
Idea: use hmac-secret to hook into the keyrings and open them (like when using pw) #283

Open
My1 opened this issue Jan 22, 2023 · 3 comments

Comments

@My1

My1 commented Jan 22, 2023

Is your feature request related to a problem?

When logging in with pam_u2f, both kdewallet and gnome-keyring pop up and ask for a password, as they obviously didn't get one from logging in.

Usually, when you log in and the keyring passwords are the same as your login password, the keyrings will just auto-unlock.

Describe the solution that you'd like

Ideally a solution that could, for example, leverage hmac-secret to provide some values to aid in the decryption.

Describe the alternatives that you've considered

I honestly don't know enough about PAM to think of a way this could work better, unless you go as far as setting the keystore password equal to the PIN and having the PIN redirected to the keyring (which is a bad idea, as I expect a PIN to generally be comparatively weak).

@LDVG (Contributor)

LDVG commented Jan 26, 2023

The login key ring appears to only support a single password (checked with GNOME keyring through seahorse), which means that we'd have to somehow unwrap the same secret for (the potential case of) multiple enrolled authenticators (e.g. if the user has a primary and backup device).

Additionally, allowing the user to also unlock the login key ring with their ordinary password means that the value we unwrap would have to be the password itself, bringing even more complexity (e.g. handling password changes) and potential side-effects in the PAM stack. All in all, these factors would make this feature quite complicated and a low priority.

Or is there something I'm missing?

FWIW, there are some related projects unlocking the key ring through other methods, see for example https://github.com/recolic/gnome-keyring-yubikey-unlock which relies on GnuPG.
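The comment above describes the core design problem: one keyring password, several enrolled authenticators, each producing a different hmac-secret output. The following is an added illustration of the usual way around that, written for this issue and not code from pam_u2f or any keyring project. It wraps the single keyring password once per authenticator, using each device's hmac-secret output as a key-encryption key, so that any one enrolled device can recover it. The authenticator is a constructed stand-in that computes the extension the way CTAP2 defines it (HMAC-SHA-256 of a per-credential random value over a 32-byte salt); the wrapping scheme (HKDF-derived keystream plus an HMAC tag, stdlib only) and the names `WrappedEntry`, `enroll` and `unlock` are assumptions for the example, not a proposal for the module's on-disk format.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a FIDO2 authenticator implementing the hmac-secret
# extension: each credential carries a random CredRandom, and the extension
# returns HMAC-SHA-256(CredRandom, salt) for a 32-byte salt chosen by the client.
class SimulatedAuthenticator:
    def __init__(self) -> None:
        self._cred_random = secrets.token_bytes(32)

    def hmac_secret(self, salt: bytes) -> bytes:
        if len(salt) != 32:
            raise ValueError("hmac-secret salt must be 32 bytes")
        return hmac.new(self._cred_random, salt, hashlib.sha256).digest()


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA-256 (extract, then expand to `length` bytes)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


@dataclass
class WrappedEntry:
    salt: bytes    # hmac-secret salt for this authenticator, stored in the clear
    nonce: bytes   # per-wrap nonce, so the same password wraps differently each time
    ct: bytes      # password XOR HKDF-derived keystream
    tag: bytes     # HMAC-SHA-256 over nonce||ct (encrypt-then-MAC)


def wrap(kek: bytes, salt: bytes, secret: bytes) -> WrappedEntry:
    """Wrap `secret` under the key-encryption key derived from one authenticator."""
    nonce = secrets.token_bytes(16)
    keystream = hkdf_sha256(kek, nonce, b"example-keyring/enc", len(secret))
    mac_key = hkdf_sha256(kek, nonce, b"example-keyring/mac", 32)
    ct = bytes(p ^ k for p, k in zip(secret, keystream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return WrappedEntry(salt, nonce, ct, tag)


def unwrap(kek: bytes, entry: WrappedEntry) -> bytes:
    """Verify the tag first, then recover the secret; raises on a wrong key."""
    mac_key = hkdf_sha256(kek, entry.nonce, b"example-keyring/mac", 32)
    expected = hmac.new(mac_key, entry.nonce + entry.ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, entry.tag):
        raise ValueError("wrong key or corrupted entry")
    keystream = hkdf_sha256(kek, entry.nonce, b"example-keyring/enc", len(entry.ct))
    return bytes(c ^ k for c, k in zip(entry.ct, keystream))


def enroll(authenticators: List[SimulatedAuthenticator], keyring_password: bytes) -> List[WrappedEntry]:
    """Wrap the one keyring password once per enrolled authenticator.

    A password change means re-running this with every device present, which is
    the operational cost the issue discussion points at.
    """
    entries = []
    for auth in authenticators:
        salt = secrets.token_bytes(32)
        # On real hardware this is a getAssertion carrying the salt; it requires
        # user presence (a touch) per device at enrollment time.
        kek = auth.hmac_secret(salt)
        entries.append(wrap(kek, salt, keyring_password))
    return entries


def unlock(auth: SimulatedAuthenticator, entries: List[WrappedEntry]) -> Optional[bytes]:
    """Return the keyring password if `auth` is an enrolled device, else None.

    A real implementation would key entries by credential id instead of trying
    every stored salt; the loop here keeps the example self-contained.
    """
    for entry in entries:
        try:
            return unwrap(auth.hmac_secret(entry.salt), entry)
        except ValueError:
            continue
    return None
```

Because the wrapped value is the password itself, the scheme inherits every weakness of that password once an attacker has both the entry file and a way to query the authenticator; the hmac-secret output only gates access, it does not replace the password as the keyring's key. That is the same observation made above about the value we unwrap having to be the password.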

@kaoneko

kaoneko commented Feb 6, 2023

EDIT: Never mind, I had probably locked my computer and unlocked it with the password at least once while messing around. I just tested it after a fresh reboot and while I don't get asked to unlock the keyring with my password immediately after logging in, it either silently unlocks the keyring when I lock my screen and unlock it with my password, or explicitly asks for the password to unlock the keyring when I do something it needs credentials from the keyring for (e.g. connect to my smartphone through FTP with saved credentials).

My keyring is simply accessible after logging in without a password, only YubiKey U2F. Am I missing something? I'm new to this.

I wanted to create single factor authentication using YubiKey FIDO, with optional fallback to my password.

I added this line to /etc/pam.d/common-auth before the other configuration lines:
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings pinverification=0 cue [cue_prompt=Touch the YubiKey to authenticate]

When I reboot, I'm able to login by touching the YubiKey (my home directory is not encrypted at the OS level, if that matters). When I run Passwords and Keys (/usr/bin/seahorse) it shows my keyring is unlocked.

I'm running Linux Mint 20.3. I compiled libpam-u2f from the source today.

@My1 (Author)

My1 commented Feb 13, 2023

> Or is there something I'm missing?

Honestly, no idea, but those seem to be valid arguments. I just knew that the keyring can auto-unlock and that it doesn't with pam-u2f, and just got the idea. I don't have any deep knowledge of the keyrings for KDE, GNOME or otherwise.

3 participants