Comment 0 for bug 137247

Bogdan Butnaru (bogdanb) wrote :

Binary package hint: libpam-keyring

This is on up-to-date Gutsy:

libpam-keyring doesn't work correctly when set up together with gdm's autologin feature.

As expected, GDM automatically logs in the correct user. However, libpam-keyring fails to retrieve the user's password (probably because it wasn't entered) and instead displays a dialog box asking for it, which defeats the purpose of the plugin. Instead, if the password isn't available it should just do nothing (perhaps log a message somewhere) and allow the normal keyring unlocking to work (e.g., let Network Manager ask for the password when it needs it).

Also, the dialog where libpam-keyring asks for the password does NOT mask the entered password (e.g., with asterisks), making it visible on the screen. That's why I'm marking this as a (minor) security vulnerability.

It's likely that libpam cannot actually retrieve the password on autologins (I assume GDM just "su -"s into the username, so it doesn't actually know the password), in which case this should be attached as a "wishlist" bug for GDM or gnome-keyring. For instance, gnome-keyring might allow itself to be unlocked by the "root" user as an optional feature.

Here's my config:

$ cat /etc/pam.d/gdm-autologin
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
auth optional pam_keyring.so try_first_pass
@include common-account
session required pam_limits.so
session optional pam_keyring.so
@include common-session
@include common-password
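
An added illustration, not part of the original report and not libpam-keyring code: a small Python check that parses a PAM service file and reports auth modules given try_first_pass or use_first_pass when no earlier module in the stack collects a password, which is the situation in the gdm-autologin file quoted above. The PASSWORD_SOURCES list and all function names are assumptions made for the example, and @include lines are not followed.

```python
import re

# Assumption: modules that prompt for a password and store it for later
# modules in the stack. Illustrative list, not exhaustive.
PASSWORD_SOURCES = {"pam_unix.so", "pam_ldap.so", "pam_krb5.so", "pam_sss.so"}
REUSE_OPTS = {"try_first_pass", "use_first_pass"}

# Constructed sample input: lines copied from the gdm-autologin file in the report.
SAMPLE = """\
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
auth optional pam_keyring.so try_first_pass
@include common-account
session required pam_limits.so
session optional pam_keyring.so
"""

# type, control (plain word or [bracketed] form), module path, options
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, mgmt="auth"):
    """Return [(control, module, options)] for one management group."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and the #%PAM header
        m = LINE.match(line)                  # @include and blank lines do not match
        if not m or m.group(1) != mgmt:
            continue
        module = m.group(3).rsplit("/", 1)[-1]
        entries.append((m.group(2), module, m.group(4).split()))
    return entries

def password_reuse_without_source(text):
    """List (module, option) pairs that expect a password nobody collected."""
    findings, have_password = [], False
    for _control, module, opts in parse_stack(text):
        reuse = sorted(REUSE_OPTS & set(opts))
        if reuse and not have_password:
            findings.append((module, reuse[0]))
        if module in PASSWORD_SOURCES:
            have_password = True
    return findings

if __name__ == "__main__":
    for module, opt in password_reuse_without_source(SAMPLE):
        print(f"{module}: {opt} set, but no earlier auth module collects a password")
```

A module flagged with try_first_pass will fall back to prompting on its own; one flagged with use_first_pass will fail instead of prompting.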