Bug 251844 - Problem with pam_keyring and thinkfinger module
Problem with pam_keyring and thinkfinger module
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: pam_keyring (Show other bugs)
7
i386 Linux
low Severity low
: ---
: ---
Assigned To: Denis Leroy
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-12 06:49 EDT by Pakhom
Modified: 2007-12-02 18:59 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-02 18:59:58 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Pakhom 2007-08-12 06:49:20 EDT
Description of problem:

Hello,

I've got Fedora 7 (x86 -Gnome) running on my laptop (IBM/Lenovo T60).

1) I took care of the annoying requests by the 'Gnome Keyring Manager'
(accessing WAP key every boot) by installing pam_keyring and add a couple of
lines in the /etc/pam.d/gdm

#%PAM-1.0
auth required pam_env.so
# Following keyring line added
auth optional pam_keyring.so try_first_pass
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# Following keyring line added
session optional pam_keyring.so

This worked in a rather lovely fashion and I had no further problems... until:

2) I use of the built in fingerprint reader, so I installed 'thinkfinger' module.

# rpm -qa | grep think
thinkfinger-0.3-2.fc7
thinkfinger-devel-0.3-2.fc7

The fingerprint reader works fine and I was able to aquire and verify
fingerprints. I then made the following changes to my /etc/pam.d/system-auth

]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
# Following line added for fingerprint reader
auth        sufficient    pam_thinkfinger.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet
use_uid
session     required      pam_unix.so


This kind of worked. At the login screen I could type in my username, but then
it presented me with "Password:" though I could hit enter to null through, and
it prompted "Enter password or swipe finger". So I could scan my finger and get
in - but the keyring-manager demanded a password again.


More concerned with the login method:

Username >enter Password > "Enter password or scan finger" after I logging and
keyring-manager don't ask a password.

If I comment one of lines in the /etc/pam.d/gdm

#%PAM-1.0
auth required pam_env.so
# Following keyring line added
#auth optional pam_keyring.so try_first_pass

at the login screen I could type in my username, but then it presented me "Enter
password or swipe finger". So I could scan my finger and get in - but the
keyring-manager demanded a password again.



Version-Release number of selected component (if applicable):
# uname -r
2.6.22.1-41.fc7

# rpm -qa | grep pam_
pam_ccreds-4-2.fc7
pam_krb5-2.2.11-1
pam_smb-1.1.7-7.2.1
pam_passwdqc-1.0.2-1.2.2
pam_keyring-0.0.9-1.fc7
pam_pkcs11-0.5.3-24
Comment 1 Denis Leroy 2007-12-02 18:59:58 EST
There's very much the expected behavior. The gnome keyring manager DOES need
your password in order to decrypt the default keyring. If you manage to log in
without entering your password (using the fingerprint, but also for example, by
configuring gdm to automatically log in as you), then you can't unlock the
keyring automatically.

Note You need to log in before you can comment on or make changes to this bug.