Difference between revisions of "GNOME/Keyring"

From ArchWiki
(Gnome Keyring dialog and SSH)
(45 intermediate revisions by 27 users not shown)
Revision as of 16:26, 18 March 2014

From GnomeKeyring:

GNOME Keyring is a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications.
Note: Gnome Keyring does not support ECDSA keys. See Bug 641082.

Installation

If you are using GNOME, gnome-keyring was installed automatically as part of it. If you are using a different setup, install gnome-keyring from the official repositories.

Manage using GUI

# pacman -S seahorse

It is possible to leave the GNOME keyring password blank or change it. In seahorse, in the "View" dropdown, select "By Keyring". On the Passwords tab, right click on "Passwords: login" and pick "Change password." Enter the old password and leave empty the new password. You will be warned about using unencrypted storage; continue by pushing "Use Unsafe Storage."

Use Without GNOME, but with a display manager

Both SLiM and LightDM ship with /etc/pam.d/slim and /etc/pam.d/lightdm respectively, preconfigured to unlock the keyring upon login, so users no longer need to modify those files and the keyring works out of the box in most cases. If you use the keyring to unlock your SSH keys, though, make sure your ~/.zshenv contains:

 if [ -n "$DESKTOP_SESSION" ]; then
   # the display manager's PAM stack has already started the daemon
   if [ -n "$GNOME_KEYRING_PID" ]; then
     # add the ssh component and pick up the SSH_AUTH_SOCK it prints
     eval $(gnome-keyring-daemon --start --components=ssh)
     export SSH_AUTH_SOCK
   fi
 fi

Use Without GNOME and a display manager

It is possible to use GNOME Keyring without the rest of the GNOME desktop and a display manager. To do this, add the following to your ~/.xinitrc file:

# Start a D-Bus session
# Source the below file only if you do not already use the default xinitrc skeleton. 
# Otherwise you will end up with multiple dbus sessions.
source /etc/X11/xinit/xinitrc.d/30-dbus
# Start GNOME Keyring
eval $(/usr/bin/gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh)
# You probably need to do this too:
export GNOME_KEYRING_CONTROL GNOME_KEYRING_PID GPG_AGENT_INFO SSH_AUTH_SOCK

See FS#13986 for more info.

If you experience problems retrieving information from the keyring, make sure that the variables "DBUS_SESSION_BUS_ADDRESS" and "DBUS_SESSION_BUS_PID" are exported in the target environment.

Instructions on how to use GNOME Keyring in Xfce are in the SSH Agents section of the Xfce page.

SSH Keys

To add your SSH key:

$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/mith/.ssh/id_dsa:

To list automatically loaded keys:

$ ssh-add -L

To remove all loaded keys from the agent:

$ ssh-add -D

Now when you connect to a server, the key will be found and a dialog will pop up asking you for the passphrase. It has an option to automatically unlock the key when you log in. If you check this, you will not need to enter your passphrase again.

Integration with applications

Firefox: see Firefox#GNOME_Keyring_integration

Gnome Keyring dialog and SSH

Run the following in a terminal:

$ gnome-keyring-daemon -s

The output has a few lines, but the one of interest is SSH_AUTH_SOCK, for example:

GNOME_KEYRING_C.................
SSH_AUTH_SOCK=/run/user/1000/keyring-XXXXXX/ssh
GPG_AGENT_INF...................

Now add the following to your ~/.bashrc, adjusting the path to match the output of the previous command, for example:

SSH_AUTH_SOCK=`ss -xl | grep -o '/run/user/1000/keyring-.*/ssh'`
[ -z "$SSH_AUTH_SOCK" ] || export SSH_AUTH_SOCK

If you now run the following in your terminal:

$ echo $SSH_AUTH_SOCK

it will print something like:

/run/user/1000/keyring--XXXXXX/ssh

Now when you connect with ssh, the gnome-keyring dialog will open and ask for the passphrase.
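The .bashrc line above hard-codes uid 1000 and exports whatever grep finds. As an added example (not part of the ArchWiki page), the following POSIX shell functions do the same lookup for the current uid and export SSH_AUTH_SOCK only when the path really is a unix socket owned by the current user, so a stale or foreign path never becomes the agent ssh talks to; the ss -xl sample they parse is constructed.

```shell
#!/bin/sh
# Added example: locate the gnome-keyring SSH agent socket from `ss -xl` output
# and export SSH_AUTH_SOCK only after verifying the socket.

# Print the first keyring ssh socket path for the given uid found in ss -xl text
# read from stdin. Returns 1 if none is present.
extract_keyring_sock() {
  uid="$1"
  sock=$(grep -o "/run/user/$uid/keyring-[^[:space:]]*/ssh" | head -n 1)
  [ -n "$sock" ] || return 1
  printf '%s\n' "$sock"
}

# Accept a candidate only if it is a unix socket (-S) owned by us (-O); ssh would
# otherwise hand key operations to whatever happens to listen at that path.
check_agent_sock() {
  p="$1"
  [ -n "$p" ] && [ -S "$p" ] && [ -O "$p" ]
}

# Set SSH_AUTH_SOCK from the live ss -xl output, keeping an existing valid value.
set_ssh_auth_sock() {
  if check_agent_sock "$SSH_AUTH_SOCK"; then
    return 0
  fi
  cand=$(ss -xl 2>/dev/null | extract_keyring_sock "$(id -u)") || return 1
  check_agent_sock "$cand" || return 1
  SSH_AUTH_SOCK="$cand"
  export SSH_AUTH_SOCK
}

# Constructed sample of ss -xl output (not captured from a real system).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str LISTEN 0      128    /run/user/1000/keyring-AbCd12/ssh 12345 * 0
u_str LISTEN 0      128    /run/user/1000/keyring-AbCd12/pkcs11 12346 * 0'

# Usage from ~/.bashrc: set_ssh_auth_sock || echo "no keyring ssh agent found" >&2
```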

Flushing passphrases

   gnome-keyring-daemon -r -d

will start gnome-keyring-daemon and shut down previously running daemons. Note: if there are no previously running daemons, it will still start up.

What's a good way of checking whether it's already running?

Gnome Keyring and Git

The GNOME Keyring is useful with Git when you are pushing over HTTPS. First compile the helper:

$ cd /usr/share/git/credential/gnome-keyring
# make

Set Git up to use the helper:

$ git config --global credential.helper /usr/share/git/credential/gnome-keyring/git-credential-gnome-keyring

The next time you do a git push, you will be asked to unlock your keyring.

Unlock at Startup

GNOME's login manager (gdm) will automatically unlock the keyring once you log in; for others it is not so easy.

For SLiM, see SLiM#SLiM_and_Gnome_Keyring; for KDM, see KDM#KDM_and_Gnome-keyring.

If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring. Note: your passwords will be stored unencrypted if you do this.

If you use console-based login, automatic unlocking of the keyring can be achieved by the following changes in /etc/pam.d/login: add auth optional pam_gnome_keyring.so at the end of the auth section and session optional pam_gnome_keyring.so auto_start at the end of the session section. The result should look similar to this:

#%PAM-1.0

auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so        auto_start

Next, add password optional pam_gnome_keyring.so to the end of /etc/pam.d/passwd. The file should look somewhat like this:

#%PAM-1.0
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required	pam_unix.so sha512 shadow use_authtok
password	required	pam_unix.so sha512 shadow nullok
password	optional	pam_gnome_keyring.so

Note: To use automatic unlocking, the same password must be set for the user account and the keyring.
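Getting the order of the PAM lines wrong silently leaves the keyring locked. As an added example (not part of the ArchWiki page), this POSIX shell function reads a PAM service file on stdin and checks for the two pam_gnome_keyring.so rules described above, including that the auth rule comes after the system-local-login include: pam_gnome_keyring.so reuses the password pam_unix has already collected, so it has to run after it. The two sample files are constructed.

```shell
# Added example: validate the pam_gnome_keyring.so wiring of a PAM service file
# read from stdin. Prints what is wrong and returns 1; returns 0 when correct.
check_keyring_pam() {
  status=0
  # drop comments and blank lines so line numbers refer to rules only
  rules=$(grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' || true)
  rule_no() { printf '%s\n' "$rules" | grep -nE "$1" | cut -d: -f1 | head -n 1; }
  auth_inc=$(rule_no '^auth[[:space:]]+include[[:space:]]+system-local-login')
  auth_kr=$(rule_no '^auth[[:space:]]+optional[[:space:]]+pam_gnome_keyring\.so')
  sess_kr=$(rule_no '^session[[:space:]]+optional[[:space:]]+pam_gnome_keyring\.so[[:space:]]+auto_start')
  if [ -z "$auth_kr" ]; then
    echo "missing: auth optional pam_gnome_keyring.so"; status=1
  elif [ -n "$auth_inc" ] && [ "$auth_kr" -lt "$auth_inc" ]; then
    # the keyring module needs the password pam_unix (via the include) collected
    echo "auth pam_gnome_keyring.so must come after 'auth include system-local-login'"; status=1
  fi
  if [ -z "$sess_kr" ]; then
    echo "missing: session optional pam_gnome_keyring.so auto_start"; status=1
  fi
  return $status
}

# Constructed sample files (not copied from a real system): one matching the
# layout above, one with the keyring auth rule too early and no session rule.
PAM_GOOD='#%PAM-1.0
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so        auto_start'
PAM_BAD='#%PAM-1.0
auth       optional     pam_gnome_keyring.so
auth       include      system-local-login
account    include      system-local-login
session    include      system-local-login'

# Usage against the real file: check_keyring_pam < /etc/pam.d/login
```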

Useful Tools

gnome-keyring-query

gnome-keyring-query from the AUR provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring.