Difference between revisions of "GNOME/Keyring"

From ArchWiki
Jump to: navigation, search
m (Gnome Keyring and Git)
(When using i3 without display-manager, xinitrc method may require another step)
 
(95 intermediate revisions by 46 users not shown)
Line 1: Line 1:
 
[[Category:GNOME]]
 
[[Category:GNOME]]
From [https://live.gnome.org/GnomeKeyring/ GnomeKeyring]:
+
[[ja:GNOME Keyring]]
:''GNOME Keyring is a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications.''
+
[https://wiki.gnome.org/Projects/GnomeKeyring GNOME Keyring] is "a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications."
{{Note| 1=Gnome Keyring does not support ECDSA keys. See [https://bugzilla.gnome.org/show_bug.cgi?id=641082 Bug 641082].}}
+
 
 +
{{Note|There are some [[#Known issues]].}}
 +
 
 +
== Installation ==
 +
 
 +
When using GNOME, {{Pkg|gnome-keyring}} is installed automatically as a part of the {{grp|gnome}} group. Otherwise [[install]] the {{Pkg|gnome-keyring}} package. Install {{Pkg|libsecret}} to allow applications to use your keyrings. {{Pkg|libgnome-keyring}} is deprecated.
 +
 
 +
Extra utilities related to GNOME keyring include:
 +
* {{App|secret-tool|Access the GNOME keyring (and any other service implementing the [http://standards.freedesktop.org/secret-service/ DBus Secret Service API]) from the command line.|https://wiki.gnome.org/Projects/Libsecret|{{Pkg|libsecret}}}}
 +
* {{App|gnome-keyring-query|Provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring.|http://www.gentoo-wiki.info/HOWTO_Use_gnome-keyring_to_store_SSH_passphrases|{{AUR|gnome-keyring-query}}}}
 +
* {{App|gkeyring|Query passwords from the command line, the [[Git]] version can list all passwords without needing to know name or id of the item|https://github.com/kparal/gkeyring|{{AUR|gkeyring}}, {{AUR|gkeyring-git}}}}
 +
 
 
== Manage using GUI ==
 
== Manage using GUI ==
# pacman -S seahorse
 
It is possible to leave the GNOME keyring password blank or change it. In seahorse, in the "View" dropdown, select "By Keyring". On the Passwords tab, right click on "Passwords: login" and pick "Change password." Enter the old password and leave empty the new password. You will be warned about using unencrypted storage; continue by pushing "Use Unsafe Storage."
 
  
== Use Without GNOME ==
+
You can manage the contents of GNOME Keyring using Seahorse. [[Install]] it with the package {{Pkg|seahorse}}.
It is possible to use GNOME Keyring without the rest of the GNOME desktop. To do this, add the following to your {{ic|~/.xinitrc}} file:
+
 
  # Start a D-Bus session
+
It is possible to leave the GNOME keyring password blank or change it. In seahorse, in the "View" drop-down menu, select "By Keyring". On the Passwords tab, right click on "Passwords: login" and pick "Change password." Enter the old password and leave empty the new password. You will be warned about using unencrypted storage; continue by pushing "Use Unsafe Storage."
source /etc/X11/xinit/xinitrc.d/30-dbus
+
 
# Start GNOME Keyring
+
== Using the keyring outside GNOME ==
eval $(/usr/bin/gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh)
+
 
# You probably need to do this too:
+
=== Without a display manager ===
export SSH_AUTH_SOCK
+
 
export GPG_AGENT_INFO
+
==== Automatic login ====
export GNOME_KEYRING_CONTROL
+
 
export GNOME_KEYRING_PID
+
If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring.
See {{bug|13986}} for more info.
+
{{Note| The passwords are stored unencrypted in this case.}}
 +
 
 +
==== Console login ====
 +
 
 +
When using console-based login, the keyring daemon can be started by either [[PAM]] or [[xinitrc]]. PAM can also unlock the keyring automatically at login.
 +
 
 +
===== PAM method =====
 +
 
 +
Start the gnome-keyring-daemon from {{ic|/etc/pam.d/login}}:
 +
 
 +
Add {{ic|auth optional pam_gnome_keyring.so}} at the end of the {{ic|auth}} section and {{ic|session optional pam_gnome_keyring.so auto_start}} at the end of the {{ic|session}} section.
 +
 
 +
{{hc|/etc/pam.d/login|
 +
#%PAM-1.0
 +
   
 +
auth      required    pam_securetty.so
 +
auth      requisite    pam_nologin.so
 +
auth      include      system-local-login
 +
'''auth      optional    pam_gnome_keyring.so'''
 +
account    include      system-local-login
 +
session    include      system-local-login
 +
'''session   optional    pam_gnome_keyring.so        auto_start'''}}
 +
 
 +
Next, add {{ic|password optional pam_gnome_keyring.so}} to the end of {{ic|/etc/pam.d/passwd}}.
 +
{{hc|/etc/pam.d/passwd|2=
 +
#%PAM-1.0
 +
 
 +
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
 +
#password required pam_unix.so sha512 shadow use_authtok
 +
password required pam_unix.so sha512 shadow nullok
 +
'''password optional pam_gnome_keyring.so'''}}
 +
 
 +
{{Note|
 +
* To use automatic unlocking, the same password for the user account and the keyring have to be set.
 +
* You will still need the code in {{ic|~/.xinitrc}} below in order to export the environment variables required.}}
 +
 
 +
===== xinitrc method =====
 +
 
 +
Start the gnome-keyring-daemon from [[xinitrc]]:
 +
 
 +
{{hc|~/.xinitrc|<nowiki>
 +
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
 +
export SSH_AUTH_SOCK
 +
</nowiki>}}
 +
 
 +
See [[Xfce#SSH agents]] for use in Xfce.
 +
 
 +
If you use [[I3]] and ssh is not showing the password prompt, giving the following error
  
If you experience problems retrieving information from the keyring, make sure that the variables "DBUS_SESSION_BUS_ADDRESS" and "DBUS_SESSION_BUS_PID" are exported in the target environment.
+
sign_and_send_pubkey: signing failed: agent refused operation
 +
Permission denied (publickey).
  
Instructions on how to use GNOME Keyring in Xfce are in the [[Xfce#SSH_Agents|SSH Agents section]] on that page.
+
you need to add the DISPLAY environment variable to dbus-daemon in your .xinitrc, like this:
 +
 
 +
{{hc|~/.xinitrc|<nowiki>
 +
dbus-update-activation-environment --systemd DISPLAY
 +
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
 +
export SSH_AUTH_SOCK
 +
 
 +
...
 +
exec i3
 +
</nowiki>}}
 +
 
 +
=== With a display manager ===
 +
 
 +
When using a display manager, the keyring works out of the box for most cases. The following display managers automatically unlock the keyring once you log in:
 +
* [[GDM]]
 +
* [[SLiM]]
 +
* [[LightDM]]
 +
* [[LXDM]]
 +
{{Note| You may need to install {{pkg|libgnome-keyring}} }}
 +
For GDM, note the keyring [https://wiki.gnome.org/Projects/GnomeKeyring/Pam must be] named ''login'' to be automatically unlocked.
 +
 
 +
For KDM, see [[KDM#KDM and Gnome-keyring]].
 +
 
 +
For [[SDDM]], follow the KDM guidelines, but modify {{ic|/etc/pam.d/sddm}} instead of {{ic|/etc/pam.d/kde}}.
 +
 
 +
For LightDM, uncomment or add the line {{ic|auth optional pam_gnome_keyring.so}} in {{ic|/etc/pam.d/lightdm}}.
 +
 
 +
To enable the keyring for applications run through the terminal, such as SSH, add the following to your {{ic|~/.bash_profile}}, {{ic|~/.zshenv}}, or similar:
 +
 
 +
{{hc|~/.zshenv|<nowiki>
 +
if [ -n "$DESKTOP_SESSION" ];then
 +
    eval $(gnome-keyring-daemon --start)
 +
    export SSH_AUTH_SOCK
 +
fi</nowiki>}}
 +
 
 +
{{Note| 1=The GNOME Keyring Daemon no longer exposes {{ic|GNOME_KEYRING_PID}}. See [https://mail.gnome.org/archives/commits-list/2014-March/msg03864.html commit].}}
 +
 
 +
== SSH keys ==
  
== SSH Keys ==
 
 
To add your SSH key:
 
To add your SSH key:
  
Line 38: Line 131:
 
  $ ssh-add -D
 
  $ ssh-add -D
  
Now when you connect to a server, the key will be found and a dialog will popup asking you for the passphrase. It has an option to automatically unlock the key when you login. If you check this you will not need to enter your passphrase again!
+
Now when you connect to a server, the key will be found and a dialog will popup asking you for the passphrase. It has an option to automatically unlock the key when you log in. If you check this, you will not need to enter your passphrase again!
 +
 
 +
Alternatively, to permanently save the a passphrase in the keyring, use seahorse-ssh-askpass from package {{pkg|seahorse}}:
 +
 
 +
/usr/lib/seahorse/seahorse-ssh-askpass my_key
  
== Integration with applications ==
+
{{Note|You have to have a have the corresponding {{ic|.pub}} file in the same directory as the private key ({{ic|~/.ssh/id_dsa.pub}} in the example). Also, make sure that the public key is the file name of the private key plus {{ic|.pub}} (for example, {{ic|my_key.pub}}).}}
 +
=== Start SSH and Secrets components of keyring daemon ===
  
* [[Firefox#GNOME_Keyring_integration]]
+
If you are starting Gnome Keyring with a display manager or the Pam method described above and you are NOT using Gnome, Unity or Mate as your desktop you may find that the SSH and Secrets components are not being started automatically.
 +
You can fix this by copying the desktop files gnome-keyring-ssh.desktop and gnome-keyring-secrets.desktop from /etc/xdg/autostart/ to ~/.config/autostart/ and deleting the OnlyShowIn line.
  
== Gnome Keyring dialog and SSH ==
+
$ cp /etc/xdg/autostart/{gnome-keyring-secrets.desktop,gnome-keyring-ssh.desktop} ~/.config/autostart/
 +
$ sed -i '/^OnlyShowIn.*$/d' ~/.config/autostart/gnome-keyring-secrets.desktop
 +
$ sed -i '/^OnlyShowIn.*$/d' ~/.config/autostart/gnome-keyring-ssh.desktop
  
Run in a terminal, the following:
+
=== Disable keyring daemon components ===
  
$ gnome-keyring-daemon -s
+
If you wish to run an alternative SSH agent (e.g. [[SSH keys#ssh-agent|ssh-agent]] or [[GnuPG#gpg-agent|gpg-agent]], you need to disable the {{ic|ssh}} component of GNOME Keyring.
 +
To do so in an account-local way:
 +
{{bc|<nowiki>#!/bin/sh
  
Output will get a few lines, but in reality we are interested, {{ic|SSH_AUTH_SOCK}}, example:
+
mkdir ~/.config/autostart
 +
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/ &&
 +
printf '%s\n' 'Hidden=true' >> ~/.config/autostart/gnome-keyring-ssh.desktop
 +
</nowiki>}}
  
GNOME_KEYRING_C.................
+
Then log out.
SSH_AUTH_SOCK=/run/user/1000/keyring-XXXXXX/ssh
 
GPG_AGENT_INF...................
 
  
Now you should add to your {{ic|~/.bashrc}}, according to the output of the previous command, for example:
+
== Tips and tricks ==
  
SSH_AUTH_SOCK=`ss -xl | grep -o '/run/user/1000/keyring-.*/ssh$'`
+
=== Integration with applications ===
[ -z "$SSH_AUTH_SOCK" ] || export SSH_AUTH_SOCK
 
  
If you run on your terminal the following:
+
* [[Firefox#KDE.2FGNOME_integration|Firefox]]
  
$ echo $SSH_AUTH_SOCK
+
=== Flushing passphrases ===
  
will return something like the following:
+
gnome-keyring-daemon -r -d
  
/run/user/1000/keyring--XXXXXX/ssh
+
This command starts gnome-keyring-daemon, shutting down previously running instances.
  
Now when you connect with ssh, gnome-keyring dialog will launch the "entry of the passphrase"
+
=== GNOME Keyring and Git ===
  
== Gnome Keyring and Git ==
+
The GNOME keyring is useful in conjuction with [[Git]] when you are pushing over HTTPS.
The Gnome keyring is useful in use with Git when you are pushing over https.
+
 
First compile the helper
+
First install the package {{pkg|libgnome-keyring}} from the [[official repositories]].
 +
 
 +
Next compile the helper:
 
  $ cd /usr/share/git/credential/gnome-keyring
 
  $ cd /usr/share/git/credential/gnome-keyring
 
  # make
 
  # make
Set Git up to use the helper
+
Set Git up to use the helper:
  $ git config --global credential.helper /usr/share/git/credential/gnome-keyring/git-credential-gnome-keyring
+
  $ git config --global credential.helper /usr/lib/git-core/git-credential-gnome-keyring
Next time you do a git push, you'll be asked to unlock your keyring
+
Next time you do a ''git push'', you are asked to unlock your keyring, if not unlocked already.
  
== Unlock at Startup ==
+
== Troubleshooting ==
GNOME's login manager ({{pkg|gdm}}) will automatically unlock the keyring once you log in; for others it is not so easy.
 
  
For SLiM, see [[SLiM#SLiM_and_Gnome_Keyring]], This method works for KDM as well, but you need to edit {{ic|/etc/pam.d/kde}} instead of {{ic|/etc/pam.d/slim}}.
+
=== Passwords are not remembered ===
  
If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring. '''Note''': your passwords will be stored unencrypted if you do this.
+
If you get a password prompt every time you login, and you find that passwords are not saved, you might need to create/set a default keyring.
 
 
If you use console based login, automatic unlocking of the keyring can be achieved by the following changes in {{ic|/etc/pam.d/login}}:
 
Add {{ic|auth      optional    pam_gnome_keyring.so}} at the end of the {{ic|auth}} section and {{ic|session    optional    pam_gnome_keyring.so        auto_start}} at the end of the {{ic|session}} section. The result should look look similar to this:
 
#%PAM-1.0
 
 
auth      required    pam_securetty.so
 
auth      requisite    pam_nologin.so
 
auth      include      system-local-login
 
auth      optional    pam_gnome_keyring.so
 
account    include      system-local-login
 
session    include      system-local-login
 
session    optional    pam_gnome_keyring.so        auto_start
 
  
Next, add {{ic|password optional pam_gnome_keyring.so}} to the end of {{ic|/etc/pam.d/passwd}}. The file should look somewhat like this:
+
Ensure that the {{pkg|seahorse}} package is installed, open it ("Passwords and Keys" in system settings) and select ''View'' > ''By Keyring''
#%PAM-1.0
+
If there is no keyring in the left column (it will be marked with a lock icon), go to ''File'' > ''New'' > ''Password Keyring'' and give it a name. You will be asked to enter a password. If you do not give the keyring a password it will be unlocked automatically, even when using autologin, but passwords will not be stored securely. Finally, right-click on the keyring you just created and select "Set as default".
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
 
#password required pam_unix.so sha512 shadow use_authtok
 
password required pam_unix.so sha512 shadow nullok
 
password optional pam_gnome_keyring.so
 
  
{{Note|To use automatic unlocking, the same password for the user account and the keyring have to be set.}}
+
== Known issues ==
  
 +
=== Cannot handle ECDSA and Ed25519 keys ===
  
== Useful Tools ==
+
As of April, 2017, GNOME Keyring doesn't handle ECDSA[https://bugzilla.gnome.org/show_bug.cgi?id=641082] nor Ed25519[https://bugzilla.gnome.org/show_bug.cgi?id=723274] keys. You can turn to other [[SSH_keys#SSH_agents|SSH agents]] if you need support for those.
=== gnome-keyring-query ===
 
{{AUR|gnome-keyring-query}} from the AUR provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring.
 

