Description of problem:

Hello,

I've got Fedora 7 (x86 - Gnome) running on my laptop (IBM/Lenovo T60).

1) I took care of the annoying requests by the 'Gnome Keyring Manager' (accessing WAP key every boot) by installing pam_keyring and adding a couple of lines to /etc/pam.d/gdm:

#%PAM-1.0
auth required pam_env.so
# Following keyring line added
auth optional pam_keyring.so try_first_pass
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# Following keyring line added
session optional pam_keyring.so

This worked in a rather lovely fashion and I had no further problems... until:

2) I use the built-in fingerprint reader, so I installed the 'thinkfinger' module.

# rpm -qa | grep think
thinkfinger-0.3-2.fc7
thinkfinger-devel-0.3-2.fc7

The fingerprint reader works fine and I was able to acquire and verify fingerprints. I then made the following changes to my /etc/pam.d/system-auth:

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# Following line added for fingerprint reader
auth sufficient pam_thinkfinger.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

This kind of worked.

At the login screen I could type in my username, but then it presented me with "Password:" though I could hit enter to null through, and it prompted "Enter password or swipe finger". So I could scan my finger and get in - but the keyring-manager demanded a password again.

More concerned with the login method:

Username >enter Password > "Enter password or scan finger"

After I log in, the keyring-manager doesn't ask for a password.

If I comment out one of the lines in /etc/pam.d/gdm:

#%PAM-1.0
auth required pam_env.so
# Following keyring line added
#auth optional pam_keyring.so try_first_pass

then at the login screen I could type in my username, but then it presented me with "Enter password or swipe finger". So I could scan my finger and get in - but the keyring-manager demanded a password again.

Version-Release number of selected component (if applicable):

# uname -r
2.6.22.1-41.fc7
# rpm -qa | grep pam_
pam_ccreds-4-2.fc7
pam_krb5-2.2.11-1
pam_smb-1.1.7-7.2.1
pam_passwdqc-1.0.2-1.2.2
pam_keyring-0.0.9-1.fc7
pam_pkcs11-0.5.3-24

That's very much the expected behavior. The gnome keyring manager DOES need your password in order to decrypt the default keyring. If you manage to log in without entering your password (using the fingerprint, but also, for example, by configuring gdm to automatically log in as you), then you can't unlock the keyring automatically.
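
An added example, not part of the original report or of any project named in it: a static check of the auth stack quoted above that flattens the `include` of system-auth and lists every `sufficient` module through which a login can complete with no password, alongside the modules in the same stack that depend on one. The `PASSWORDLESS` and `NEEDS_PASSWORD` sets and the function names are assumptions made for this illustration.

```python
# Added example: find passwordless exits in a PAM auth stack (constructed input).
PAM_FILES = {  # auth lines only, copied from the two files quoted in the report
    "gdm": (
        "auth required pam_env.so\n"
        "auth optional pam_keyring.so try_first_pass\n"
        "auth include system-auth\n"
    ),
    "system-auth": (
        "auth required pam_env.so\n"
        "auth sufficient pam_thinkfinger.so\n"
        "auth sufficient pam_unix.so try_first_pass\n"
        "auth requisite pam_succeed_if.so uid >= 500 quiet\n"
        "auth required pam_deny.so\n"
    ),
}
# Assumptions (not from the page): modules that can succeed without the account
# password, and modules that need that password to unlock a secret store.
PASSWORDLESS = {"pam_thinkfinger.so"}
NEEDS_PASSWORD = {"pam_keyring.so"}


def auth_stack(service, files=PAM_FILES, seen=()):
    """Flatten the auth stack of `service`, following `include` lines in order."""
    if service in seen:
        raise ValueError(f"include loop at {service}")
    stack = []
    for line in files[service].splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, target = fields[1], fields[2]
        if control == "include":
            stack += auth_stack(target, files, seen + (service,))
        else:
            stack.append((control, target))
    return stack


def audit(service, files=PAM_FILES):
    """Return (module, dependents): each `sufficient` passwordless module can end
    the stack with success, leaving `dependents` without a verified password."""
    stack = auth_stack(service, files)
    dependents = sorted({m for _, m in stack if m in NEEDS_PASSWORD})
    return [(m, dependents) for c, m in stack
            if c == "sufficient" and m in PASSWORDLESS]


if __name__ == "__main__":
    for module, dependents in audit("gdm"):
        print(f"{module}: login can succeed without a password; affects {dependents}")
```
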