Gnome-keyring problems (with chromium) [solved]

Posted: 19 Jul 2019 18:59
by ilu
The Chromium/keyring bug is a really old one that has bugged me for several years now (it keeps returning for whatever reason, but probably because our systems are missing some gnome integration). Proposed solutions:

1. Radical: uninstall gnome-keyring or sudo mv /usr/bin/gnome-keyring-daemon /usr/bin/gnome-keyring-daemon-old && sudo killall gnome-keyring-daemon

I'll rule out no 1 because some packages rely on gnome-keyring and will either fail on install or make the problem reappear.

2. provide an empty password to the keyring: https://www.ricksdailytips.com/prevent- ... th-ubuntu/

You don't bork security because of a misbehaving app.

3. edit the chromium desktop file to use basic password storage: https://ubuntuforums.org/showthread.php ... st13708937

--password-store=<basic|gnome|kwallet>
Set the password store to use. The default is to automatically detect based on the desktop environment. basic selects the built in, unencrypted password store. gnome selects Gnome keyring. kwallet selects (KDE) KWallet. (Note that KWallet may not work reliably outside KDE.)

No 2 and 3 work but are not desirable options if the user stores passwords in the browser. If we can't find another solution we should choose no 3 and investigate keepass/keepassxc.

4. Setting the keyring password to the login password - that way the keyring should be unlocked during login. But for some reason on our systems gnome-keyring doesn't get auto unlocked during login.

No 4 would be the best way to go but doesn't work on our systems because we are missing integral parts of gnome that might make this work.

Re: Gnome-keyring problems

Posted: 19 Jul 2019 19:00
by ilu
for XFCE Load ‘GNOME: password service’ (gnome-keyring-daemon --start components=secrets) at session start (session and startup GUI app?)
install ‘seahorse’ and set the same password as for your account for Chrome Safe Storage
SolydX9 settings have these entries but disabled. Testing now. SolydX10 doesn't have them.

Installing chromium in a VM resulted in a keyring popup on first start. I entered my user password. Upon restart the dreaded keyring popup appeared. I enabled gnome-keyring-daemon --start components=secrets and rebooted. Did not work.
I enabled gnome-keyring-daemon --start components=pkcs11 too for good measure, tried again, did not work.
Installed seahorse and still no change. But if I open seahorse I can see that there are 2 keyrings - login, which is open, and default, which is closed, although the keyring popup says that default is supposed to be opened with login.

The problem seems to be that lightdm doesn't use the default keyring but insists on it being called login. And that chromium decides to use the default keyring upon first start.
https://forum.manjaro.org/t/chromium-asks-to-sign-in-again-after-every-reboot/10907/17 wrote:
I created a new [user] account and signed in there. On the next reboot, it signed in automatically. It was perfect.
So, I installed “seahorse” to check the keys in the gnome-keyring. In this new account, all passwords were stored in “Login” keyring. While in my current account, there is a default keyring whose password is [not] in login keyring. All my passwords are in this default keyring. This was the only difference in the gnome-keyring.
[...]
There are two possibilities: on the first start of chromium for a user
it will either ask you to create a keyring [and use default] or
it will not ask you to create a keyring [and use login].
My old SolydX9 install even had the password for default in login but it still did not work. So I went ahead and moved the default keyring file in ~/.local/share/ away and again started chromium. Voila! The chromium keys got added to the login keyring. And the solution survived reboot. You can move the default keyring back afterwards so you can still lookup the passwords stored in it.
I removed the gnome-keyring-daemon commands from startup and it still worked. Now, how to get chromium (and opera, vivaldi, whatever relying on chrome code) to behave like this from the get-go?

Since I've now "burnt" all my systems could somebody please try to create a file ~/.local/share/default with "login" as the only content?

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 19 Jul 2019 21:31
by ilu
I installed the 0705 ISO trying to do further testing but gnome-keyring was not installed. When I installed it, lightdm did not create the login keyring, it seems that some setup is missing. I'm not in the mood to debug this now. Most users probably wouldn't be able to do so anyway. I can't test the issue with any of the latest SolydX10 ISOs.

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 23 Jul 2019 14:28
by ilu
Argh, the nag screen turned up again on SolydX9 out of nowhere. Chrome is really buggy. I'll have to move the default keyring out of the way again. I just need to save the passwords somewhere.

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 23 Jul 2019 15:22
by Arjen Balfoort
Obviously, SolydK does not have gnome-keyring. I would like to remove it as well from SolydX if we release it.
If users need it, they can install it manually.
Do you agree?

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 23 Jul 2019 16:28
by ilu
No, I don't agree. If you remove the keyring chromium will silently save passwords in plain text and that's a no-go for obvious security reasons. Also some programs might reinstall gnome-keyring as a dependency and then the problem is back.

The problem's cause is non-cooperation between chromium, lightdm and keyring. lightdm refusing to open the default keyring might be the root cause, actually. That's why it works on KDE. We need to set up the keyring correctly under xfce.

Edit: OK, I think I've got it. We need to set up the system like it was in SolydX9. Then we would have 4 files in ~/.local/share/keyrings/ : default, <localized-name-of-default>.keyring, user.keyring and login.keyring. We only need 2 of them: login.keyring and default. The only content of the file named "default" is the word login (instead of previously <localized-name-of-default>). This works on my SolydX9 system but it has changed too much over the years to be sure.

To test this on Solydx10 I need a SolydX10 ISO with gnome-keyring installed and configured the way it previously was. In the last 3 ISOs you have already removed gnome-keyring and I can't get it configured correctly. So please upload the next ISO with gnome-keyring back in and configured for lightdm.

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 23 Jul 2019 17:43
by Arjen Balfoort
OK.
Install gnome-keyring
/etc/skel/.local/share/keyrings/default ("login" in it)
/etc/skel/.local/share/keyrings/login.keyring (any content?)

[EDIT]
gnome-keyring was installed from the beginning but I never configured it.

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 24 Jul 2019 18:47
by ilu
I created the login.keyring with seahorse. Later chromium put its keys in there.

It was empty but probably not an empty file? I forgot to check. :facepalm: I created a new keyfile to check, and no - the file is not empty. It starts with GnomeKeyring and then some binary stuff. So it needs to be created as keyring. And you need to set a password which must be identical to the user's login password. On SolydX9 the keyring file with the correct password was created upon install but I have no idea how.

And include seahorse in standard install please. Makes it easier for users to see passwords and for us to debug problems. The EE already has it.

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 26 Jul 2019 13:26
by Arjen Balfoort
I think I solved it by adding these files to solydx-system-adjustments-10:
/etc/skel/.local/share/keyrings/default

Code:

login

/etc/skel/.local/share/keyrings/login.keyring

Code:

[keyring]
display-name=login
ctime=1564139432
mtime=0
lock-on-idle=false
lock-after=false

I built an ISO, installed Chromium and Chromium didn't ask for a keyring password (keys were written in login.keyring).
Of course, this password-less configuration is not safe, but if people are concerned about that they can use Seahorse to change this behavior.

I'll post back if the ISOs are done uploading.

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 26 Jul 2019 15:22
by ilu
This problem really bugs me. It should work with password and I'd like to test it.

Is solydxk-constructor still working like this viewtopic.php?f=9&t=774? It says "adapted ...2015" but still ...

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 26 Jul 2019 15:32
by Arjen Balfoort
ilu wrote:
26 Jul 2019 15:22
Is solydxk-constructor still working like this viewtopic.php?f=9&t=774? It says "adapted ...2015" but still ...
No, it is less manual action (only installing software is done manually). I'll put that on my todo-list too.

I have tried to generate a keyring using secret-tool (libsecret-tools), python3-secretstorage and python3-keyring. Piping the login password to generate the keyring as I intended during installation does not prevent a window for the password from being opened. I found that too confusing: providing your password for login and again during installation (after the system has been copied to the target system). That's why I kept it with a password-less setup.

The ISOs just finished uploading: https://downloads.solydxk.com/nightly/

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 26 Jul 2019 17:54
by Arjen Balfoort
ilu wrote:
26 Jul 2019 15:22
Is solydxk-constructor still working like this viewtopic.php?f=9&t=774? It says "adapted ...2015" but still ...
Done.

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 30 Jul 2019 21:08
by grizzler
This lot is confusing. ilu wrote:
We need to set up the system like it was in SolydX9.
But initially that was no different in SolydX 10, was it? There are no /etc/skel/.local/share/keyrings directories in any of the local build structures I have here (which includes unpacked 'stable' ISOs). Not in 9, not in 10 and not in the EEs (they just popped up there after the last update/upgrade run and I'm uncomfortable with it...).

Why would we need them now? Obviously something creates the keyrings directory plus contents on installation. How has whatever is doing that changed? It still worked the same way the last time I installed an EE (which was before .skel was changed).

I can't shake the feeling we're making matters worse/more complicated by adding /etc/skel/.local/share/keyrings.

Am I to understand that this login.keyring file, with those six plain text lines, will create a keyring that stores things unencrypted? If so, I will definitely need to find a way to remove this from the EEs (I haven't had time to build one yet and check - crazy busy right now...).

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 31 Jul 2019 06:31
by Arjen Balfoort
I'd be happy to remove file:///home/arjen/dev/solydx-system-adjustments-11/srcetc/skel/.local/share/keyrings from solydx-system-adjustments-10 and 11 but users wanting to use Chromium (and other packages) will have to configure gnome-keyring manually.

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 31 Jul 2019 16:12
by Arjen Balfoort
Looking into it further.

Code:

grep -r gnome_keyring /etc/pam.d

shows that gnome-keyring is configured in lightdm:

/etc/pam.d/lightdm:-auth optional pam_gnome_keyring.so
/etc/pam.d/lightdm:-session optional pam_gnome_keyring.so auto_start
/etc/pam.d/common-password:password optional pam_gnome_keyring.so

Code:

dpkg -S pam_gnome_keyring.so

returns:

libpam-gnome-keyring:amd64: /lib/x86_64-linux-gnu/security/pam_gnome_keyring.so

After installing and starting Chromium, Chromium asks for a keyring password (gave the same as login).
It creates a protected file: ~/.local/share/keyrings/Default_keyring.keyring

Logout and login - start Chromium. Chromium does not ask for a password.

I think this is designed behavior and not intended to be pre-generated.

Shall I remove the unprotected keyring from solydx-system-adjustments-10?
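
Added example (not part of the post above or of the SolydXK packages): a Python check that reads `grep -r gnome_keyring /etc/pam.d` output like the lines shown in the post and reports which pam_gnome_keyring hook is missing for a display manager. The sample input is constructed from that output, `parse_rules` and `missing_hooks` are names made up here, and the check assumes the rules sit in the service file itself rather than behind an @include.

```python
MODULE = "pam_gnome_keyring.so"

# Constructed sample in `grep -r` format (path:rule), modelled on the post above.
SAMPLE = """\
/etc/pam.d/lightdm:-auth optional pam_gnome_keyring.so
/etc/pam.d/lightdm:-session optional pam_gnome_keyring.so auto_start
/etc/pam.d/common-password:password optional pam_gnome_keyring.so
"""

def parse_rules(grep_output):
    """Return (service, type, module_args) for every active keyring rule."""
    rules = []
    for line in grep_output.splitlines():
        path, _, rule = line.partition(":")
        fields = rule.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank, malformed or commented-out rule
        # Locate the module by name so a bracketed control field with spaces
        # or a full module path does not shift the argument list.
        pos = next((i for i, f in enumerate(fields) if f.endswith(MODULE)), None)
        if pos is None:
            continue
        service = path.rsplit("/", 1)[-1]
        rules.append((service, fields[0].lstrip("-"), fields[pos + 1:]))
    return rules

def missing_hooks(grep_output, service="lightdm"):
    """List the keyring hooks that are absent for one display-manager service."""
    rules = parse_rules(grep_output)
    missing = []
    if not any(s == service and t == "auth" for s, t, _ in rules):
        missing.append("auth: login password is not passed on to unlock the keyring")
    if not any(s == service and t == "session" and "auto_start" in a
               for s, t, a in rules):
        missing.append("session auto_start: daemon is not started at login")
    if not any(t == "password" for _, t, _ in rules):
        missing.append("password: keyring password will not follow password changes")
    return missing

if __name__ == "__main__":
    print(missing_hooks(SAMPLE) or "all three hooks present")
```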

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 31 Jul 2019 17:48
by grizzler
Arjen Balfoort wrote:
31 Jul 2019 16:12
I think this is designed behavior and not intended to be pre-generated.

Shall I remove the unprotected keyring from solydx-system-adjustments-10?
Well, I would. Ilu?

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 31 Jul 2019 22:25
by ilu
The default file with "login" is definitely needed because of a lightdm quirk: lightdm expects the keyring to be named "login" while chrome expects "default". The default file is just a kind of symbolic link (which is usually used for localization - a standard symbolic link might also work, I don't know.). So that file is ok, chrome then uses the login.keyring which is what we want. The annoying "ask-every-time-bug" only happens if you have both keyrings separately.

But the "default" file should be the only content of the keyring directory delivered by the skeleton. The login keyring should be created on installation by pam. Our Arch users tell me it does that. And it must have done so at some point. I just can't get it to work. Although the configuration looks right, I checked the same lightdm stuff you did Arjen. The problem is not chrome but somewhere in pam and lightdm which for some reason do not create the login.keyring as they should.

And to test further I'd have to look into modifying the ISO and I just did not find the time yet.

But yes, I think pre-installing an unprotected keyring is not ok. Maybe try just with the default file and no keyring? Worst case the user has to enter the correct password on first chromium usage. It would then setup the login.keyring (instead of default.keyring) and from then on things should work.

Although sometimes lightdm forgets to unlock the login.keyring on SolydX9 login :evil: - something's fishy with lightdm, especially after relog or wakeup. I haven't done enough testing to say whether that happens on SolydX10 too.
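
Added example (not from any post in this thread, nor SolydXK code): a Python audit of a keyrings directory that tells the password-less text format (a `[keyring]` header, as in the skeleton file posted earlier) from the protected format (a file starting with `GnomeKeyring`), and resolves the `default` pointer file described above. The sample directory is constructed, the function names are made up here, and treating a non-login default as a finding follows the diagnosis given in this thread.

```python
import tempfile
from pathlib import Path

BINARY_MAGIC = b"GnomeKeyring"  # start of a protected keyring, as observed in the thread
TEXT_HEADER = b"[keyring]"      # start of the password-less text keyring posted earlier

def classify(path: Path) -> str:
    """Classify one *.keyring file by its leading bytes."""
    head = path.read_bytes()[:32]
    if head.startswith(BINARY_MAGIC):
        return "encrypted"
    if head.lstrip().startswith(TEXT_HEADER):
        return "plaintext"
    return "unknown"

def audit(keyring_dir) -> dict:
    """Return per-file formats, the keyring named by `default`, and findings."""
    d = Path(keyring_dir)
    files = {f.name: classify(f) for f in sorted(d.glob("*.keyring"))}
    findings = [f"{name}: password-less text keyring (unprotected)"
                for name, kind in files.items() if kind == "plaintext"]
    target = None
    pointer = d / "default"
    if pointer.is_file():
        target = pointer.read_text(errors="replace").strip()
        if f"{target}.keyring" not in files:
            findings.append(f"default names '{target}' but {target}.keyring is missing")
        if target != "login":
            findings.append(f"default keyring is '{target}', not the login keyring")
    else:
        findings.append("no default pointer file")
    return {"files": files, "default": target, "findings": findings}

def build_sample(d: Path) -> None:
    """Constructed sample: one protected-looking and one text keyring."""
    (d / "default").write_text("Default_keyring\n")
    (d / "login.keyring").write_bytes(b"GnomeKeyring\n\r\x00\n" + bytes(16))
    (d / "Default_keyring.keyring").write_text(
        "[keyring]\ndisplay-name=Default keyring\nlock-on-idle=false\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for line in audit(tmp)["findings"]:
            print(line)
```

Run `audit()` against `~/.local/share/keyrings` or `/etc/skel/.local/share/keyrings` to check a real profile or the skeleton shipped on an ISO.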

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 01 Aug 2019 05:55
by Arjen Balfoort
Just for the heck of it, I tried your suggestion: I removed the default keyring and only left a plain text file called "default" and in it the word "login".

After I started Chromium, these binary files were created and no password was asked:
~/.local/share/keyrings/login.keyring
~/.local/share/keyrings/user.keystore

I am going to change solydx-system-adjustments-10 and build a new ISO to see if that works live as well.

[EDIT]
On reboot I could see in Seahorse that the Login keyring was open. Chromium did not ask for a password.

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 01 Aug 2019 07:31
by Arjen Balfoort
I created an ISO with the new adjustments package.
I booted the live ISO and verified that only ~/.local/share/keyrings/default existed and had "login" as contents.
Then I installed and started Chromium.
It asked for a password and created a default keyring overwriting ~/.local/share/keyrings/default

I then installed the new ISO and booted into the new system.
I verified that only ~/.local/share/keyrings/default existed and had "login" as contents.
Then I installed and started Chromium.
It asked for a password and created a default keyring overwriting ~/.local/share/keyrings/default

I think we can assume that any pre-configuration is useless at the moment.
I will remove the keyring configuration and upload the new adjustments packages (10 and 11).

Re: Gnome-keyring problems (with chromium) [partly solved]

Posted: 01 Aug 2019 19:40
by ilu
Yeah there is no logic in it. It sometimes works sometimes not. Could you please upload the ISO with just the default file somewhere for me?