Difference between revisions of "GNOME/Keyring"
(→Use Without GNOME) |
The Compiler (talk | contribs) (Add Installation section to avoid confusion) |
||
(17 intermediate revisions by 11 users not shown) | |||
Line 1: | Line 1: | ||
− | [[Category: | + | [[Category:GNOME]] |
From [https://live.gnome.org/GnomeKeyring/ GnomeKeyring]: | From [https://live.gnome.org/GnomeKeyring/ GnomeKeyring]: | ||
:''GNOME Keyring is a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications.'' | :''GNOME Keyring is a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications.'' | ||
{{Note| 1=Gnome Keyring does not support ECDSA keys. See [https://bugzilla.gnome.org/show_bug.cgi?id=641082 Bug 641082].}} | {{Note| 1=Gnome Keyring does not support ECDSA keys. See [https://bugzilla.gnome.org/show_bug.cgi?id=641082 Bug 641082].}} | ||
+ | == Installation == | ||
+ | If you're using GNOME, gnome-keyring got installed automatically as a part of it. If you're using a different setup, install {{Pkg|gnome-keyring}} from the [[official repositories]]. | ||
+ | |||
== Manage using GUI == | == Manage using GUI == | ||
− | pacman -S seahorse | + | # pacman -S seahorse |
It is possible to leave the GNOME keyring password blank or change it. In seahorse, in the "View" dropdown, select "By Keyring". On the Passwords tab, right click on "Passwords: login" and pick "Change password." Enter the old password and leave empty the new password. You will be warned about using unencrypted storage; continue by pushing "Use Unsafe Storage." | It is possible to leave the GNOME keyring password blank or change it. In seahorse, in the "View" dropdown, select "By Keyring". On the Passwords tab, right click on "Passwords: login" and pick "Change password." Enter the old password and leave empty the new password. You will be warned about using unencrypted storage; continue by pushing "Use Unsafe Storage." | ||
Line 14: | Line 17: | ||
eval $(/usr/bin/gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh) | eval $(/usr/bin/gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh) | ||
# You probably need to do this too: | # You probably need to do this too: | ||
− | + | export GNOME_KEYRING_CONTROL GNOME_KEYRING_PID GPG_AGENT_INFO SSH_AUTH_SOCK | |
− | |||
− | export GNOME_KEYRING_CONTROL | ||
− | |||
See {{bug|13986}} for more info. | See {{bug|13986}} for more info. | ||
If you experience problems retrieving information from the keyring, make sure that the variables "DBUS_SESSION_BUS_ADDRESS" and "DBUS_SESSION_BUS_PID" are exported in the target environment. | If you experience problems retrieving information from the keyring, make sure that the variables "DBUS_SESSION_BUS_ADDRESS" and "DBUS_SESSION_BUS_PID" are exported in the target environment. | ||
− | + | Instructions on how to use GNOME Keyring in Xfce are in the [[Xfce#SSH_Agents|SSH Agents section]] on that page. | |
− | |||
== SSH Keys == | == SSH Keys == | ||
Line 43: | Line 42: | ||
== Integration with applications == | == Integration with applications == | ||
− | * [[Firefox# | + | * [[Firefox#GNOME_Keyring_integration]] |
== Gnome Keyring dialog and SSH == | == Gnome Keyring dialog and SSH == | ||
Line 59: | Line 58: | ||
Now you should add to your {{ic|~/.bashrc}}, according to the output of the previous command, for example: | Now you should add to your {{ic|~/.bashrc}}, according to the output of the previous command, for example: | ||
− | SSH_AUTH_SOCK=` | + | SSH_AUTH_SOCK=`ss -xl | grep -o '/run/user/1000/keyring-.*/ssh$'` |
[ -z "$SSH_AUTH_SOCK" ] || export SSH_AUTH_SOCK | [ -z "$SSH_AUTH_SOCK" ] || export SSH_AUTH_SOCK | ||
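Review bot: The new `SSH_AUTH_SOCK=` line hardcodes `/run/user/1000`, so for any account whose uid is not 1000 the `grep -o` matches nothing and the variable stays empty. If `ss -xl` lists more than one matching keyring path, the variable receives several lines. Build the prefix from `$(id -u)` or `$XDG_RUNTIME_DIR`, take only the first match, and say in the text that the guard on the following line skips the export when nothing was found.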
Line 71: | Line 70: | ||
Now when you connect with ssh, gnome-keyring dialog will launch the "entry of the passphrase" | Now when you connect with ssh, gnome-keyring dialog will launch the "entry of the passphrase" | ||
+ | |||
+ | == Gnome Keyring and Git == | ||
+ | The Gnome keyring is useful in use with Git when you are pushing over https. | ||
+ | First compile the helper | ||
+ | $ cd /usr/share/git/credential/gnome-keyring | ||
+ | # make | ||
+ | Set Git up to use the helper | ||
+ | $ git config --global credential.helper /usr/share/git/credential/gnome-keyring/git-credential-gnome-keyring | ||
+ | Next time you do a git push, you'll be asked to unlock your keyring | ||
== Unlock at Startup == | == Unlock at Startup == | ||
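Review bot: In the added Git section the build step runs `make` as root inside `/usr/share/git/credential/gnome-keyring`, but the text does not say whether anything beyond git has to be installed for the build to succeed. State the prerequisites, and end the step sentences ("First compile the helper", "Set Git up to use the helper") with colons so they read as lead-ins to the commands that follow.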
Line 78: | Line 86: | ||
If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring. '''Note''': your passwords will be stored unencrypted if you do this. | If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring. '''Note''': your passwords will be stored unencrypted if you do this. | ||
+ | |||
+ | If you use console based login, automatic unlocking of the keyring can be achieved by the following changes in {{ic|/etc/pam.d/login}}: | ||
+ | Add {{ic|auth optional pam_gnome_keyring.so}} at the end of the {{ic|auth}} section and {{ic|session optional pam_gnome_keyring.so auto_start}} at the end of the {{ic|session}} section. The result should look look similar to this: | ||
+ | #%PAM-1.0 | ||
+ | |||
+ | auth required pam_securetty.so | ||
+ | auth requisite pam_nologin.so | ||
+ | auth include system-local-login | ||
+ | auth optional pam_gnome_keyring.so | ||
+ | account include system-local-login | ||
+ | session include system-local-login | ||
+ | session optional pam_gnome_keyring.so auto_start | ||
+ | |||
+ | Next, add {{ic|password optional pam_gnome_keyring.so}} to the end of {{ic|/etc/pam.d/passwd}}. The file should look somewhat like this: | ||
+ | #%PAM-1.0 | ||
+ | #password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 | ||
+ | #password required pam_unix.so sha512 shadow use_authtok | ||
+ | password required pam_unix.so sha512 shadow nullok | ||
+ | password optional pam_gnome_keyring.so | ||
+ | |||
+ | {{Note|To use automatic unlocking, the same password for the user account and the keyring have to be set.}} | ||
+ | |||
== Useful Tools == | == Useful Tools == | ||
=== gnome-keyring-query === | === gnome-keyring-query === | ||
{{AUR|gnome-keyring-query}} from the AUR provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring. | {{AUR|gnome-keyring-query}} from the AUR provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring. |
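Review bot: The added `/etc/pam.d/passwd` example shows a `pam_unix.so sha512 shadow nullok` line and two commented-out `password required` lines beside the single line the text asks for, so a reader may copy the whole file instead of appending `password optional pam_gnome_keyring.so`. Mark which lines are new in both PAM examples, and fix the doubled word in "should look look similar".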
Revision as of 07:39, 9 August 2013
From GnomeKeyring:
- GNOME Keyring is a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications.
Installation
If you are using GNOME, gnome-keyring was installed automatically as part of it. If you are using a different setup, install gnome-keyring from the official repositories.
Manage using GUI
# pacman -S seahorse
It is possible to leave the GNOME keyring password blank or change it. In seahorse, in the "View" dropdown, select "By Keyring". On the Passwords tab, right-click on "Passwords: login" and pick "Change password". Enter the old password and leave the new password empty. You will be warned about using unencrypted storage; continue by clicking "Use Unsafe Storage".
Use Without GNOME
It is possible to use GNOME Keyring without the rest of the GNOME desktop. To do this, add the following to your ~/.xinitrc file:
# Start a D-Bus session
source /etc/X11/xinit/xinitrc.d/30-dbus
# Start GNOME Keyring
eval $(/usr/bin/gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh)
# You probably need to do this too:
export GNOME_KEYRING_CONTROL GNOME_KEYRING_PID GPG_AGENT_INFO SSH_AUTH_SOCK
See FS#13986 for more info.
If you experience problems retrieving information from the keyring, make sure that the variables "DBUS_SESSION_BUS_ADDRESS" and "DBUS_SESSION_BUS_PID" are exported in the target environment.
Instructions on how to use GNOME Keyring in Xfce are in the SSH Agents section of the Xfce page.
SSH Keys
To add your SSH key:
$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/mith/.ssh/id_dsa:
To list automatically loaded keys:
$ ssh-add -L
To disable all keys:
$ ssh-add -D
Now when you connect to a server, the key will be found and a dialog will pop up asking you for the passphrase. It has an option to automatically unlock the key when you log in. If you check this, you will not need to enter your passphrase again!
Integration with applications
Gnome Keyring dialog and SSH
Run the following in a terminal:
$ gnome-keyring-daemon -s
The output will contain a few lines, but we are only interested in SSH_AUTH_SOCK, for example:
GNOME_KEYRING_C.................
SSH_AUTH_SOCK=/run/user/1000/keyring-XXXXXX/ssh
GPG_AGENT_INF...................
Now add the following to your ~/.bashrc, adjusted according to the output of the previous command, for example:
SSH_AUTH_SOCK=`ss -xl | grep -o '/run/user/1000/keyring-.*/ssh$'`
[ -z "$SSH_AUTH_SOCK" ] || export SSH_AUTH_SOCK
If you run the following in your terminal:
$ echo $SSH_AUTH_SOCK
it will return something like the following:
/run/user/1000/keyring--XXXXXX/ssh
Now when you connect with ssh, the gnome-keyring dialog will open and ask for the passphrase.
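The ~/.bashrc snippet above depends on a fixed uid and on parsing ss output. The following is an added example, not part of the original wiki page: it looks the socket up under the current user's runtime directory and exports it only if it is a real socket owned by that user. The function name keyring_ssh_sock is hypothetical, and the fallback to /run/user/<uid> when XDG_RUNTIME_DIR is unset is an assumption.

```shell
# Added example (not from the wiki page).
# keyring_ssh_sock [BASE]
#   Prints the path of the keyring SSH agent socket below BASE and returns 0,
#   or returns 1 when no acceptable socket exists.
#   BASE defaults to $XDG_RUNTIME_DIR, then to /run/user/<uid> (assumption).
keyring_ssh_sock() {
    base=${1:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}}
    base=${base%/}                      # a trailing slash would break -path
    [ -d "$base" ] || return 1
    # Accept only a socket (-type s) owned by the invoking user, named "ssh",
    # directly inside a directory whose name starts with "keyring".
    sock=$(find "$base" -maxdepth 2 -type s -user "$(id -u)" \
               -path "$base/keyring*/ssh" 2>/dev/null | head -n 1)
    [ -n "$sock" ] || return 1
    printf '%s\n' "$sock"
}

# In ~/.bashrc: leave SSH_AUTH_SOCK untouched when nothing valid was found.
if found=$(keyring_ssh_sock); then
    SSH_AUTH_SOCK=$found
    export SSH_AUTH_SOCK
fi
```

A regular file or a socket owned by another user at the expected path is ignored, so a stale or planted entry never ends up in SSH_AUTH_SOCK.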
Gnome Keyring and Git
The Gnome keyring is useful with Git when you are pushing over https.
First compile the helper:
$ cd /usr/share/git/credential/gnome-keyring
# make
Set Git up to use the helper:
$ git config --global credential.helper /usr/share/git/credential/gnome-keyring/git-credential-gnome-keyring
Next time you do a git push, you will be asked to unlock your keyring.
Unlock at Startup
GNOME's login manager (gdm) will automatically unlock the keyring once you log in; for others it is not so easy.
For SLiM, see SLiM#SLiM_and_Gnome_Keyring. This method works for KDM as well, but you need to edit /etc/pam.d/kde instead of /etc/pam.d/slim.
If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring. Note: your passwords will be stored unencrypted if you do this.
If you use console-based login, automatic unlocking of the keyring can be achieved by the following changes in /etc/pam.d/login:
Add auth optional pam_gnome_keyring.so at the end of the auth section and session optional pam_gnome_keyring.so auto_start at the end of the session section. The result should look similar to this:
#%PAM-1.0
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so auto_start
Next, add password optional pam_gnome_keyring.so to the end of /etc/pam.d/passwd. The file should look somewhat like this:
#%PAM-1.0
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password required pam_unix.so sha512 shadow use_authtok
password required pam_unix.so sha512 shadow nullok
password optional pam_gnome_keyring.so
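To confirm that the PAM edits above ended up where the text places them, the following added example (not part of the original wiki page) checks that the keyring module is the last active line of its type, uses the optional control, and carries auto_start on the session line. The function names check_keyring_pam, audit_login and sample_login are hypothetical; the sample file is the page's own /etc/pam.d/login example.

```shell
# Added example (not from the wiki page); it only reads the files it is given.
# check_keyring_pam FILE TYPE [ARG]
#   Succeeds when the last active TYPE line in FILE reads
#   "TYPE optional pam_gnome_keyring.so", carrying ARG when one is given.
check_keyring_pam() {
    awk -v type="$2" -v arg="$3" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $1 == type { $1 = $1; last = $0; ctl = $2; mod = $3 }
        END {
            if (mod != "pam_gnome_keyring.so") {
                print type ": pam_gnome_keyring.so is not the last " type " line"
                exit 1
            }
            if (ctl != "optional") {
                print type ": control is \"" ctl "\", expected optional"
                exit 1
            }
            if (arg != "" && index(" " last " ", " " arg " ") == 0) {
                print type ": argument " arg " is missing"
                exit 1
            }
        }' "$1"
}

# audit_login FILE: both edits to the login service file must be in place.
audit_login() {
    rc=0
    check_keyring_pam "$1" auth || rc=1
    check_keyring_pam "$1" session auto_start || rc=1
    return "$rc"
}

# The login file as shown on the page, used as sample input.
sample_login() {
    cat <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so auto_start
EOF
}
# On a live system: audit_login /etc/pam.d/login
#                   check_keyring_pam /etc/pam.d/passwd password
```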
Useful Tools
gnome-keyring-query
gnome-keyring-query from the AUR provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring.