Difference between revisions of "GNOME/Keyring"

From ArchWiki
m (Disable Keyring daemon: Fix stale reference to GPG component.)
(add missing templates; fix grammar; fix capitalization issues in section headings)
Line 2: Line 2:
 
From [https://live.gnome.org/GnomeKeyring/ GnomeKeyring]:
 
From [https://live.gnome.org/GnomeKeyring/ GnomeKeyring]:
 
:''GNOME Keyring is a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications.''
 
:''GNOME Keyring is a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications.''
{{Note| 1=Gnome Keyring does not support ECDSA keys. See [https://bugzilla.gnome.org/show_bug.cgi?id=641082 Bug 641082].}}
+
{{Note| 1=GNOME Keyring does not support ECDSA keys. See [https://bugzilla.gnome.org/show_bug.cgi?id=641082 Bug 641082].}}
 
== Installation ==
 
== Installation ==
When using GNOME, gnome-keyring is installed automatically as a part of the gnome group. Otherwise install {{Pkg|gnome-keyring}} from the [[official repositories]].
+
When using GNOME, gnome-keyring is installed automatically as a part of the {{grp|gnome}} group. Otherwise install {{Pkg|gnome-keyring}} from the [[official repositories]].
  
 
== Manage using GUI ==
 
== Manage using GUI ==
 
  # pacman -S seahorse
 
  # pacman -S seahorse
It is possible to leave the GNOME keyring password blank or change it. In seahorse, in the "View" dropdown, select "By Keyring". On the Passwords tab, right click on "Passwords: login" and pick "Change password." Enter the old password and leave empty the new password. You will be warned about using unencrypted storage; continue by pushing "Use Unsafe Storage."
+
It is possible to leave the GNOME keyring password blank or change it. In seahorse, in the "View" drop-down menu, select "By Keyring". On the Passwords tab, right click on "Passwords: login" and pick "Change password." Enter the old password and leave empty the new password. You will be warned about using unencrypted storage; continue by pushing "Use Unsafe Storage."
  
 
== Use without GNOME, and without a display manager ==
 
== Use without GNOME, and without a display manager ==
=== automatic login ===
+
=== Automatic login ===
 
If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring.
 
If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring.
 
{{Note| The passwords are stored unencrypted in this case.}}
 
{{Note| The passwords are stored unencrypted in this case.}}
  
=== console login ===
+
=== Console login ===
When using console based login, the keyring daemon can be started by either [[Wikipedia:Pluggable authentication module|PAM]] or [[xinitrc]]. PAM can also unlock the keyring automatically at login.
+
When using console-based login, the keyring daemon can be started by either [[Wikipedia:Pluggable authentication module|PAM]] or [[xinitrc]]. PAM can also unlock the keyring automatically at login.
  
 
==== PAM method ====
 
==== PAM method ====
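Review bot: the "Manage using GUI" part of this hunk still installs seahorse with a raw "# pacman -S seahorse" line while the "Installation" part of the same hunk was switched to the {{Pkg|gnome-keyring}} template; for consistency with the edit summary ("add missing templates") the seahorse line should read "Install {{Pkg|seahorse}} from the [[official repositories]]." Also, "leave empty the new password" reads more naturally as "leave the new password empty".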
Line 70: Line 70:
 
* LightDM {{pkg|lightdm}}
 
* LightDM {{pkg|lightdm}}
  
For KDM see [[KDM#KDM_and_Gnome-keyring]].
+
For KDM, see [[KDM#KDM_and_Gnome-keyring]].
  
If you are using the keyring to unlock your ssh keys though, make sure to configure {{ic|~/.zshenv}} as shown below.
+
If you are using the keyring to unlock your SSH keys though, make sure to configure {{ic|~/.zshenv}} as shown below.
  
 
{{hc|~/.zshenv|<nowiki>
 
{{hc|~/.zshenv|<nowiki>
Line 82: Line 82:
 
{{Note| 1=The GNOME Keyring Daemon no longer exposes {{ic|GNOME_KEYRING_PID}}. See [https://mail.gnome.org/archives/commits-list/2014-March/msg03864.html commit].}}
 
{{Note| 1=The GNOME Keyring Daemon no longer exposes {{ic|GNOME_KEYRING_PID}}. See [https://mail.gnome.org/archives/commits-list/2014-March/msg03864.html commit].}}
  
== Disable Keyring daemon ==
+
== Disable keyring daemon ==
In case if you run your own version of the SSH agent (e.g. [[SSH keys#ssh-agent|ssh-agent]]) you need to disable the SSH component in Gnome keyring daemon:
+
In case if you run your own version of the SSH agent (e.g. [[SSH keys#ssh-agent|ssh-agent]]), you need to disable the SSH component in GNOME keyring daemon:
 
   ln -sf /dev/null /etc/xdg/autostart/gnome-keyring-ssh.desktop
 
   ln -sf /dev/null /etc/xdg/autostart/gnome-keyring-ssh.desktop
 
Then you need to logout to make the effect.
 
Then you need to logout to make the effect.
  
== SSH Keys ==
+
== SSH keys ==
 
To add your SSH key:
 
To add your SSH key:
  
Line 101: Line 101:
 
  $ ssh-add -D
 
  $ ssh-add -D
  
Now when you connect to a server, the key will be found and a dialog will popup asking you for the passphrase. It has an option to automatically unlock the key when you login. If you check this you will not need to enter your passphrase again!
+
Now when you connect to a server, the key will be found and a dialog will popup asking you for the passphrase. It has an option to automatically unlock the key when you log in. If you check this, you will not need to enter your passphrase again!
  
Alternatively, to permanently save the passphrase a passphrase in the keyring, use seahorse-ssh-askpass from package seahorse:
+
Alternatively, to permanently save the a passphrase in the keyring, use seahorse-ssh-askpass from package {{pkg|seahorse}}:
  
 
  /usr/lib/seahorse/seahorse-ssh-askpass my_key
 
  /usr/lib/seahorse/seahorse-ssh-askpass my_key
  
{{Note|You have to have a have the corresponding {{ic|.pub}} file in the same directory as the private key ({{ic|~/.ssh/id_dsa.pub}} in the example). Also,mMake sure that the public key is the filename of the private key plus {{ic|.pub}}, for example {{ic|my_key.pub}}.}}
+
{{Note|You have to have a have the corresponding {{ic|.pub}} file in the same directory as the private key ({{ic|~/.ssh/id_dsa.pub}} in the example). Also, make sure that the public key is the file name of the private key plus {{ic|.pub}} (for example, {{ic|my_key.pub}}).}}
  
 
== Integration with applications ==
 
== Integration with applications ==
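Review bot: the rewrite of the seahorse-ssh-askpass sentence still leaves a stray article, "to permanently save the a passphrase in the keyring" should be "to permanently save a passphrase in the keyring", and the Note still opens with "You have to have a have the corresponding" (duplicated "have a"). In the same hunk, "a dialog will popup" should be "a dialog will pop up" (verb, not noun).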
Line 113: Line 113:
 
* [[Firefox#GNOME_Keyring_integration]]
 
* [[Firefox#GNOME_Keyring_integration]]
  
== Gnome Keyring dialog and SSH ==
+
== GNOME Keyring dialog and SSH ==
  
 
Run in a terminal, the following:
 
Run in a terminal, the following:
Line 146: Line 146:
 
This command starts gnome-keyring-daemon, shutting down previously running instances.
 
This command starts gnome-keyring-daemon, shutting down previously running instances.
  
== Gnome Keyring and Git ==
+
== GNOME Keyring and Git ==
The Gnome keyring is useful in use with [[Git]] when you are pushing over HTTPS.
+
The GNOME keyring is useful in conjuction with [[Git]] when you are pushing over HTTPS.
  
First install libgnome-keyring:
+
First install the package {{pkg|libgnome-keyring}} from the [[official repositories]].
# pacman -S libgnome-keyring
 
  
 
Next compile the helper:
 
Next compile the helper:
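Review bot: this hunk introduces a typo in the Git section: "in conjuction with [[Git]]" should be "in conjunction with [[Git]]". Replacing the "# pacman -S libgnome-keyring" line with the {{pkg|libgnome-keyring}} sentence is fine and matches the Installation section.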
Line 157: Line 156:
 
Set Git up to use the helper:
 
Set Git up to use the helper:
 
  $ git config --global credential.helper /usr/share/git/credential/gnome-keyring/git-credential-gnome-keyring
 
  $ git config --global credential.helper /usr/share/git/credential/gnome-keyring/git-credential-gnome-keyring
Next time you do a ''git'' push, you are asked to unlock your keyring, if not unlocked already.
+
Next time you do a ''git push'', you are asked to unlock your keyring, if not unlocked already.
  
== Useful Tools ==
+
== Useful tools ==
 
=== gnome-keyring-query ===
 
=== gnome-keyring-query ===
 
{{AUR|gnome-keyring-query}} from the AUR provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring.
 
{{AUR|gnome-keyring-query}} from the AUR provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring.

Revision as of 02:26, 9 December 2014

From GnomeKeyring:

GNOME Keyring is a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications.
Note: GNOME Keyring does not support ECDSA keys. See Bug 641082.

Installation

When using GNOME, gnome-keyring is installed automatically as a part of the gnome group. Otherwise install gnome-keyring from the official repositories.

Manage using GUI

# pacman -S seahorse

It is possible to leave the GNOME keyring password blank or change it. In seahorse, in the "View" drop-down menu, select "By Keyring". On the Passwords tab, right click on "Passwords: login" and pick "Change password." Enter the old password and leave empty the new password. You will be warned about using unencrypted storage; continue by pushing "Use Unsafe Storage."

Use without GNOME, and without a display manager

Automatic login

If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring.

Note: The passwords are stored unencrypted in this case.

Console login

When using console-based login, the keyring daemon can be started by either PAM or xinitrc. PAM can also unlock the keyring automatically at login.

PAM method

Start the gnome-keyring-daemon from /etc/pam.d/login:

Add auth optional pam_gnome_keyring.so at the end of the auth section and session optional pam_gnome_keyring.so auto_start at the end of the session section.

/etc/pam.d/login
#%PAM-1.0
 
 auth       required     pam_securetty.so
 auth       requisite    pam_nologin.so
 auth       include      system-local-login
 auth       optional     pam_gnome_keyring.so
 account    include      system-local-login
 session    include      system-local-login
 session    optional     pam_gnome_keyring.so        auto_start

Next, add password optional pam_gnome_keyring.so to the end of /etc/pam.d/passwd.

/etc/pam.d/passwd
#%PAM-1.0

 #password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
 #password	required	pam_unix.so sha512 shadow use_authtok
 password	required	pam_unix.so sha512 shadow nullok
 password	optional	pam_gnome_keyring.so

Note: To use automatic unlocking, the same password has to be set for the user account and the keyring.
Note: You will still need the code in ~/.xinitrc below in order to export the required environment variables.
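The PAM method above only works if the two pam_gnome_keyring.so lines end up in the right sections with the "optional" control. The following check is an added example, not part of the ArchWiki page: it parses a PAM service file (constructed inline here from the page's /etc/pam.d/login and an unfinished /etc/pam.d/passwd) and reports whether each type is configured as described.

```shell
# Added example (not from the ArchWiki page): verify the pam_gnome_keyring.so
# lines the PAM method needs, instead of assuming the edit took effect.

# pam_keyring_status FILE TYPE -> prints one of:
#   ok                  TYPE has "optional pam_gnome_keyring.so" (session: with auto_start)
#   missing             no active pam_gnome_keyring.so line of that TYPE
#   missing auto_start  session line present but without the auto_start argument
#   control:<word>      line present but control is not "optional" ("required"
#                       would let a keyring failure block login)
pam_keyring_status() {
    # Strip comments (including the #%PAM-1.0 header) so commented-out lines
    # are never mistaken for active configuration, then inspect the fields
    # type / control / module / args of each remaining line.
    sed 's/#.*//' "$1" | awk -v t="$2" '
        $1 == t && $3 == "pam_gnome_keyring.so" {
            found = 1
            if ($2 != "optional") { print "control:" $2; exit }
            if (t == "session" && $4 != "auto_start") { print "missing auto_start"; exit }
            print "ok"; exit
        }
        END { if (!found) print "missing" }'
}

# Constructed sample files: /etc/pam.d/login as the page shows it, and a
# /etc/pam.d/passwd that still lacks the keyring "password" line.
PAM_LOGIN=$(mktemp); PAM_PASSWD=$(mktemp)
cat > "$PAM_LOGIN" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so        auto_start
EOF
cat > "$PAM_PASSWD" <<'EOF'
#%PAM-1.0
#password  required  pam_unix.so sha512 shadow use_authtok
password   required  pam_unix.so sha512 shadow nullok
EOF

# Typical use on a real system: pam_keyring_status /etc/pam.d/login session
for t in auth session; do echo "login/$t: $(pam_keyring_status "$PAM_LOGIN" "$t")"; done
echo "passwd/password: $(pam_keyring_status "$PAM_PASSWD" password)"
```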

xinitrc method

Start the gnome-keyring-daemon from Xinit:

~/.xinitrc
eval $(/usr/bin/gnome-keyring-daemon --start --components=pkcs11,secrets,ssh)
export SSH_AUTH_SOCK

The skeleton .xinitrc will start a D-Bus session. See FS#13986 for more info.

Note: GNOME_KEYRING_PID has been removed, and GNOME_KEYRING_CONTROL is not written if XDG_RUNTIME_DIR is set. See [1]

If you experience problems retrieving information from the keyring, make sure that the variable DBUS_SESSION_BUS_ADDRESS is exported in the target environment. (DBUS_SESSION_BUS_PID is no longer exported.)

See SSH Agents for use in Xfce.

Use without GNOME, but with a display manager

When using a display manager, the keyring works out of the box for most cases. The following display managers automatically unlock the keyring once you log in:

For KDM, see KDM#KDM_and_Gnome-keyring.

If you are using the keyring to unlock your SSH keys though, make sure to configure ~/.zshenv as shown below.

~/.zshenv
if [ -n "$DESKTOP_SESSION" ];then
    eval $(gnome-keyring-daemon --start --components=ssh)
    export SSH_AUTH_SOCK
fi

Note: The GNOME Keyring Daemon no longer exposes GNOME_KEYRING_PID. See commit.

Disable keyring daemon

If you run your own SSH agent (e.g. ssh-agent), you need to disable the SSH component of the GNOME keyring daemon:

 ln -sf /dev/null /etc/xdg/autostart/gnome-keyring-ssh.desktop

Then you need to log out for this to take effect.

SSH keys

To add your SSH key:

$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/mith/.ssh/id_dsa:

To list automatically loaded keys:

$ ssh-add -L

To disable all keys:

$ ssh-add -D

Now when you connect to a server, the key will be found and a dialog will popup asking you for the passphrase. It has an option to automatically unlock the key when you log in. If you check this, you will not need to enter your passphrase again!

Alternatively, to permanently save a passphrase in the keyring, use seahorse-ssh-askpass from package seahorse:

/usr/lib/seahorse/seahorse-ssh-askpass my_key

Note: You have to have the corresponding .pub file in the same directory as the private key (~/.ssh/id_dsa.pub in the example). Also, make sure that the public key is the file name of the private key plus .pub (for example, my_key.pub).

Integration with applications

GNOME Keyring dialog and SSH

Run in a terminal, the following:

$ gnome-keyring-daemon -s

The output has a few lines, but the one of interest is SSH_AUTH_SOCK, for example:

GNOME_KEYRING_C.................
SSH_AUTH_SOCK=/run/user/1000/keyring-XXXXXX/ssh
GPG_AGENT_INF...................

Now add the following to your ~/.bashrc, adjusted to the output of the previous command, for example:

SSH_AUTH_SOCK=`ss -xl | grep -o '/run/user/1000/keyring.*/ssh'`
[ -z "$SSH_AUTH_SOCK" ] || export SSH_AUTH_SOCK

If you now run the following in your terminal:

$ echo $SSH_AUTH_SOCK

it will return something like the following:

/run/user/1000/keyring-XXXXXX/ssh

Now when you connect with ssh, the gnome-keyring dialog will prompt you for the passphrase.
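The ~/.bashrc snippet above greps the socket path out of "ss -xl" and exports whatever it finds. The following is an added example, not code from the ArchWiki page: it keeps the same "ss -xl" fallback but parses the listing in a function (fed here with constructed sample output) and only exports SSH_AUTH_SOCK after checking that the path is a unix socket owned by the current user, so a stale or foreign path is never handed to ssh.

```shell
# Added example (not from the ArchWiki page): locate the GNOME keyring SSH agent
# socket and export SSH_AUTH_SOCK only after checking it is a socket we own.

# keyring_sock_from_listing UID LISTING: parse `ss -xl`-style output given as
# LISTING and print the keyring SSH socket path for UID (empty if none). The
# pattern accepts both the older keyring-XXXXXX/ssh and newer keyring/ssh layouts.
keyring_sock_from_listing() {
    uid="$1"
    listing="$2"
    printf '%s\n' "$listing" | grep -o "/run/user/${uid}/keyring[^ ]*/ssh" | head -n 1
}

# export_keyring_sock PATH: export SSH_AUTH_SOCK=PATH only if PATH is non-empty,
# exists as a unix socket and is owned by the calling user; returns 1 otherwise.
export_keyring_sock() {
    sock="$1"
    [ -n "$sock" ] && [ -S "$sock" ] && [ -O "$sock" ] || return 1
    SSH_AUTH_SOCK="$sock"
    export SSH_AUTH_SOCK
}

# Constructed sample of `ss -xl` output: two users, several keyring sockets.
SAMPLE_SS_LISTING='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str LISTEN 0      128    /run/user/1000/keyring/control 23456 * 0
u_str LISTEN 0      128    /run/user/1000/keyring/ssh 23457 * 0
u_str LISTEN 0      128    /run/user/1001/keyring-AbCdEf/ssh 23458 * 0'

# Typical ~/.bashrc use: prefer the socket under XDG_RUNTIME_DIR (the path the
# daemon uses when that variable is set), fall back to the ss listing otherwise.
candidate="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/keyring/ssh"
if ! export_keyring_sock "$candidate"; then
    export_keyring_sock "$(keyring_sock_from_listing "$(id -u)" "$(ss -xl 2>/dev/null)")" || true
fi
```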

Flushing passphrases

gnome-keyring-daemon -r -d

This command starts gnome-keyring-daemon, shutting down previously running instances.

GNOME Keyring and Git

The GNOME keyring is useful in conjunction with Git when you are pushing over HTTPS.

First install the package libgnome-keyring from the official repositories.

Next compile the helper:

$ cd /usr/share/git/credential/gnome-keyring
# make

Set Git up to use the helper:

$ git config --global credential.helper /usr/share/git/credential/gnome-keyring/git-credential-gnome-keyring

Next time you do a git push, you are asked to unlock your keyring, if not unlocked already.

Useful tools

gnome-keyring-query

gnome-keyring-query from the AUR provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring.