[RFC] Getting GnomeKeyring + PAM to work out of the box
Marcin Wisnicki
mwisnicki+freebsd at gmail.com
Sun Jul 27 01:00:31 UTC 2008
On Thu, 17 Jul 2008 14:11:42 -0400, Joe Marcus Clarke wrote:
> On Thu, 2008-07-17 at 18:00 +0000, Marcin Wisnicki wrote:
>> I can provide patches if gnome@ agrees to the changes.
>
> Yeah, please do.
>
OK, sorry for delay. I've sent patches to PR:
* x11/gdm:
http://www.freebsd.org/cgi/query-pr.cgi?pr=125983
There is a problem that base system already contains pam configuration
for gdm service which gets priority over /usr/local/etc/pam.d/gdm.
I shall request our PAM maintainer to remove /etc/pam.d/gdm and ideally
reorganize pam configuration like it was done in NetBSD:
http://cvsweb.netbsd.se/cgi-bin/bsdweb.cgi/src/etc/pam.d/
so there is a single "abstract" display_manager service configuration
that can be included by real dm's config.
In the meantime, however, and to support older base systems, I've modified
the gdm startup script to remove /etc/pam.d/gdm. If this is not acceptable,
please share your ideas on how to solve this better.
* x11/xscreensaver-gnome:
http://www.freebsd.org/cgi/query-pr.cgi?pr=125984
Add a KEYRING option like in x11/gdm and enable it by default together with
PAM (which is needed for this to work). I'm not sure how to handle the
dependency between options, so in case of an invalid configuration (KEYRING
&& !PAM) I simply print a warning and proceed without KEYRING.
* x11/gnome-screensaver:
http://www.freebsd.org/cgi/query-pr.cgi?pr=125994
Similar to above.
Note that PAM still does not work correctly:
http://bugzilla.gnome.org/show_bug.cgi?id=370847
There should probably be some big warning when enabling PAM, or a
requirement to set some silly option in /etc/make.conf like
GNOME_SCREENSAVER_WITH_BROKEN_PAM, until this problem is fixed, and in the
meantime we should consider switching to xscreensaver-gnome as the default
screensaver in Gnome.
* security/gnome-keyring:
http://www.freebsd.org/cgi/query-pr.cgi?pr=12596
Just a minor fix but a prerequisite to all other changes.
========
There is still one more thing to do which I'm not sure how to handle.
To keep system password and GnomeKeyring key in sync, a line like this
must be appended to /etc/pam.d/passwd:
password optional %%LOCALBASE%%/pam_gnome_keyring.so
On a typical Linux distribution (I've tried Ubuntu) this is present by
default, which is not a big deal for them because:
(1) The default search path is known.
(2) Linux-PAM ignores missing modules; OpenPAM unfortunately fails (which
is against the XSSO/PAM spec, see section 5.6.3; I should raise that with
the PAM maintainer).
I see two possible solutions:
A) Print a message during install of security/gnome-keyring that if the user
wants his keyring key updated automatically, then he should append the
proper line to /etc/pam.d/passwd and make sure to remove it if he
deinstalls gnome.
B) Do it automatically in a pkg-install/pkg-deinstall script.
It's not nice to write to /etc, but some other ports do it anyway, and
that's probably the only way to make it work plug-and-play.
There is also a question which port should have this logic:
x11/gnome, security/gnome-keyring or maybe something else ?
Having said that, most people don't change their passwords all that often
and updating keyring's key manually takes just 4 clicks, so I guess A) is
enough.
More information about the freebsd-gnome mailing list
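One way to implement option B, as an added example that is not part of the original post or of any FreeBSD port: a POSIX sh helper in the shape of a pkg-install/pkg-deinstall script that appends the pam_gnome_keyring line to a pam.d passwd file only when the module file actually exists (because OpenPAM, unlike Linux-PAM, fails on a missing module, the line must never outlive the module), appends it only once, and removes exactly that line again on deinstall, leaving the rest of the file and its mode untouched. The pam.d file and module path are function parameters so the logic can be exercised against a scratch directory; the defaults /etc/pam.d/passwd and /usr/local/lib/pam_gnome_keyring.so, the PAM_PASSWD/KEYRING_MODULE overrides and the "$1 = package name, $2 = phase" calling convention are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post or any FreeBSD port: a helper in
# the shape of a pkg-install/pkg-deinstall script that keeps the
# "password optional .../pam_gnome_keyring.so" line in a pam.d passwd file
# in sync with the module being installed.
#
# Assumptions (hypothetical, for the example): the pam.d file and module path
# are passed as arguments so the functions can run against a scratch
# directory; the defaults below stand in for /etc/pam.d/passwd and the
# module the port would install under ${LOCALBASE}/lib.

PAM_PASSWD_DEFAULT=/etc/pam.d/passwd
KEYRING_MODULE_DEFAULT=/usr/local/lib/pam_gnome_keyring.so

# keyring_line MODULE: print the pam.d line that enables MODULE for passwd(1).
# "optional" means a keyring failure never blocks the password change itself.
keyring_line() {
    printf 'password\toptional\t%s\n' "$1"
}

# keyring_enabled PAMFILE: true if PAMFILE already references the module.
keyring_enabled() {
    grep -q 'pam_gnome_keyring\.so' "$1" 2>/dev/null
}

# keyring_install PAMFILE MODULE: append the line once.  Refuses when MODULE
# does not exist: OpenPAM treats a missing module as an error (Linux-PAM only
# ignores it), so a dangling line would break every password change.
keyring_install() {
    pamfile=$1 module=$2
    if [ ! -f "$module" ]; then
        echo "keyring_install: $module not found, leaving $pamfile alone" >&2
        return 1
    fi
    keyring_enabled "$pamfile" && return 0   # idempotent on re-install
    keyring_line "$module" >> "$pamfile"
}

# keyring_deinstall PAMFILE: drop only the gnome-keyring line and keep the
# rest of the file.  awk is used instead of grep -v because grep -v exits 1
# when no line is left, which a set -e caller would treat as a failure.
keyring_deinstall() {
    pamfile=$1
    [ -f "$pamfile" ] || return 0
    tmp=$(mktemp "$pamfile.XXXXXX") || return 1
    awk '!/pam_gnome_keyring\.so/' "$pamfile" > "$tmp" &&
        cat "$tmp" > "$pamfile"   # rewrite in place so the inode keeps its mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Dispatch in the old pkg_install style (package name in $1, phase in $2).
# Run with no arguments, e.g. when sourced, this only defines the functions.
case "${2:-}" in
    POST-INSTALL) keyring_install "${PAM_PASSWD:-$PAM_PASSWD_DEFAULT}" \
                                  "${KEYRING_MODULE:-$KEYRING_MODULE_DEFAULT}" ;;
    DEINSTALL)    keyring_deinstall "${PAM_PASSWD:-$PAM_PASSWD_DEFAULT}" ;;
esac
```

Wiring this into a port would mean calling the script from pkg-install with POST-INSTALL and from pkg-deinstall with DEINSTALL; the module check is the part that matters on OpenPAM, since a line pointing at a module that the deinstall removed would fail every later passwd(1) run.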