Gnome-keyring problems (with chromium) [partly solved]

ilu
Posts: 2424
Joined: 09 Oct 2013 12:45


Postby ilu » 19 Jul 2019 18:59

The Chromium/keyring bug is a really old one that has bugged me for several years now (it keeps returning for whatever reason, but probably because our systems are missing some gnome integration). Proposed solutions:

1. Radical: uninstall gnome-keyring or sudo mv /usr/bin/gnome-keyring-daemon /usr/bin/gnome-keyring-daemon-old && sudo killall gnome-keyring-daemon

I'll rule out no 1 because some packages rely on gnome-keyring and will either fail on install or make the problem reappear.

2. provide an empty password to the keyring: https://www.ricksdailytips.com/prevent- ... th-ubuntu/

You don't bork security because of a misbehaving app.

3. edit the chromium desktop file to use basic password storage: https://ubuntuforums.org/showthread.php ... st13708937

--password-store=<basic|gnome|kwallet>
Set the password store to use. The default is to automatically detect based on the desktop environment. basic selects the built in, unencrypted password store. gnome selects Gnome keyring. kwallet selects (KDE) KWallet. (Note that KWallet may not work reliably outside KDE.)

No 2 and 3 work but are not desirable options if the user stores passwords in the browser. If we can't find another solution we should choose no 3 and investigate keepass/keepassxc.

4. Setting the keyring password to the login password - that way the keyring should be unlocked during login. But for some reason on our systems gnome-keyring doesn't get auto unlocked during login.

No 4 would be the best way to go but doesn't work on our systems because we are missing integral parts of gnome that might make this work.


Re: Gnome-keyring problems

Postby ilu » 19 Jul 2019 19:00

for XFCE Load ‘GNOME: password service’ (gnome-keyring-daemon --start components=secrets) at session start (session and startup GUI app?)
install ‘seahorse’ and set the same password as for your account for Chrome Safe Storage
SolydX9 settings have these entries but disabled. Testing now. SolydX10 doesn't have them.

Installing chromium in a VM resulted in a keyring popup on first start. I entered my user password. Upon restart the dreaded keyring popup appeared. I enabled gnome-keyring-daemon --start components=secrets and rebooted. Did not work.
I enabled gnome-keyring-daemon --start components=pkcs11 too for good measure, tried again, did not work.
Installed seahorse and still no change. But if I open seahorse I can see that there are 2 keyrings - login, which is open, and default, which is closed, although the keyring popup says that default is supposed to be opened with login.

The problem seems to be that lightdm doesn't use the default keyring but insists on it being called login. And that chromium decides to use the default keyring upon first start.
https://forum.manjaro.org/t/chromium-asks-to-sign-in-again-after-every-reboot/10907/17 wrote:
I created a new [user] account and signed in there. On the next reboot, it signed in automatically. It was perfect.
So, I installed “seahorse” to check the keys in the gnome-keyring. In this new account, all passwords were stored in “Login” keyring. While in my current account, there is a default keyring whose password is [not] in login keyring. All my passwords are in this default keyring. This was the only difference in the gnome-keyring.
[...]
There are two possibilities: on the first start of chromium for a user
it will either ask you to create a keyring [and use default] or
it will not ask you to create a keyring [and use login].
My old SolydX9 install even had the password for default in login but it still did not work. So I went ahead and moved the default keyring file in ~/.local/share/ away and again started chromium. Voila! The chromium keys got added to the login keyring. And the solution survived reboot. You can move the default keyring back afterwards so you can still look up the passwords stored in it.
I removed the gnome-keyring-daemon commands from startup and it still worked. Now, how to get chromium (and opera, vivaldi, whatever relying on chrome code) to behave like this from the get-go?

Since I've now "burnt" all my systems could somebody please try to create a file ~/.local/share/default with "login" as the only content?


Re: Gnome-keyring problems (with chromium) [partly solved]

Postby ilu » 19 Jul 2019 21:31

I installed the 0705 ISO trying to do further testing but gnome-keyring was not installed. When I installed it, lightdm did not create the login keyring, it seems that some setup is missing. I'm not in the mood to debug this now. Most users probably wouldn't be able to do so anyway. I can't test the issue with any of the latest SolydX10 ISOs.


Re: Gnome-keyring problems (with chromium) [partly solved]

Postby ilu » 23 Jul 2019 14:28

Argh, the nag screen turned up again on SolydX9 out of nowhere. Chrome is really buggy. I'll have to move the default keyring out of the way again. I just need to save the passwords somewhere.

Arjen Balfoort
Site Admin
Posts: 9223
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Gnome-keyring problems (with chromium) [partly solved]

Postby Arjen Balfoort » 23 Jul 2019 15:22

Obviously, SolydK does not have gnome-keyring. I would like to remove it as well from SolydX if we release it.
If users need it, they can install it manually.
Do you agree?


SolydXK needs you!
Development | Testing | Translations


Re: Gnome-keyring problems (with chromium) [partly solved]

Postby ilu » 23 Jul 2019 16:28

No, I don't agree. If you remove the keyring chromium will silently save passwords in plain text and that's a no-go for obvious security reasons. Also some programs might reinstall gnome-keyring as a dependency and then the problem is back.

The problem's cause is non-cooperation between chromium, lightdm and keyring. lightdm refusing to open the default keyring might be the root cause, actually. That's why it works on KDE. We need to set up the keyring correctly under xfce.

Edit: OK, I think I've got it. We need to set up the system like it was in SolydX9. Then we would have 4 files in ~/.local/share/keyrings/ : default, <localized-name-of-default>.keyring, user.keyring and login.keyring. We only need 2 of them: login.keyring and default. The only content of the file named "default" is the word login (instead of previously <localized-name-of-default>). This works on my SolydX9 system but it has changed too much over the years to be sure.

To test this on Solydx10 I need a SolydX10 ISO with gnome-keyring installed and configured the way it previously was. In the last 3 ISOs you have already removed gnome-keyring and I can't get it configured correctly. So please upload the next ISO with gnome-keyring back in and configured for lightdm.


Re: Gnome-keyring problems (with chromium) [partly solved]

Postby Arjen Balfoort » 23 Jul 2019 17:43

OK.
Install gnome-keyring
/etc/skel/.local/share/keyrings/default ("login" in it)
/etc/skel/.local/share/keyrings/login.keyring (any content?)

[EDIT]
gnome-keyring was installed from the beginning but I never configured it.



Re: Gnome-keyring problems (with chromium) [partly solved]

Postby ilu » 24 Jul 2019 18:47

I created the login.keyring with seahorse. Later chromium put its keys in there.

It was empty but probably not an empty file? I forgot to check. :facepalm: I created a new keyfile to check, and no - the file is not empty. It starts with GnomeKeyring and then some binary stuff. So it needs to be created as keyring. And you need to set a password which must be identical to the user's login password. On SolydX9 the keyring file with the correct password was created upon install but I have no idea how.

And include seahorse in standard install please. Makes it easier for users to see passwords and for us to debug problems. The EE already has it.


Re: Gnome-keyring problems (with chromium) [partly solved]

Postby Arjen Balfoort » 26 Jul 2019 13:26

I think I solved it by adding these files to solydx-system-adjustments-10:

/etc/skel/.local/share/keyrings/default

Code:

login

/etc/skel/.local/share/keyrings/login.keyring

Code:

[keyring]
display-name=login
ctime=1564139432
mtime=0
lock-on-idle=false
lock-after=false

I built an ISO, installed Chromium and Chromium didn't ask for a keyring password (keys were written in login.keyring).
Of course, this password-less configuration is not safe, but if people are concerned about that they can use Seahorse to change this behavior.

I'll post back if the ISOs are done uploading.



Re: Gnome-keyring problems (with chromium) [partly solved]

Postby ilu » 26 Jul 2019 15:22

This problem really bugs me. It should work with password and I'd like to test it.

Is solydxk-constructor still working like this viewtopic.php?f=9&t=774? It says "adapted ...2015" but still ...


Re: Gnome-keyring problems (with chromium) [partly solved]

Postby Arjen Balfoort » 26 Jul 2019 15:32

ilu wrote:
26 Jul 2019 15:22
Is solydxk-constructor still working like this viewtopic.php?f=9&t=774? It says "adapted ...2015" but still ...

No, it is less manual action (only installing software is done manually). I'll put that on my todo-list too.

I have tried to generate a keyring using secret-tool (libsecret-tools), python3-secretstorage and python3-keyring. Piping the login password to generate the keyring as I intended during installation does not prevent a window for the password from being opened. I found that too confusing: providing your password for login and again during installation (after the system has been copied to the target system). That's why I kept it with a password-less setup.

The ISOs just finished uploading: https://downloads.solydxk.com/nightly/



Re: Gnome-keyring problems (with chromium) [partly solved]

Postby Arjen Balfoort » 26 Jul 2019 17:54

ilu wrote:
26 Jul 2019 15:22
Is solydxk-constructor still working like this viewtopic.php?f=9&t=774? It says "adapted ...2015" but still ...

Done.


grizzler
Posts: 2139
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Re: Gnome-keyring problems (with chromium) [partly solved]

Postby grizzler » 30 Jul 2019 21:08

This lot is confusing.

ilu wrote:
We need to set up the system like it was in SolydX9.

But initially that was no different in SolydX 10, was it? There are no /etc/skel/.local/share/keyrings directories in any of the local build structures I have here (which includes unpacked 'stable' ISOs). Not in 9, not in 10 and not in the EEs (they just popped up there after the last update/upgrade run and I'm uncomfortable with it...).

Why would we need them now? Obviously something creates the keyrings directory plus contents on installation. How has whatever is doing that changed? It still worked the same way the last time I installed an EE (which was before .skel was changed).

I can't shake the feeling we're making matters worse/more complicated by adding /etc/skel/.local/share/keyrings.

Am I to understand that this login.keyring file, with those six plain text lines, will create a keyring that stores things unencrypted? If so, I will definitely need to find a way to remove this from the EEs (I haven't had time to build one yet and check - crazy busy right now...).
Frank

SolydX EE 64 - tracking Debian Testing


Re: Gnome-keyring problems (with chromium) [partly solved]

Postby Arjen Balfoort » 31 Jul 2019 06:31

I'd be happy to remove file:///home/arjen/dev/solydx-system-adjustments-11/srcetc/skel/.local/share/keyrings from solydx-system-adjustments-10 and 11 but users wanting to use Chromium (and other packages) will have to configure gnome-keyring manually.



Re: Gnome-keyring problems (with chromium) [partly solved]

Postby Arjen Balfoort » 31 Jul 2019 16:12

Looking into it further.

Code:

grep -r gnome_keyring /etc/pam.d

shows that gnome-keyring is configured in lightdm:

/etc/pam.d/lightdm:-auth optional pam_gnome_keyring.so
/etc/pam.d/lightdm:-session optional pam_gnome_keyring.so auto_start
/etc/pam.d/common-password:password optional pam_gnome_keyring.so

Code:

dpkg -S pam_gnome_keyring.so

returns:

libpam-gnome-keyring:amd64: /lib/x86_64-linux-gnu/security/pam_gnome_keyring.so

After installing and starting Chromium, Chromium asks for a keyring password (gave the same as login).
It creates a protected file: ~/.local/share/keyrings/Default_keyring.keyring

Logout and login - start Chromium. Chromium does not ask for a password.

I think this is designed behavior and not intended to be pre-generated.

Shall I remove the unprotected keyring from solydx-system-adjustments-10?
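
The PAM check from the post above as a reusable script; this is an added example, not part of the thread. It also expands `@include` lines so that the hook in common-password is found through the lightdm stack; the function names and the pam.d directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify the gnome-keyring PAM hooks
# that the grep in the post above looks for.
# Usage: sh check-keyring-pam.sh lightdm   (file name is arbitrary)

# Print the lines of service file $2 in pam.d directory $1, expanding @include.
pam_lines() {
    [ -f "$1/$2" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "@include "*) pam_lines "$1" "${line#@include }" ;;
            *)            printf '%s\n' "$line" ;;
        esac
    done < "$1/$2"
}

# Succeed if the stack has an uncommented pam_gnome_keyring.so line of type $3
# (auth, session or password) that also contains the optional argument $4.
has_hook() {
    pam_lines "$1" "$2" |
        grep -E "^-?$3[[:space:]].*pam_gnome_keyring\.so" |
        grep -q -- "${4:-pam_gnome_keyring}"
}

# Report missing hooks for service $2 in directory $1; return 1 if any is missing.
check_keyring_pam() {
    dir=$1 svc=$2 rc=0
    has_hook "$dir" "$svc" auth ||
        { echo "MISSING: auth hook (login password never reaches the keyring)"; rc=1; }
    has_hook "$dir" "$svc" session auto_start ||
        { echo "MISSING: session hook with auto_start (daemon not started at login)"; rc=1; }
    has_hook "$dir" "$svc" password ||
        { echo "MISSING: password hook (keyring password not kept in sync)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $svc has auth, session auto_start and password hooks"
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_keyring_pam /etc/pam.d "$1"; fi
```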



Re: Gnome-keyring problems (with chromium) [partly solved]

Postby grizzler » 31 Jul 2019 17:48

Arjen Balfoort wrote:
31 Jul 2019 16:12
I think this is designed behavior and not intended to be pre-generated.

Shall I remove the unprotected keyring from solydx-system-adjustments-10?

Well, I would. Ilu?
Frank


Re: Gnome-keyring problems (with chromium) [partly solved]

Postby ilu » 31 Jul 2019 22:25

The default file with "login" is definitely needed because of a lightdm quirk: lightdm expects the keyring to be named "login" while chrome expects "default". The default file is just a kind of symbolic link (which is usually used for localization - a standard symbolic link might also work, I don't know.). So that file is ok, chrome then uses the login.keyring which is what we want. The annoying "ask-every-time-bug" only happens if you have both keyrings separately.

But the "default" file should be the only content of the keyring directory delivered by the skeleton. The login keyring should be created on installation by pam. Our Arch users tell me it does that. And it must have done so at some point. I just can't get it to work. Although the configuration looks right, I checked the same lightdm stuff you did, Arjen. The problem is not chrome but somewhere in pam and lightdm which for some reason do not create the login.keyring as they should.

And to test further I'd have to look into modifying the ISO and I just did not find the time yet.

But yes, I think pre-installing an unprotected keyring is not ok. Maybe try just with the default file and no keyring? Worst case the user has to enter the correct password on first chromium usage. It would then set up the login.keyring (instead of default.keyring) and from then on things should work.

Although sometimes lightdm forgets to unlock the login.keyring on SolydX9 login :evil: - something's fishy with lightdm, especially after relog or wakeup. I haven't done enough testing to say whether that happens on SolydX10 too.
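
A way to inspect the keyring directory for the states discussed in this thread; this is an added example, not part of the thread or of SolydXK. It assumes what the posts report: `default` is a one-line text pointer, a password-protected keyring file starts with the bytes `GnomeKeyring`, and a file starting with `[keyring]` is the password-less plain-text form. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a gnome-keyring directory.
# Usage: sh audit-keyrings.sh ~/.local/share/keyrings   (file name is arbitrary)

# Print "encrypted", "plaintext" or "unknown" for one *.keyring file.
keyring_kind() {
    magic=$(head -c 12 "$1" 2>/dev/null | tr -d '\000')
    case "$magic" in
        GnomeKeyring) echo encrypted ;;
        "[keyring]"*) echo plaintext ;;
        *)            echo unknown ;;
    esac
}

# Print the keyring name stored in the "default" pointer (nothing if absent).
default_target() {
    [ -f "$1/default" ] || return 0
    head -n 1 "$1/default" | tr -d '\r\n'
}

# Report on every keyring in directory $1; return 1 if any is unprotected.
audit_keyrings() {
    dir=$1
    status=0
    target=$(default_target "$dir")
    if [ -z "$target" ]; then
        echo "INFO: no default pointer in $dir"
    elif [ ! -f "$dir/$target.keyring" ]; then
        echo "WARN: default points to '$target' but $target.keyring is missing"
    elif [ "$target" != login ] && [ -f "$dir/login.keyring" ]; then
        echo "WARN: '$target' and 'login' are separate keyrings (repeated-prompt case)"
    else
        echo "OK: default points to $target.keyring"
    fi
    for f in "$dir"/*.keyring; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$(keyring_kind "$f")" in
            encrypted) echo "OK: $name is password-protected" ;;
            plaintext) echo "FAIL: $name is a plain-text, password-less keyring"
                       status=1 ;;
            *)         echo "WARN: $name has an unrecognised format" ;;
        esac
    done
    return "$status"
}

if [ "$#" -gt 0 ]; then audit_keyrings "$1"; fi
```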


Re: Gnome-keyring problems (with chromium) [partly solved]

Postby Arjen Balfoort » 01 Aug 2019 05:55

Just for the heck of it, I tried your suggestion: I removed the default keyring and only left a plain text file called "default" and in it the word "login".

After I started Chromium, these binary files were created and no password was asked:
~/.local/share/keyrings/login.keyring
~/.local/share/keyrings/user.keystore

I am going to change solydx-system-adjustments-10 and build a new ISO to see if that works live as well.

[EDIT]
On reboot I could see in Seahorse that the Login keyring was open. Chromium did not ask for a password.



Re: Gnome-keyring problems (with chromium) [partly solved]

Postby Arjen Balfoort » 01 Aug 2019 07:31

I created an ISO with the new adjustments package.
I booted the live ISO and verified that only ~/.local/share/keyrings/default existed and had "login" as contents.
Then I installed and started Chromium.
It asked for a password and created a default keyring overwriting ~/.local/share/keyrings/default

I then installed the new ISO and booted into the new system.
I verified that only ~/.local/share/keyrings/default existed and had "login" as contents.
Then I installed and started Chromium.
It asked for a password and created a default keyring overwriting ~/.local/share/keyrings/default

I think we can assume that any pre-configuration is useless at the moment.
I will remove the keyring configuration and upload the new adjustments packages (10 and 11).



Re: Gnome-keyring problems (with chromium) [partly solved]

Postby ilu » 01 Aug 2019 19:40

Yeah, there is no logic in it. It sometimes works, sometimes not. Could you please upload the ISO with just the default file somewhere for me?

