Bug 186189

Summary: create a PAM policy for pam_keyring
Product: [openSUSE] openSUSE 10.3 Reporter: Stanislav Brabec <sbrabec>
Component: GNOME Assignee: Chris Rivera <crivera>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: andreas.hanke, claes.backstrom, quentin.jackson, suse-beta
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 192400    

Description Stanislav Brabec 2006-06-19 13:03:15 UTC
There is a new package - pam_keyring.

We need to decide how to integrate the required PAM configuration change into /etc/pam.d:
  * Using %post, %postun, %triggerin in the package.
  * Using YaST
  * Add it to the default of gdm (probably not possible for gdm-autologin).
  * Add it to the default of all DM PAM configs.
  * Create new common-xsession module and include it, where appropriate.

All solutions have a problem: how to ensure it does not start in KDE sessions.

Reference: Feature 300590
Comment 1 Stanislav Brabec 2006-09-01 11:52:33 UTC
Lines to be added:

auth optional pam_keyring.so try_first_pass
session optional pam_keyring.so

But we should do this only if a GNOME session is selected (or improve pam_keyring.so to ask only for a GNOME session).
Comment 2 JP Rosevear 2006-10-26 14:03:13 UTC
We actually have separate pam configs for gdm and gnome-screensaver now, wouldn't this make it gnome specific?
Comment 3 Stanislav Brabec 2006-10-26 14:28:17 UTC
There is a different problem:

It would be ideal to start the GNOME keyring daemon in a GNOME session, not depending on the display manager, and not start it in other session types, even if we are using gdm.

I don't know, where there is a simple way to implement it.

pam_keyring is not intended for screensaver (maybe only if GNOME keyring will implement timed/idle key forgetting).
Comment 4 Stanislav Brabec 2006-10-31 18:18:27 UTC
In 10.2, pam_keyring is not in the default installation. As a temporary solution, I am adding scriptlets, which add required lines to /etc/pam.d/gdm. It works well, but only in gdm and starts gnome-keyring for all session types.
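
The scriptlet approach described in Comment 4, as an added example (not the code shipped in the openSUSE package): it appends the two lines from Comment 1 to a PAM service file idempotently and removes them again on uninstall. The function names and the `add|remove FILE` interface are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the package's scriptlets. Usage: $0 add|remove FILE
KEYRING_AUTH='auth optional pam_keyring.so try_first_pass'   # from Comment 1
KEYRING_SESSION='session optional pam_keyring.so'            # from Comment 1

# True if FILE has an uncommented line with the same fields as LINE
# (the amount of whitespace between fields is ignored).
has_line() {
    awk -v want="$2" '
        BEGIN { n = split(want, w, " ") }
        /^[ \t]*#/ { next }
        NF == n { ok = 1; for (i = 1; i <= n; i++) if ($i != w[i]) ok = 0
                  if (ok) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Append whichever of the two lines is missing; safe to run on every upgrade.
# Appending keeps the auth entry after the existing auth entries, so
# try_first_pass can reuse the password an earlier module collected.
add_keyring_lines() {
    file=$1
    [ -f "$file" ] || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 1; }   # keep mode and times
    # Do not glue our line onto an unterminated last line.
    [ -n "$(tail -c 1 "$file")" ] && echo >> "$tmp"
    has_line "$file" "$KEYRING_AUTH"    || printf '%s\n' "$KEYRING_AUTH" >> "$tmp"
    has_line "$file" "$KEYRING_SESSION" || printf '%s\n' "$KEYRING_SESSION" >> "$tmp"
    mv -f "$tmp" "$file"                                  # atomic replace
}

# Drop every uncommented entry whose module field is pam_keyring.so.
remove_keyring_lines() {
    file=$1
    [ -f "$file" ] || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 1; }
    awk '/^[ \t]*#/ || $3 != "pam_keyring.so"' "$file" > "$tmp" && mv -f "$tmp" "$file"
}

case "${1:-}" in
    add)    add_keyring_lines "${2:-}" ;;
    remove) remove_keyring_lines "${2:-}" ;;
esac
```

Both entries use the `optional` control from Comment 1, so a failure in pam_keyring.so does not by itself block the login.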
Comment 5 Andreas Hanke 2006-11-24 16:11:33 UTC
*** Bug 215595 has been marked as a duplicate of this bug. ***
Comment 6 Stanislav Brabec 2006-11-24 16:19:43 UTC
Launch policy problems topic presented in GNOME desktop-devel-list:
http://mail.gnome.org/archives/desktop-devel-list/2006-November/msg00146.html
Comment 7 JP Rosevear 2007-02-09 21:31:06 UTC
*** Bug 174720 has been marked as a duplicate of this bug. ***
Comment 8 JP Rosevear 2007-02-14 21:46:56 UTC
*** Bug 168559 has been marked as a duplicate of this bug. ***
Comment 9 JP Rosevear 2007-08-02 21:50:11 UTC
Time to resurrect this issue upstream with the inclusion of a pam module in gnome-keyring proper.
Comment 10 Stanislav Brabec 2007-08-03 10:11:26 UTC
Maybe writing a desktop-neutral backend would be a clean solution - both kwallet and gnome-keyring might use it and the session would unlock this one.
Comment 11 JP Rosevear 2007-08-03 12:40:57 UTC
That could be longer term, but right now we could use DESKTOP_SESSION or something similar to detect a gnome session or not.  This is a major usability issue, so I think really trying to have this in 10.3 is important.
Comment 12 Magnus Boman 2007-09-17 22:22:36 UTC
Ping...
Comment 13 Chris Rivera 2007-09-18 17:29:26 UTC
I checked in a patch to gnome-keyring that should avoid auto starting the daemon in KDE.