Bug 453880 - pam_gnome_keyring.so doesn't initialize properly on != gnome
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: gnome-keyring
Version: 12
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Tomáš Bžatek
QA Contact: Fedora Extras Quality Assurance
Keywords: Regression, Reopened, Triaged
Duplicates: 526023 531345
Reported: 2008-07-02 20:14 EDT by Carl Roth
Modified: 2015-03-03 17:32 EST
Fixed In Version: 2.28.2-2.fc12
Doc Type: Bug Fix
Last Closed: 2010-01-12 18:40:46 EST
Description Carl Roth 2008-07-02 20:14:43 EDT
Description of problem:

The latest version of kdm (in kde-settings-kdm-4.0-24) turns on
pam_gnome_keyring by default.  kdm does not initialize pam_gnome_keyring and/or
gnome-keyring-daemon correctly, and as a result, SSH authentication does not
work properly.  SSH reports

  Agent admitted failure to sign using the key.

and the syslog for gnome-keyring-daemon reports

  gnome-keyring-daemon[29733]: missing dialog response from ask tool
  gnome-keyring-daemon[29733]: couldn't get private signing key

I did a little bit of diagnosis on this, by inserting a shell script at
/usr/libexec/gnome-keyring-ask (the hard-coded app launched by
gnome-keyring-daemon to get passwords).  I see that gnome-keyring-ask is started
with an empty environment, specifically lacking a $DISPLAY.  If I tweak the
shell script to

  1. set a $DISPLAY
  2. re-launch /usr/libexec/gnome-keyring-ask.MOVED

then the SSH logins work correctly (with private key unlocking and password
caching).

Previous versions of kde-settings-kdm didn't launch gnome-keyring-daemon
automatically; if I launched it myself in /etc/X11/xinit/xinitrc.d it would be
initialized correctly with a valid $DISPLAY.

I also tried setting

  ExportList=DISPLAY

in /etc/kde/kdm/kdmrc, but it didn't fix the issue.

I saw a similar report at

  https://bugs.launchpad.net/ubuntu/+source/gnome-keyring-manager/+bug/158345

and the workaround (kill GKD and restart it) works implicitly because the shell
that re-launched GKD has a proper $DISPLAY.  This isn't an ideal solution, of
course, and in particular it dumps the --login information that was passed in
from the PAM module, disabling the SSO features of pam_gnome_keyring.

Version-Release number of selected component (if applicable):

kde-settings-kdm-4.0-24.fc9.noarch
gnome-keyring-pam-2.22.1-1.fc9.x86_64

Comment 1 Kevin Kofler 2008-07-02 20:24:16 EDT
Other possible workarounds:
rpm -e gnome-keyring-pam
or remove the lines containing pam_gnome_keyring.so from /etc/pam.d/kdm.

See also:
https://bugzilla.redhat.com/show_bug.cgi?id=447245#c10

I'd be tempted to just unpush that update, but unpushing an update from stable 
is probably a bad idea, if Bodhi even still allows it. I guess we have to push 
another update reverting the broken change.
Comment 2 Carl Roth 2008-07-02 20:34:52 EDT
I would prefer of course to have SSO in some form or another
(gnome-keyring-daemon or otherwise) "just work" for KDE.
Comment 3 Kevin Kofler 2008-07-02 20:39:49 EDT
Me too, but as far as I can tell, what we have right now does NOT work.

(Grrr, why can't gnome-keyring simply accept passwordless keyrings like KWallet 
does?)
Comment 4 Rex Dieter 2008-07-02 21:55:12 EDT
For me, it worked only after resetting/removing the existing gnome-keyring
password.  (And afaik, this is what gdm/gnome users experience too when moving
from not using gnome-keyring to using it).
Comment 5 Carl Roth 2008-07-02 22:51:51 EDT
I tried that too, and it didn't work.

I started fresh, with an empty gnome-keyring (deleting everything in
.gnome2/keyrings).  GKD did set me up with a new login keyring.  This system
isn't using NetworkManager, so I can verify that the SSO worked as advertised...

The first time I tried to use SSH (with an encrypted private key) it still tried
to launch gnome-keyring-ask (unsuccessfully) to fill in GKD's keyring.
Comment 6 Rex Dieter 2008-07-03 07:33:16 EDT
Shrug, dunno, never used ssh with gnome-keyring, I only use it with nm-applet,
and it does work there for me.

See also:
http://fedoraunity.org/Members/thomasj/Gnome-keyring
for some tips.
Comment 7 Kevin Kofler 2008-07-03 08:26:18 EDT
The setup there tries first pam_keyring.so (the old (deprecated) pam_keyring) 
and only if that's not available pam_gnome_keyring.so (the new 
gnome-keyring-pam). The setup now in kde-settings only tries the new 
pam_gnome_keyring.so. Maybe that's the difference?
Comment 8 Rex Dieter 2008-09-06 14:04:31 EDT
I'm still of a mind that there's a subtle user-configuration issue here, related only to gnome-keyring, reassigning there in the hopes that the kind/insightful folks there can comment.
Comment 9 David Hull 2008-12-05 21:47:15 EST
I'm having a variation on this problem.  I'm using the WindowMaker window manager.  When I log in and attempt to use a program which wants to use gnome-keyring-daemon (such as evolution) it fails, and I get the following output in /var/log/messages:

  Dec  5 17:28:01 dale gnome-keyring-ask: Gtk: cannot open display: 
  Dec  5 17:28:01 dale gnome-keyring-daemon[10212]: couldn't write data to ask tool: Broken pipe
  Dec  5 17:28:01 dale gnome-keyring-ask: Gtk: cannot open display: 
  Dec  5 17:28:01 dale gnome-keyring-daemon[10212]: couldn't write data to ask tool: Broken pipe

Running "ps augxeww | egrep gnome-keyring-daemon" reveals that the DISPLAY environment variable is indeed not set.

In trying to figure out where gnome-keyring-daemon was getting started from, I put the following line into /etc/X11/xinit/Xsession:

  echo "gnome-keyring-daemon:" $(ps -ef | egrep gnome-keyring-daemon)

and found that multiple gnome-keyring-daemon instances were being started as I logged in, but only the first one (with a PPID of 1, which I'm guessing is the one started by PAM) ended up running once I was able to get a shell window open.

As a workaround for the problem, I put the following in my .xsession file to kill off the existing gnome-keyring-daemon and start a new one:

  if pkill -u $UID -f gnome-keyring-daemon; then
    echo "restarting gnome-keyring-daemon"
    eval $(gnome-keyring-daemon | perl -p -e '$_ = "declare -x ".$_;')
  fi

I wonder if, when logging in using gnome, gnome doesn't kill off any existing gnome-keyring-daemon process itself and restart it.  I speculate this because of the existence of the file /usr/share/gnome/autostart/gnome-keyring-daemon-wrapper.desktop.  However, I am not at all familiar with gnome, so I could be wrong.
Comment 10 Mary Ellen Foster 2009-01-02 15:57:52 EST
I'm seeing the problem described in comment #9 on F10, using KDM and KDE. Oddly, my husband (using basically the same configuration) is *not* seeing the issue -- his NetworkManager passwords are being remembered properly. The only real difference between his laptop and mine is that he installed with the installer and I installed from the LiveCD, but I can't imagine that would make a difference.
Comment 11 Rex Dieter 2009-01-02 16:43:03 EST
My suggestion to reset keyrings:
yum install gnome-keyring-manager
run it
menu: view -> keyrings
select 'login' keyring
menu: keyring -> delete
logout/login
Comment 12 Rex Dieter 2009-01-02 16:43:48 EST
oh, and:
yum install gnome-keyring-pam
(to ensure it is installed)
Comment 13 Rex Dieter 2009-01-22 10:10:59 EST
ping, any comment/feedback/hints-to-debug from a gnome-keyring maintainer (or other) would be appreciated.
Comment 14 Mike C 2009-02-05 10:47:47 EST
I have ssh working fine but I notice that every time I restart X I get the following in the log files:
--------------------- Connections (secure-log) Begin ------------------------ 

 Failed adding users:
    rpcuser: 1 Time(s)
    haldaemon: 1 Time(s)
 
 
 **Unmatched Entries**
    kdm: :0: gnome-keyring-daemon: couldn't lookup keyring component setting: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://www.gnome.org/projects/gconf/ for information. (Details -  1: Not running within active session)gnome-keyring-daemon: couldn't lookup ssh component setting: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://www.gnome.org/projects/gconf/ for information. (Details -  1: Not running within active session)gnome-keyring-daemon: couldn't lookup pkcs11 component setting: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://www.gnome.org/projects/gconf/ for information. (Details -  1: Not running within active session): 2 Time(s)
 
 ---------------------- Connections (secure-log) End ------------------------- 

I am running Gnome with KDM login manager.
The system is F10 fully up to date, and the hardware is:
http://www.smolts.org/client/show/pub_f0a3719e-b5d0-4662-897a-fbd0f5485b5d

Is this related?
Comment 15 Arkadi Shishlov 2009-02-07 14:42:38 EST
I see the same problem with gnome-keyring:
1. Installed Fedora 10 with KDE
2. Connected to WPA protected wireless network
3. NetworkManager applet asked to initialize the keyring
4. Installed GNOME
5. KDM is a login manager
6. Now NetworkManager asks for WEP/WPA passwords every time

Removing /lib/security/pam_gnome_keyring.so restored NetworkManager functionality

Feb  7 16:10:15 smarty gnome-keyring-ask: Gtk: cannot open display:
Feb  7 16:10:15 smarty gnome-keyring-daemon[3107]: missing dialog response from ask tool
Feb  7 16:10:15 smarty gnome-keyring-daemon[3107]: the gnome-keyring-daemon process may not have been initialized properly, as its environment is missing the 'DISPLAY' variable.
Feb  7 16:10:16 smarty gnome-keyring-ask: Gtk: cannot open display:
Feb  7 16:10:16 smarty gnome-keyring-daemon[3107]: couldn't write data to ask tool: Broken pipe
Feb  7 16:10:16 smarty gnome-keyring-ask: Gtk: cannot open display:
Feb  7 16:10:16 smarty gnome-keyring-daemon[3107]: couldn't write data to ask tool: Broken pipe
Feb  7 16:10:16 smarty gnome-keyring-ask: Gtk: cannot open display:
Feb  7 16:10:16 smarty gnome-keyring-daemon[3107]: couldn't write data to ask tool: Broken pipe
Comment 16 Rex Dieter 2009-02-07 14:50:22 EST
resetting needinfo to pkg maintainer for feedback to comment #13
Comment 17 Milos Jakubicek 2009-02-16 14:00:29 EST
(In reply to comment #11)
> My suggestion to reset keyrings:
> yum install gnome-keyring-manager
> run it
> menu: view -> keyrings
> select 'login' keyring
> menu: keyring -> delete
> logout/login

I tried this today on one of the /all:)/ affected machines, but unfortunately it didn't help anyway :(
Comment 18 Orion Poplawski 2009-02-27 18:13:43 EST
*some* of my users ended up in this state.  Others did not.
Comment 19 Rex Dieter 2009-03-13 13:55:29 EDT
*ping* gnome-keyring maintainers, comment please.  It's been quite a while, with no input.
Comment 20 Egon Kastelijn 2009-04-10 02:08:48 EDT
I am having the exact same problem as mentioned in Comment #15.

Apr 10 07:41:19 lap0001 gnome-keyring-ask: Gtk: cannot open display:                                              
Apr 10 07:41:19 lap0001 gnome-keyring-daemon[6224]: missing dialog response from ask tool                         
Apr 10 07:41:19 lap0001 gnome-keyring-daemon[6224]: the gnome-keyring-daemon process may not have been initialized properly, as its environment is missing the 'DISPLAY' variable.

I 'solved' the problem using Comment #11

I think the problem was related to the fact that my keyring was protected by a password.
Comment 21 Jithin Emmanuel 2009-05-25 11:38:42 EDT
(In reply to comment #11)
> My suggestion to reset keyrings:
> yum install gnome-keyring-manager
> run it
> menu: view -> keyrings
> select 'login' keyring
> menu: keyring -> delete
> logout/login  

This helped me, though I am using Kubuntu Jaunty. There was no help from any Ubuntu documentation regarding this issue. The key was in deleting the existing default keyring. In the presence of the default keyring, PAM was not able to create the login keyring.
Also I borrowed PAM kdm settings from http://svn.fedorahosted.org/svn/kde-settings/trunk/etc/pam.d/kdm
Removing system-auth and pam_console did the trick for me in Ubuntu.
Comment 22 Bug Zapper 2009-06-09 21:53:42 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 23 Bug Zapper 2009-07-14 14:23:36 EDT
Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 24 Arkadi Shishlov 2009-07-14 14:30:42 EDT
I can't reopen the bug, but it surely applies to Fedora 10 as well.
Comment 25 Kevin Kofler 2009-07-16 14:39:02 EDT
Reopening and retargeting to F10 based on comment #24.
Comment 26 Kevin Kofler 2009-07-16 18:04:45 EDT
Resetting needinfo, Rex Dieter's ping from almost 6 months ago (comment #13):
> ping, any comment/feedback/hints-to-debug from a gnome-keyring maintainer (or
> other) would be appreciated.
has still not been answered.
Comment 27 Mike C 2009-07-17 03:46:32 EDT
Is this still an issue in F11? I don't remember seeing the same messages I had in comment #14 once I installed F11 but I will check.
Comment 28 Tomáš Bžatek 2009-07-21 08:12:23 EDT
Before I forward this bug upstream, can you please check the issue is reproducible on F11 with gnome-keyring-2.26.3-1.fc11?
Comment 29 Arkadi Shishlov 2009-07-29 15:15:36 EDT
Both F11 and F10 with the latest available gnome-keyring and gnome-keyring-pam packages installed have this issue.
The workaround is to uninstall gnome-keyring-pam package and comment out pam_gnome_keyring entries in pam.d/kdm.

I also tried pam_keyring and it spawns the keyring daemon which is not used by NetworkManager applet, but also does not harm or influence anything. NetworkManager applet starts its own keyring daemon.
Comment 30 Vladimir Ermakov 2009-08-25 02:47:20 EDT
This bug is present in F12 (rawhide).
Comment 31 Enygma 2009-10-04 18:09:48 EDT
*** Bug 526023 has been marked as a duplicate of this bug. ***
Comment 32 Bug Zapper 2009-11-18 05:14:00 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 33 Rex Dieter 2009-11-21 23:09:56 EST
Rebasing to F-12, based on comment #30
Comment 34 Matthias Clasen 2009-12-06 20:54:50 EST
This comment from gkr-daemon.c explains some of what is going on here:

        /* 
         * The gnome-keyring startup is not as simple as I wish it could be. 
         * 
         * It's often started in the primordial stages of a session, where 
         * there's no DBus, no GConf, and no proper X display. This is the 
         * strange world of PAM.
         * 
         * When started with the --login option, we do as little initialization
         * as possible. We expect a login password on the stdin, and unlock
         * or create the login keyring.
         * 
         * Then later we expect gnome-keyring-daemon to be run again with the 
         * --start option. This second gnome-keyring-daemon will hook the
         * original daemon up with environment variables necessary to initialize
         * itself and bring it into the session. This second daemon usually exits.
Comment 35 Ian Pilcher 2009-12-08 09:49:19 EST
Matthias seems to have broken the code.  I created
~/.kde/Autostart/gnome-keyring-daemon.sh:

  #!/bin/bash
  exec /usr/bin/gnome-keyring-daemon --start

Rebooted and I was prompted for my keyring password when nm-applet tried to
connect to my wireless network.  I selected the option to remember/not prompt
for my password, rebooted again, and was automatically connected to the wire-
less network when I logged in.
Comment 36 Matthias Clasen 2009-12-08 12:42:34 EST
> Matthias seems to have broken the code.

That's nice for a change. Usually, I fix the code :)
Comment 37 Rex Dieter 2009-12-12 21:05:35 EST
If gnome-keyring-daemon is expected to be (re)started for the session, why does
/etc/xdg/autostart/gnome-keyring-daemon.desktop
contain,
OnlyShowIn=GNOME;
?

Or am I missing something?
Comment 38 Rex Dieter 2009-12-30 14:26:39 EST
So, let's take the non-denial of comment #37 as a tacit approval.

Anyone still experiencing this, mind removing 
OnlyShowIn=GNOME;
from
/etc/xdg/autostart/gnome-keyring-daemon.desktop
to see if that helps any?
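
The two checks this thread relies on, as an added example that is not part of the original bug report or of gnome-keyring's code: whether a running gnome-keyring-daemon was started without DISPLAY (comment #9), and whether the autostart entry that performs the second `--start` run is filtered out by OnlyShowIn for a given desktop (comments #37 and #38). The function names, the script name `check-gkd.sh` and passing the desktop name as an argument are assumptions.

```sh
#!/bin/sh
# Added diagnostic (not from the bug thread or from gnome-keyring itself).

# proc_has_var ENVIRON_FILE NAME
# True if a NUL-separated environment block (the /proc/PID/environ format)
# defines NAME with a non-empty value. /proc/PID/environ shows the environment
# the process was exec'ed with, so this identifies a PAM-started daemon; it
# does not show whether a later --start run has reached it.
proc_has_var() {
    { tr '\0' '\n' < "$1"; } 2>/dev/null | grep -q "^$2=."
}

# desktop_key FILE KEY: print KEY's value from the [Desktop Entry] group.
desktop_key() {
    awk -v key="$2" '
        /^\[/ { in_entry = ($0 == "[Desktop Entry]"); next }
        in_entry && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v)
                print v; exit
            }
        }' "$1"
}

# list_has LIST ITEM: true if the ';'-separated LIST contains ITEM.
list_has() {
    case ";$1;" in *";$2;"*) return 0 ;; esac
    return 1
}

# autostart_applies FILE DESKTOP
# True if a session identifying itself as DESKTOP (e.g. GNOME, KDE) would run
# the entry: not Hidden, listed in OnlyShowIn if that key is set, and not
# listed in NotShowIn.
autostart_applies() {
    [ -r "$1" ] || return 1
    if [ "$(desktop_key "$1" Hidden)" = "true" ]; then return 1; fi
    only=$(desktop_key "$1" OnlyShowIn)
    not=$(desktop_key "$1" NotShowIn)
    if [ -n "$only" ] && ! list_has "$only" "$2"; then return 1; fi
    if list_has "$not" "$2"; then return 1; fi
    return 0
}

# report DESKTOP [FILE]: check the current user's daemons and the autostart entry.
report() {
    file=${2:-/etc/xdg/autostart/gnome-keyring-daemon.desktop}
    for pid in $(pgrep -u "$(id -u)" -f gnome-keyring-daemon); do
        if proc_has_var "/proc/$pid/environ" DISPLAY; then
            echo "pid $pid: started with DISPLAY"
        else
            echo "pid $pid: started without DISPLAY"
        fi
    done
    if autostart_applies "$file" "$1"; then
        echo "$file: would run in a $1 session"
    else
        echo "$file: would NOT run in a $1 session"
    fi
}

# Run only when asked, e.g.:  sh check-gkd.sh --report KDE
if [ "${1:-}" = "--report" ]; then report "${2:-KDE}"; fi
```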
Comment 39 mckieolov 2010-01-01 15:42:42 EST
I just hit this bug, on a fully updated F12 64bit. (installed from a F11 KDE livecd, then updated to F12 with preupgrade) 

I added GNOME (yum groupinstall "GNOME Desktop Environment" ), and after that NetworkManager in KDE no longer used gnome keyring to remember my wireless passwords. 

So I removed OnlyShowIn=GNOME as suggested in comment #38, now it works again!

Thank you!
Comment 40 Fedora Update System 2010-01-05 07:43:54 EST
gnome-keyring-2.26.3-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/gnome-keyring-2.26.3-2.fc11
Comment 41 Fedora Update System 2010-01-05 07:45:08 EST
gnome-keyring-2.28.2-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gnome-keyring-2.28.2-2.fc12
Comment 42 Matthias Clasen 2010-01-05 10:14:25 EST
Fwiw, sounds fine to me. Thanks for looking into this, Rex.
Comment 43 Fedora Update System 2010-01-05 17:53:49 EST
gnome-keyring-2.26.3-2.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
  su -c 'yum --enablerepo=updates-testing update gnome-keyring'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0191
Comment 44 Fedora Update System 2010-01-05 17:55:14 EST
gnome-keyring-2.28.2-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
  su -c 'yum --enablerepo=updates-testing update gnome-keyring'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0195
Comment 45 Fedora Update System 2010-01-12 18:40:37 EST
gnome-keyring-2.26.3-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 46 Fedora Update System 2010-01-12 18:40:56 EST
gnome-keyring-2.28.2-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 47 Rex Dieter 2010-05-03 11:22:00 EDT
*** Bug 531345 has been marked as a duplicate of this bug. ***
