[RFC] Getting GnomeKeyring + PAM to work out of the box

Marcin Wisnicki mwisnicki+freebsd at gmail.com
Sun Jul 27 01:00:31 UTC 2008


On Thu, 17 Jul 2008 14:11:42 -0400, Joe Marcus Clarke wrote:

> On Thu, 2008-07-17 at 18:00 +0000, Marcin Wisnicki wrote:
>> I can provide patches if gnome@ agrees to the changes.
> 
> Yeah, please do.
> 

OK, sorry for delay. I've sent patches to PR:

* x11/gdm:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=125983

There is a problem that base system already contains pam configuration 
for gdm service which gets priority over /usr/local/etc/pam.d/gdm.

I shall request our PAM maintainer to remove /etc/pam.d/gdm and ideally 
reorganize pam configuration like it was done in NetBSD:
  http://cvsweb.netbsd.se/cgi-bin/bsdweb.cgi/src/etc/pam.d/
so there is a single "abstract" display_manager service configuration 
that can be included by real dm's config.

In the meantime however, and to support older base system, I've modified 
gdm startup script to remove /etc/pam.d/gdm. If this is not acceptable 
please share your ideas on how to solve this better.

* x11/xscreensaver-gnome:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=125984

Add KEYRING option like in x11/gdm and enable it by default together with 
PAM (which is needed for this to work). I'm not sure how to handle 
dependency between options so in case of invalid configuration (KEYRING 
&& !PAM) I simply print a warning and proceed without KEYRING.

* x11/gnome-screensaver:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=125994

Similar to above.
Note that PAM still does not work correctly:
  http://bugzilla.gnome.org/show_bug.cgi?id=370847

There should probably be some big warning when enabling pam or 
requirement to set some silly option in /etc/make.conf like 
GNOME_SCREENSAVER_WITH_BROKEN_PAM until this problem is fixed, and in the 
meantime we should consider switching to xscreensaver-gnome as default 
screensaver in Gnome.

* security/gnome-keyring:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=12596

Just a minor fix but a prerequisite to all other changes.

========

There is still one more thing to do which I'm not sure how to handle.
To keep system password and GnomeKeyring key in sync, a line like this 
must be appended to /etc/pam.d/passwd:

password        optional        %%LOCALBASE%%/pam_gnome_keyring.so

On a typical Linux distribution (I've tried Ubuntu) this is present by 
default, which is not a big deal for them because:
 (1) Default search path is known
 (2) LinuxPAM ignores missing modules, OpenPAM unfortunately fails (which
     is against XSSO/PAM spec, see section 5.6.3; I should raise that with
     PAM maintainer).

I see two possible solutions:
 A) Print a message during install of security/gnome-keyring that if user
    wants its keyring key updated automatically then he should append
    proper line to /etc/pam.d/passwd and make sure to remove it if he
    deinstalls gnome.
 B) Do it automatically in pkg-install/pkg-deinstall script.
    It's not nice to write to /etc but some other ports do it anyway and
    that's probably the only way to make it work like plug-n-play.
    There is also a question which port should have this logic:
    x11/gnome, security/gnome-keyring or maybe something else ?

Having said that, most people don't change their passwords all that often 
and updating keyring's key manually takes just 4 clicks, so I guess A) is 
enough.

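As an added illustration of option B above (not part of the post or of the patches it links), a pair of POSIX sh hooks of the kind a pkg-install/pkg-deinstall script could carry: they append the `password optional .../pam_gnome_keyring.so` line to a pam.d passwd file exactly once, refuse to add it when the module file is not actually installed (since OpenPAM treats a missing module as a hard failure, which would break passwd), and strip only that line again on deinstall. The function names and the parameterised file/module paths are assumptions; the real targets would be /etc/pam.d/passwd and the module's installed path.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeBSD ports tree.
# PAM_FILE and MODULE are passed as arguments so the hooks can be tried
# on a scratch copy instead of the live /etc/pam.d/passwd.

# The line to append, in the form given in the post.
keyring_line() {
    printf 'password\toptional\t%s\n' "$1"
}

# 0 if the file already has a pam_gnome_keyring password line.
has_keyring_line() {
    grep -Eq '^[[:space:]]*password[[:space:]]+[a-z]+[[:space:]]+[^[:space:]]*pam_gnome_keyring\.so' "$1"
}

# Install hook: idempotent, and only when the module really exists.
# OpenPAM fails the whole stack on a missing module, so adding the line
# without the .so in place would lock users out of passwd(1).
keyring_pam_install() {
    pam_file=$1
    module=$2
    if [ ! -f "$module" ]; then
        echo "$module not found; leaving $pam_file untouched" >&2
        return 1
    fi
    if has_keyring_line "$pam_file"; then
        return 0
    fi
    keyring_line "$module" >> "$pam_file"
}

# Deinstall hook: remove only the lines referencing the module, and
# rewrite in place so ownership and mode of the pam file are preserved.
keyring_pam_deinstall() {
    pam_file=$1
    tmp=$(mktemp) || return 1
    grep -Ev 'pam_gnome_keyring\.so' "$pam_file" > "$tmp" || :
    cat "$tmp" > "$pam_file"
    rm -f "$tmp"
}
```

Each hook is safe to run more than once, so repeated reinstalls do not stack duplicate lines.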