Latest revision as of 19:53, 17 May 2017

GNOME Keyring is "a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications."

Note: There are some #Known issues.

Installation

When using GNOME, gnome-keyring is installed automatically as a part of the gnome group. Otherwise install the gnome-keyring package. Install libsecret to allow applications to use your keyrings. libgnome-keyring is deprecated.

Extra utilities related to GNOME keyring include:

  • secret-tool — Access the GNOME keyring (and any other service implementing the DBus Secret Service API) from the command line.
https://wiki.gnome.org/Projects/Libsecret || libsecret
  • gnome-keyring-query — Provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring.
http://www.gentoo-wiki.info/HOWTO_Use_gnome-keyring_to_store_SSH_passphrases || gnome-keyring-queryAUR
  • gkeyring — Query passwords from the command line, the Git version can list all passwords without needing to know name or id of the item
https://github.com/kparal/gkeyring || gkeyringAUR, gkeyring-gitAUR

Manage using GUI

You can manage the contents of GNOME Keyring using Seahorse. Install it with the package seahorse.

It is possible to leave the GNOME keyring password blank or change it. In seahorse, in the "View" drop-down menu, select "By Keyring". On the Passwords tab, right click on "Passwords: login" and pick "Change password." Enter the old password and leave empty the new password. You will be warned about using unencrypted storage; continue by pushing "Use Unsafe Storage."

Using the keyring outside GNOME

Without a display manager

Automatic login

If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring.

Note: The passwords are stored unencrypted in this case.

Console login

When using console-based login, the keyring daemon can be started by either PAM or xinitrc. PAM can also unlock the keyring automatically at login.

PAM method

Start the gnome-keyring-daemon from /etc/pam.d/login:

Add auth optional pam_gnome_keyring.so at the end of the auth section and session optional pam_gnome_keyring.so auto_start at the end of the session section.

/etc/pam.d/login
#%PAM-1.0
 
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so        auto_start

Next, add password optional pam_gnome_keyring.so to the end of /etc/pam.d/passwd.

/etc/pam.d/passwd
#%PAM-1.0

#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required	pam_unix.so sha512 shadow use_authtok
password	required	pam_unix.so sha512 shadow nullok
password	optional	pam_gnome_keyring.so
Note:
  • To use automatic unlocking, the same password for the user account and the keyring have to be set.
  • You will still need the code in ~/.xinitrc below in order to export the environment variables required.
xinitrc method

Start the gnome-keyring-daemon from xinitrc:

~/.xinitrc
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
export SSH_AUTH_SOCK

See Xfce#SSH agents for use in Xfce.

If you use I3 and ssh is not showing the password prompt, giving the following error

sign_and_send_pubkey: signing failed: agent refused operation
Permission denied (publickey).

you need to add the DISPLAY environment variable to dbus-daemon in your .xinitrc, like this:

~/.xinitrc
dbus-update-activation-environment --systemd DISPLAY
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
export SSH_AUTH_SOCK

...
exec i3

With a display manager

When using a display manager, the keyring works out of the box for most cases. The following display managers automatically unlock the keyring once you log in:

Note: You may need to install libgnome-keyring

For GDM, note the keyring must be named login to be automatically unlocked.

For KDM, see KDM#KDM and Gnome-keyring.

For SDDM, follow the KDM guidelines, but modify /etc/pam.d/sddm instead of /etc/pam.d/kde.

