GNOME/Keyring
GNOME Keyring is «a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications.»
Installation
gnome-keyring is a member of the gnome group and is thus usually present on systems running GNOME. The package can otherwise be installed on its own. libsecret should also be installed to grant other applications access to your keyrings. Although libgnome-keyring is deprecated (and superseded by libsecret), it may still be required by certain applications.
Extra utilities related to GNOME Keyring include:
- secret-tool — Access the GNOME Keyring (and any other service implementing the D-Bus Secret Service API) from the command line. Part of libsecret (https://wiki.gnome.org/Projects/Libsecret).
- lssecret — List all secret items using libsecret (e.g. GNOME Keyring). Package lssecret-git (AUR), https://gitlab.com/GrantMoyer/lssecret.
- gnome-keyring-query — A simple command-line tool for querying passwords from the password store of the GNOME Keyring. Package gnome-keyring-query (AUR), https://gentoo-wiki.info/HOWTO_Use_gnome-keyring_to_store_SSH_passphrases (archived).
Manage using GUI
You can manage the contents of GNOME Keyring using Seahorse; install the seahorse package.
Passwords for keyrings (e.g., the default keyring, «Login») can be changed and even removed. See Create a new keyring and Update the keyring password in GNOME Help for more information.
Using the keyring
The PAM module pam_gnome_keyring.so initialises GNOME Keyring partially, unlocking the default login keyring with the login password in the process. It should be followed by a call to gnome-keyring-daemon with the --start option to complete initialisation and to set the environment variables (such as SSH_AUTH_SOCK) through which clients find the daemon.
PAM step
When using a display manager, the keyring works out of the box in most cases: GDM, LightDM, LXDM, and SDDM already ship the necessary PAM configuration. For a display manager that does not unlock the keyring automatically, edit that display manager's PAM service file instead of /etc/pam.d/login as described below.
When using console-based login, edit /etc/pam.d/login: add auth optional pam_gnome_keyring.so at the end of the auth section and session optional pam_gnome_keyring.so auto_start at the end of the session section.
If you are using GNOME, Unity, Cinnamon, or MATE, you are done: initialisation is completed and the environment variables are set automatically.
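A quick check for the PAM step, as an added example (this is not the wiki's own snippet): the function greps a PAM service file for the two active pam_gnome_keyring.so lines, and the sample /etc/pam.d/login it writes is a constructed file showing where the lines belong, not a copy of any distribution's stock file.

```shell
#!/bin/sh
# Added example (not from the Arch wiki page): verify that a PAM service file
# carries both pam_gnome_keyring.so lines the PAM step requires, and show a
# constructed /etc/pam.d/login with them in place.

# pam_keyring_check FILE
#   Returns 0 when FILE has "auth optional pam_gnome_keyring.so" and
#   "session optional pam_gnome_keyring.so auto_start" as active (uncommented)
#   lines, 1 when the auth line is missing, 2 when the session line is missing.
pam_keyring_check() {
    f="$1"
    grep -Eq '^[[:space:]]*auth[[:space:]]+optional[[:space:]]+pam_gnome_keyring\.so([[:space:]]|$)' "$f" || return 1
    grep -Eq '^[[:space:]]*session[[:space:]]+optional[[:space:]]+pam_gnome_keyring\.so[[:space:]]+auto_start([[:space:]]|$)' "$f" || return 2
    return 0
}

# write_sample_login FILE
#   Writes a constructed /etc/pam.d/login as it should look after the edit.
#   The stock file on your system may differ; what matters is that the two
#   pam_gnome_keyring lines sit at the end of the auth and session sections.
write_sample_login() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       requisite    pam_nologin.so
auth       include      system-local-login
auth       optional     pam_gnome_keyring.so
account    include      system-local-login
session    include      system-local-login
session    optional     pam_gnome_keyring.so auto_start
EOF
}

# Check the real file when run directly (read-only; nothing is modified).
if [ -r /etc/pam.d/login ]; then
    if pam_keyring_check /etc/pam.d/login; then
        echo "/etc/pam.d/login: pam_gnome_keyring.so configured"
    else
        echo "/etc/pam.d/login: pam_gnome_keyring.so not configured"
    fi
fi
```

The check only reports; it never edits /etc/pam.d/login for you, because the exact position within each section depends on the other modules your distribution stacks there.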
--start step
If you are not using GNOME, Unity, MATE, or Cinnamon as your desktop environment, initialisation will not complete automatically. You can fix this using one of the following methods:
Shell
Add the following to your ~/.zshenv, or similar:
xinitrc
Start the gnome-keyring-daemon from xinitrc:
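The snippet for the shell and xinitrc steps above is missing from this copy of the page; what follows is an added example of mine rather than the wiki's own lines. It assumes that gnome-keyring-daemon --start prints its socket locations as VAR=value lines (SSH_AUTH_SOCK, GNOME_KEYRING_CONTROL), as the daemon does, and that DESKTOP_SESSION is set in graphical sessions. The same function can be called from ~/.zshenv, ~/.profile, or ~/.xinitrc.

```shell
#!/bin/sh
# Added example, not from the Arch wiki: complete gnome-keyring-daemon
# initialisation from a login shell or ~/.xinitrc after the PAM module
# has already unlocked the login keyring.
#
# gnome-keyring-daemon --start prints its socket locations as VAR=value
# lines, e.g.  SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
# Importing and exporting them lets ssh, git and libsecret clients find
# the daemon. The common one-liner is
#     eval "$(gnome-keyring-daemon --start)"; export SSH_AUTH_SOCK
# The helper below does the same without eval, so a stray warning line in
# the output can never be executed as shell code.

# export_keyring_vars TEXT
#   Exports every NAME=value line of TEXT; skips anything whose NAME is not a
#   plain identifier (warnings, blank lines, "** Message: ..." noise).
export_keyring_vars() {
    while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac
        name=${line%%=*}
        case "$name" in ''|*[!A-Za-z0-9_]*) continue ;; esac
        export "$line"
    done <<EOF
$1
EOF
}

# start_keyring
#   Starts (or reconnects to) the daemon and imports its variables. Guarded so
#   it is a no-op outside a graphical session (assumption: the display manager
#   sets DESKTOP_SESSION) or where the daemon is not installed.
start_keyring() {
    [ -n "${DESKTOP_SESSION:-}" ] || return 0
    command -v gnome-keyring-daemon >/dev/null 2>&1 || return 0
    export_keyring_vars "$(gnome-keyring-daemon --start)"
}

start_keyring
```

After sourcing this, `echo "$SSH_AUTH_SOCK"` should print a path ending in keyring/ssh; if it prints nothing, the PAM step did not run or the daemon is not installed.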
Xfce only
See Xfce#SSH agents for use in Xfce.
XDG autostart
Copy gnome-keyring-ssh.desktop, gnome-keyring-pkcs11.desktop, and gnome-keyring-secrets.desktop from /etc/xdg/autostart/ to ~/.config/autostart/ and delete the OnlyShowIn=GNOME;Unity;MATE;Cinnamon; line from each file. Note however that this will not set the SSH_AUTH_SOCK environment variable (nor the other variables, if the PAM step was skipped).
SSH keys
gnome-keyring-daemon with the ssh component will start an SSH agent and automatically load all the keys in ~/.ssh/ that have corresponding .pub files. There is no way to remove these keys from the agent.
To list all loaded keys:
When you connect to a server that uses a loaded key protected by a passphrase, a dialog pops up asking for the passphrase. It has an option to automatically unlock the key when you log in; if you check it, you will not need to enter the passphrase again.
To permanently save a passphrase in the keyring, use ssh-askpass from the seahorse package:
To manually add an SSH key from another directory:
The corresponding public key must exist next to the private key (~/.ssh/id_rsa.pub in the example). Also, make sure that the public key's file name is the private key's file name plus .pub (for example, my_key.pub).
To remove all manually added keys from the agent:
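The ssh-add commands for this section are missing from this copy of the page; the helpers below are an added example of mine, not the wiki's. They wrap ssh-add -l, ssh-add KEY and ssh-add -D, enforce the ".pub next to the private key" rule before adding, and check whether SSH_AUTH_SOCK points at the gnome-keyring agent (assumption: the daemon's socket path ends in keyring/ssh, its default layout).

```shell
#!/bin/sh
# Added example, not from the Arch wiki page. Helpers around ssh-add for the
# gnome-keyring SSH agent; the same ssh-add calls work with any agent.

# using_keyring_agent
#   Returns 0 when SSH_AUTH_SOCK points at a gnome-keyring agent socket.
#   Assumption: the daemon names its socket .../keyring/ssh.
using_keyring_agent() {
    case "${SSH_AUTH_SOCK:-}" in
        */keyring/ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# add_key_to_agent PRIVATE_KEY
#   Adds one key, but only if its public half sits beside it with the ".pub"
#   suffix, which is what gnome-keyring needs in order to remember the key.
#   Returns 1 if the private key is missing, 2 if the .pub file is missing,
#   otherwise ssh-add's own status.
add_key_to_agent() {
    key="$1"
    [ -f "$key" ] || { echo "no such key: $key" >&2; return 1; }
    [ -f "$key.pub" ] || { echo "missing $key.pub (name must be the private key plus .pub)" >&2; return 2; }
    ssh-add "$key"
}

# list_agent_keys   -> fingerprints of every loaded key
list_agent_keys() { ssh-add -l; }

# clear_agent_keys  -> removes all manually added keys (keys auto-loaded from
#                      ~/.ssh by the daemon stay, as the wiki notes)
clear_agent_keys() { ssh-add -D; }

# Usage when run directly in a session with the agent available:
#   using_keyring_agent && echo "gnome-keyring agent on $SSH_AUTH_SOCK"
#   add_key_to_agent ~/work/deploy_key
#   list_agent_keys
#   clear_agent_keys
```

Run `using_keyring_agent` first when a key "mysteriously" fails to load: if it returns non-zero, ssh is talking to a different agent (often a stray ssh-agent or gpg-agent) and nothing you add will land in the keyring.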
Disable keyring daemon components
If you wish to run an alternative SSH agent (e.g. ssh-agent or gpg-agent), you need to disable the ssh component of GNOME Keyring. To do so in an account-local way, copy /etc/xdg/autostart/gnome-keyring-ssh.desktop to ~/.config/autostart/ and then append the line Hidden=true to the copied file. Then log out.
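Both the "XDG autostart" step and this "Disable keyring daemon components" step create a per-user override of a file under /etc/xdg/autostart. The function below does either, as an added example (my code, not the wiki's): "enable" drops the OnlyShowIn= line so the component starts under any desktop, "disable" appends Hidden=true so it does not start at all. The .desktop file used in the test is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Arch wiki: create the per-user autostart
# overrides described in the "XDG autostart" and "Disable keyring daemon
# components" steps without touching anything under /etc.
#
# autostart_override NAME enable|disable [SRCDIR] [DSTDIR]
#   Copies SRCDIR/NAME.desktop (default /etc/xdg/autostart) into DSTDIR
#   (default ~/.config/autostart) and then either
#     enable  - removes the OnlyShowIn= line so the component also starts
#               outside GNOME/Unity/MATE/Cinnamon, or
#     disable - appends Hidden=true so the component never autostarts.
#   Re-running "disable" does not append a second Hidden=true line.
autostart_override() {
    name=$1 mode=$2
    src=${3:-/etc/xdg/autostart}/$name.desktop
    dstdir=${4:-$HOME/.config/autostart}
    dst=$dstdir/$name.desktop
    [ -f "$src" ] || { echo "no such autostart entry: $src" >&2; return 1; }
    mkdir -p "$dstdir"
    case $mode in
        enable)
            grep -v '^OnlyShowIn=' "$src" > "$dst"
            ;;
        disable)
            cp "$src" "$dst"
            grep -q '^Hidden=true$' "$dst" || printf 'Hidden=true\n' >> "$dst"
            ;;
        *)
            echo "mode must be enable or disable" >&2
            return 2
            ;;
    esac
}

# XDG autostart step: start all three components under any desktop.
#   for c in gnome-keyring-ssh gnome-keyring-pkcs11 gnome-keyring-secrets; do
#       autostart_override "$c" enable
#   done
# Disable step: hand SSH over to ssh-agent/gpg-agent instead.
#   autostart_override gnome-keyring-ssh disable
```

A copy in ~/.config/autostart takes precedence over the one in /etc/xdg/autostart, so the system file is left intact and a package upgrade cannot undo your choice. Log out and back in for either change to take effect.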
Tips and tricks
Integration with applications
Flushing passphrases
This command starts gnome-keyring-daemon, shutting down previously running instances.
Git integration
GNOME Keyring is useful in conjunction with Git when you are pushing over HTTPS: the credential is stored in the keyring instead of in a plaintext ~/.git-credentials file. The libsecret package needs to be installed for this functionality to be available.
Configure Git to use the libsecret helper:
The next time you run git push, you will be asked to unlock your keyring if it is not already unlocked.
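The configuration command is missing from this copy of the page; the following is an added example of mine, not the wiki's line. It assumes the helper binary is installed as /usr/lib/git-core/git-credential-libsecret (where Arch's git package puts it; other distributions may use another path, hence the GIT_LIBSECRET_HELPER override) and refuses to configure a path that does not exist, since Git would otherwise fall back to prompting on every push without an obvious error.

```shell
#!/bin/sh
# Added example, not from the Arch wiki: point Git at the libsecret credential
# helper and read the setting back. Assumption: the helper binary lives at
# /usr/lib/git-core/git-credential-libsecret; override GIT_LIBSECRET_HELPER
# if your distribution installs it elsewhere.

GIT_LIBSECRET_HELPER=${GIT_LIBSECRET_HELPER:-/usr/lib/git-core/git-credential-libsecret}

# git_use_libsecret [CONFIG_FILE]
#   Sets credential.helper in CONFIG_FILE, or in the global config when no
#   file is given. Fails (status 1) if the helper is not an executable file.
git_use_libsecret() {
    [ -x "$GIT_LIBSECRET_HELPER" ] || { echo "helper not found: $GIT_LIBSECRET_HELPER" >&2; return 1; }
    if [ -n "$1" ]; then
        git config -f "$1" credential.helper "$GIT_LIBSECRET_HELPER"
    else
        git config --global credential.helper "$GIT_LIBSECRET_HELPER"
    fi
}

# git_credential_helper [CONFIG_FILE]
#   Prints the configured helper (nothing if none is set).
git_credential_helper() {
    if [ -n "$1" ]; then
        git config -f "$1" --get credential.helper
    else
        git config --global --get credential.helper
    fi
}

# Typical use:
#   git_use_libsecret && echo "credential.helper = $(git_credential_helper)"
```

After the first successful push, the stored credential shows up in Seahorse under Passwords in the login keyring, where it can be inspected or deleted like any other entry.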
GnuPG integration
Several applications which use GnuPG require a pinentry program to be set. Set the following in gpg-agent's configuration (~/.gnupg/gpg-agent.conf) to use the GNOME 3 pinentry, so that passphrase prompts are handled through GNOME Keyring:
Another option is to force loopback pinentry mode for GPG (--pinentry-mode loopback), which lets the calling application supply the passphrase itself instead of a separate prompt.
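The configuration line is missing from this copy of the page; the function below is an added example of mine, not the wiki's. It writes a pinentry-program line into gpg-agent.conf without duplicating an existing one, keeps the directory and file permissions gpg expects, and reloads a running agent, which otherwise keeps using the old pinentry until restarted. It assumes the GNOME 3 pinentry is installed as /usr/bin/pinentry-gnome3.

```shell
#!/bin/sh
# Added example, not from the Arch wiki: set gpg-agent's pinentry program
# idempotently and reload the agent. Assumptions: pinentry-gnome3 is at
# /usr/bin/pinentry-gnome3; GNUPGHOME may be overridden, as gpg honours it.

# gpg_set_pinentry [PROGRAM] [GNUPGHOME]
#   Replaces any existing pinentry-program line in gpg-agent.conf with
#   PROGRAM (default /usr/bin/pinentry-gnome3). Fails (status 1) if PROGRAM
#   is not executable, so a typo cannot leave gpg without any pinentry.
gpg_set_pinentry() {
    prog=${1:-/usr/bin/pinentry-gnome3}
    home=${2:-${GNUPGHOME:-$HOME/.gnupg}}
    conf=$home/gpg-agent.conf
    [ -x "$prog" ] || { echo "pinentry program not executable: $prog" >&2; return 1; }
    mkdir -p "$home" && chmod 700 "$home"
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp)
    # keep every other option; grep -v returns 1 on an empty file, which is fine
    grep -v '^pinentry-program[[:space:]]' "$conf" > "$tmp" || :
    printf 'pinentry-program %s\n' "$prog" >> "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp" && chmod 600 "$conf"
    # gpg-agent reads its config only at start or reload; reload if running
    if command -v gpg-connect-agent >/dev/null 2>&1; then
        GNUPGHOME=$home gpg-connect-agent --no-autostart reloadagent /bye >/dev/null 2>&1 || :
    fi
    return 0
}

# gpg_pinentry [GNUPGHOME]
#   Prints the configured pinentry program, or nothing if none is set.
gpg_pinentry() {
    home=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    sed -n 's/^pinentry-program[[:space:]]*//p' "$home/gpg-agent.conf" 2>/dev/null
}

# Typical use:
#   gpg_set_pinentry && echo "pinentry: $(gpg_pinentry)"
```

For the loopback alternative mentioned above, no agent configuration is needed on recent GnuPG: run gpg with --pinentry-mode loopback and the application is prompted for (or supplies) the passphrase directly.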
Renaming a keyring
The display name for a keyring (i.e., the name that appears in Seahorse and in the output of file) can be changed by editing the value of display-name in the keyring file, provided the keyring is unencrypted (a password-protected keyring is an encrypted blob and must be renamed from Seahorse). Keyrings are usually stored in ~/.local/share/keyrings/ with the .keyring file extension.
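The rename as a script, as an added example (my code, not the wiki's). It assumes an unencrypted keyring is the INI-style text file whose first line is [keyring] and whose [keyring] group holds display-name=, while items have their own display-name= lines in later groups that must not be touched; anything else (in particular a password-protected keyring) is refused. The sample keyring in the test is constructed for the example, not a real file.

```shell
#!/bin/sh
# Added example, not from the Arch wiki: rename a keyring by rewriting the
# display-name entry of its [keyring] group, leaving item entries alone and
# refusing encrypted files. Assumptions: unencrypted keyrings start with the
# line "[keyring]"; encrypted ones do not and must be renamed in Seahorse.

# keyring_is_plain FILE  -> 0 if FILE looks like an unencrypted keyring
keyring_is_plain() {
    [ -f "$1" ] && [ "$(head -n 1 "$1" 2>/dev/null)" = "[keyring]" ]
}

# keyring_display_name FILE  -> prints the display-name of the [keyring] group
keyring_display_name() {
    sed -n '/^\[keyring\]/,/^\[/{s/^display-name=//p;}' "$1"
}

# keyring_rename FILE NEWNAME
#   Rewrites FILE in place (preserving its mode and owner) with NEWNAME as
#   the keyring's display name. Returns 1 for a non-plain file, 2 for an
#   empty name. Do this while the daemon is not running, or restart it
#   afterwards: it keeps keyrings in memory and would write the old name back.
keyring_rename() {
    f=$1 new=$2
    keyring_is_plain "$f" || { echo "not an unencrypted keyring: $f" >&2; return 1; }
    [ -n "$new" ] || { echo "empty name" >&2; return 2; }
    tmp=$(mktemp)
    section=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \[*\]) section=$line ;;
        esac
        if [ "$section" = "[keyring]" ]; then
            case $line in
                display-name=*) line="display-name=$new" ;;
            esac
        fi
        printf '%s\n' "$line"
    done < "$f" > "$tmp"
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Typical use:
#   keyring_rename ~/.local/share/keyrings/Default_keyring.keyring "Work secrets"
```

Because an unencrypted keyring holds its secrets in plaintext, keep the file's 0600 mode when editing it by hand; the rewrite above goes through `cat >` rather than `mv` precisely so the original inode, owner and mode survive.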
Automatically change keyring password with user password
Add password optional pam_gnome_keyring.so to the end of /etc/pam.d/passwd .
Troubleshooting
Passwords are not remembered
If you are prompted for a password after logging in and you find that your passwords are not saved, then you may need to create/set a default keyring. To do this using Seahorse (a.k.a. Passwords and Keys), see Create a new keyring and Change the default keyring in GNOME Help.
Resetting the keyring
You will need to change your login keyring password if you receive the following error message: «The password you use to login to your computer no longer matches that of your login keyring».
Alternatively, you can remove the login.keyring and user.keystore files from ~/.local/share/keyrings/. Be warned that this permanently deletes every password and key saved in the login keyring. After removing the files, simply log out and log in again.
Unable to locate daemon control file
The following error may appear in the journal after logging in:
This message «can be safely ignored» if there are no other related issues [3].
The Keyring Concept in Ubuntu: What is It and How to Use it?
Last updated October 29, 2020. By Abhishek Prakash.
If you use automatic login in Ubuntu or other Linux distributions, you might have come across a pop-up message of this sort:
Enter password to unlock your login keyring
The login keyring did not get unlocked when you logged into your computer.
It keeps popping up several times before disappearing if you keep clicking Cancel. You may wonder why you keep seeing this keyring message all the time.
Let me tell you something. It’s not an error. It’s a security feature.
Surprised? Let me explain the keyring concept in Linux.
What is keyring in Linux and why is it used?
Why do you use a keyring (also called keychain) in the real life? You use it to keep one or more keys grouped together so that they are easy to find and carry.
It’s the same concept in Linux. The keyring feature allows your system to group various passwords together and keep it one place.
Most desktop environments provide this feature: GNOME, Xfce and others use gnome-keyring, while KDE uses its own implementation, KDE Wallet.
This keyring keeps your SSH keys, GPG keys and passwords from applications that use this feature, like the Chromium browser. By default, the keyring is locked with a master password, which is usually the login password of the account.
Every user on your system has its own keyring with (usually) the same password as that of the user account itself. When you login to your system with your password, your keyring is unlocked automatically with your account’s password.
The problem comes when you switch to auto-login in Ubuntu. This means that you login to the system without entering the password. In such case, your keyring is not unlocked automatically.
Keyring is a security feature
Remember I told you that the keyring was a security feature? Now imagine that on your Linux desktop, you are using auto-login. Anyone with access to your desktop can enter the system without password but you have no issues with that perhaps because you use it to browse internet only.
But if you use a browser like Chromium or Google Chrome in Ubuntu, and use it to save your login-password for various websites, you have an issue on your hand. Anyone can use the browser and login to the websites for which you have saved password in your browser. That’s risky, isn’t it?
This is why when you try to use Chrome, it will ask you to unlock the keyring repeatedly. This ensures that only the person who knows the keyring’s password (i.e. the account password) can use the saved password in browser for logging in to their respective websites.
If you keep on cancelling the prompt for keyring unlock, it will eventually go away and let you use the browser. However, the saved password won’t be unlocked and you’ll see ‘sync paused’ in Chromium/Chrome browsers.
If this keyring always existed, why have you never seen it?
That’s a valid question if you have never seen this keyring thing in your Linux system.
If you never used automatic login (or changed your account’s password), you might not even have realized that this feature exists.
This is because when you login to your system with your password, your keyring is unlocked automatically with your account’s password.
Ubuntu (and other distributions) asks for password for common admin tasks like modifying users, installing new software etc irrespective of whether you auto login or not. But for regular tasks like using a browser, it doesn’t ask for password because keyring is already unlocked.
When you switch to automatic login, you don’t enter the password for login anymore. This means that the keyring is not unlocked and hence when you try to use a browser which uses the keyring feature, it will ask to unlock the keyring.
You can easily manage the keyring and passwords
Where is this keyring located? At the core, it’s a daemon (a program that runs automatically in the background).
Don’t worry. You don’t have to ‘fight the daemon’ in the terminal. Most desktop environments come with a graphical application that interacts with this daemon. On KDE, there is KDE Wallet, on GNOME and others, it’s called Password and Keys (originally known as Seahorse).
(Screenshot: the Passwords and Keys app in Ubuntu)
You can use this GUI application to see what application use the keyring to manage/lock passwords.
As you can see, my system has the login keyring, which is created automatically. There are also sections for GPG and SSH keys. The Certificates section is for keeping certificates (like HTTPS certificates) issued by a certificate authority.
You can also use this application to manually store passwords for websites. For example, I created a new password-protected keyring called 'Test' and stored a password in this keyring manually.
This is slightly better than keeping a list of passwords in a text file. At least in this case your passwords can be viewed only when you unlock the keyring with password.
(Screenshot: saving a new password in Seahorse)
One potential problem here is that if you format your system, the manually saved passwords are lost. Normally you back up personal files, not user-specific data such as keyring files.
There is a way to handle that. The keyring data is usually stored in the ~/.local/share/keyrings directory. You can see all the keyrings there, but you cannot read their content directly. If you remove the password of the keyring (I'll show the steps in a later section of this article), the keyring file is stored unencrypted and you can read it like a regular text file. You can copy this unlocked keyring file entirely and import it in the Passwords and Keys application on some other Linux computer running that application. Keep in mind that the unlocked file contains every saved password in plaintext: copy it over a trusted channel only, and set a password on the keyring again once it is imported.
So, let me summarize what you have learned so far:
- Most Linux distributions have this 'keyring feature' installed and activated by default
- Each user on a system has their own keyring
- The keyring is normally locked with the account’s password
- Keyring is unlocked automatically when you login with your password
- For auto-login, the keyring is not unlocked and hence you are asked to unlock it when you try to use an application that uses keyring
- Not all browsers or application use the keyring feature
- There is a GUI application installed to interact with keyring
- You can use the keyring to manually store passwords in encrypted format
- You can change the keyring password on your own
- You can export (by unlocking the keyring first) and import it on some other computer to get your manually saved passwords
Change keyring password
Suppose you changed your account password. Now when you login, your system tries to unlock the keyring automatically using the new login password. But the keyring still uses the old login password.
In such a case, you can change the keyring password to the new login password so that the keyring gets unlocked automatically as soon as you login to your system.
Open the Password and Keys application from the menu:
(Screenshot: the Passwords and Keys app in Ubuntu)
Now, right click on the Login keyring and click on Change Password:
(Screenshot: changing the keyring password)
You probably know that it is easy to reset forgotten password in Ubuntu. The problem comes with the keyring in such cases. You changed the account password but you don’t remember the old account password that is still used by the keyring.
Now you cannot change it because you don’t know the old password. What to do now?
In such a case, you’ll have to remove the entire keyring itself. You can do that from the Passwords and Keys application:
(Screenshot: deleting the keyring in Ubuntu)
It will ask for your confirmation:
Alternatively, you may also manually delete the keyring files in ~/.local/share/keyrings.
When the old keyring is removed and you try to use Chrome/Chromium, it will ask you to create a new keyring.
You can use the new login password so that the keyring gets unlocked automatically.
Disable keyring password
In cases where you want to use automatic login but don't want to unlock the keyring manually, you may choose to disable the keyring password with a workaround. Keep in mind that you are disabling a security feature, so think twice before doing so.
The process is similar to changing keyring password. Open Password and Keys application and go on to change the keyring password.
The trick is that when it asks to change the password, don’t enter a new password and hit Continue instead. This will remove any password from the keyring.
(Screenshot: disabling the keyring password in Ubuntu)
This way, the keyring will have no password and it remains unlocked all the time. As explained earlier, a keyring without a password is stored unencrypted on disk, so anyone who can read your home directory can read the saved passwords.