option would be to automatically unlock the keyring during login ... but that should be dealt with in a nother place (not network manager).

Changed in network-manager:
status: Confirmed → In Progress
Scott Robinson (scott-ubuntu) wrote :

Fixed in gutsy with improvements all over the place.

Using Gutsy as of three days ago.
I had automatic login set up, and had to enter password to connect to my wpa-secured network up to 10 times before it let me in. (That is, not the Gnome-keyring password, but the wpa-password) I know I used the right password, and the connection is strong. With autologin the network has not let me in without giving the password at least 5 times.
Disabling autologin gets me the same connection without other user input. Hasn't failed.
Rather weird.

Robert (ubuntu-10-rmn30) wrote :

I can confirm that there is something quite weird going on with autologin and network manger (gnome). I upgraded to gutsy from feisty and found I was prompted to enter the _keyring_ password (not network key) twice. Even after this there's no guarantee I'll have a network connection. Manually configuring the interface using iwconfig, wpa_supplicant and dhclient seems to work better.

Tormod Volden (tormodvolden) wrote :

The auto-login issues are bug #140755 or bug #137247.

I believe the original issue is this bug report is fixed, so I close it.

Changed in network-manager:
status: In Progress → Fix Released
Changed in network-manager:
status: In Progress → Fix Released
poppyer (gaofeng) wrote :

no luck, still this problem in the newest 9.10 release

Unbelievable. Will wait for version 10 to recheck.

On Fri, Oct 30, 2009 at 11:35 PM, poppyer <email address hidden> wrote:

> no luck, still this problem in the newest 9.10 release
> --
> Requires keyring password to connect to WEP/WPA network
> https://bugs.launchpad.net/bugs/34898
> You received this bug notification because you are a direct subscriber
> of the bug.

Still present in 9.10
2.6.31-15-generic #50-Ubuntu SMP

Tormod Volden (tormodvolden) wrote :

Please open a new bug. This bug has been closed a long time ago. There is probably another reason for the issues seen in 9.10.

Andrew (andrew-craucamp) wrote :

Four years later and this bug still exists. That is completely unacceptable.

Changed in network-manager:
importance: Unknown → Wishlist
summary: - Requires keyring password to connect to WEP/WPA network
+ NM Requires keyring password to connect to WEP/WPA network
summary: - NM Requires keyring password to connect to WEP/WPA network
+ NM requires keyring password to connect to WEP/WPA network
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.