For LightDM, uncomment or add the line auth optional pam_gnome_keyring.so in /etc/pam.d/lightdm.

To enable the keyring for applications run through the terminal, such as SSH, add the following to your ~/.bash_profile, ~/.zshenv, or similar:

~/.zshenv
if [ -n "$DESKTOP_SESSION" ];then
    eval $(gnome-keyring-daemon --start)
    export SSH_AUTH_SOCK
fi
Note: The GNOME Keyring Daemon no longer exposes GNOME_KEYRING_PID. See commit.

SSH keys

To add your SSH key:

$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/mith/.ssh/id_dsa:

To list automatically loaded keys:

$ ssh-add -L

To disable all keys;

$ ssh-add -D

Now when you connect to a server, the key will be found and a dialog will popup asking you for the passphrase. It has an option to automatically unlock the key when you log in. If you check this, you will not need to enter your passphrase again!

Alternatively, to permanently save the a passphrase in the keyring, use seahorse-ssh-askpass from package seahorse:

/usr/lib/seahorse/seahorse-ssh-askpass my_key
Note: You have to have a have the corresponding .pub file in the same directory as the private key (~/.ssh/id_dsa.pub in the example). Also, make sure that the public key is the file name of the private key plus .pub (for example, my_key.pub).

Start SSH and Secrets components of keyring daemon

If you are starting Gnome Keyring with a display manager or the Pam method described above and you are NOT using Gnome, Unity or Mate as your desktop you may find that the SSH and Secrets components are not being started automatically. You can fix this by copying the desktop files gnome-keyring-ssh.desktop and gnome-keyring-secrets.desktop from /etc/xdg/autostart/ to ~/.config/autostart/ and deleting the OnlyShowIn line.

$ cp /etc/xdg/autostart/{gnome-keyring-secrets.desktop,gnome-keyring-ssh.desktop} ~/.config/autostart/
$ sed -i '/^OnlyShowIn.*$/d' ~/.config/autostart/gnome-keyring-secrets.desktop
$ sed -i '/^OnlyShowIn.*$/d' ~/.config/autostart/gnome-keyring-ssh.desktop

Disable keyring daemon components

If you wish to run an alternative SSH agent (e.g. ssh-agent or gpg-agent, you need to disable the ssh component of GNOME Keyring. To do so in an account-local way:

#!/bin/sh

mkdir ~/.config/autostart
cp /etc/xdg/autostart/gnome-keyring-ssh.desktop ~/.config/autostart/ &&
printf '%s\n' 'Hidden=true' >> ~/.config/autostart/gnome-keyring-ssh.desktop 

Then log out.

Tips and tricks

Integration with applications

Flushing passphrases

gnome-keyring-daemon -r -d

This command starts gnome-keyring-daemon, shutting down previously running instances.

GNOME Keyring and Git

The GNOME keyring is useful in conjuction with Git when you are pushing over HTTPS.

First install the package libgnome-keyring from the official repositories.

Next compile the helper:

$ cd /usr/share/git/credential/gnome-keyring
# make

Set Git up to use the helper:

$ git config --global credential.helper /usr/lib/git-core/git-credential-gnome-keyring

Next time you do a git push, you are asked to unlock your keyring, if not unlocked already.

Troubleshooting

Passwords are not remembered

If you get a password prompt every time you login, and you find that passwords are not saved, you might need to create/set a default keyring.

Ensure that the seahorse package is installed, open it ("Passwords and Keys" in system settings) and select View > By Keyring If there is no keyring in the left column (it will be marked with a lock icon), go to File > New > Password Keyring and give it a name. You will be asked to enter a password. If you do not give the keyring a password it will be unlocked automatically, even when using autologin, but passwords will not be stored securely. Finally, right-click on the keyring you just created and select "Set as default".

Known issues

Cannot handle ECDSA and Ed25519 keys

As of April, 2017, GNOME Keyring doesn't handle ECDSA[1] nor Ed25519[2] keys. You can turn to other SSH agents if you need support for those.