Gnome-keyring - unlocked

[fehlix]

ps: I set to automatically login, this has something to do with asking for password?

Yes, with auto-login enabled you would need to manually unlock the login-keyring.

[michaelbr]

Yes, with auto-login enabled you would need to manually unlock the login-keyring.

Thanks so much for your patience and feedback.

[Duliwi]

I have made the following experiment. My question is: Is this the normal behaviour?

1. I use auto-login
2. I have one key-ring. It is default and has auto unlock when I log me in manually.

Now I have made this:
0. the default key-ring is unlocked.
1. Added an additional key-ring. Name "experiment", password: "123456"
2. in Seahorse: locked the key-ring "experiment"
3. unlocked the key-ring "experiment"
4. entered the password "123456"
5. checked the text: "Automatically unlock this key ring when logging in"
6. both key-rings are unlocked now
7. log out. log in. (NOT a new boot)
8. My expectation was, that now both key-rings are unlocked. But only the default key-ring is unlocked.

Is this as it should be?

9. Now I open Seahorse
10. try to unlock the key-ring "experiment"
11. -> This works without asking for any password


Is this the way it should work?

Thank you.

Edit: The behaviour is the same, after having added a new password entry into the key-ring "experiment".

[fehlix]

I have made the following experiment. My question is: Is this the normal behaviour?

1. I use auto-login
2. I have one key-ring. It is default and has auto unlock when I log me in manually.

Now I have made this:
0. the default key-ring is unlocked.
1. Added an additional key-ring. Name "experiment", password: "123456"
2. in Seahorse: locked the key-ring "experiment"
3. unlocked the key-ring "experiment"
4. entered the password "123456"
5. checked the text: "Automatically unlock this key ring when logging in"
6. both key-rings are unlocked now
7. log out. log in. (NOT a new boot)
8. My expectation was, that now both key-rings are unlocked. But only the default key-ring is unlocked.

Is this as it should be?

9. Now I open Seahorse
10. try to unlock the key-ring "experiment"
11. -> This works without asking for any password


Is this the way it should work?

Thank you.

Edit: The behaviour is the same, after having added a new password entry into the key-ring "experiment".

Yes, the one keyring which is a the "login" keyring (regardless of the names shown) will be unlocked at login.
The login-keyring can only be unlocked at login, when both user-login-password and the password of the login-kyring are identical. Now, the login keyinring can hold normal passwords but also passwords from other keyrings.
Liek in you example the "experiment" keyring it protected by it's own password. But you was prompted with the question "Automatically unlock this key ring when logging in", and by accepting it, the system stored the password of the experiment-keyring into the login-keyring. What happens: As soon as an application ( or you manually) try to access the "experiment"-keyring it checks whther this can be automtically unlocked. It can, as long as you have stored it password with the login-keyring. Try to remove the experiment-password from the login-keyring, and it will not unlock anymore without entering the correct experiment-password.

[Klare Sache und damit hopp!]

[Duliwi]

Thank you @fehlix

... you was prompted with the question "Automatically unlock this key ring when logging in", and by accepting it, the system stored the password of the experiment-keyring into the login-keyring.

Indeed. I did not realise that until now.

[LibertyLinux]

As far as I can tell this guide allows me to not have to enter my login password of the PC whenever I use Thunar to connect to my local nas. I still have to enter the login to the nas however so I'm not quite sure how exactly useful it really is at this time. I spent 20m trying to understand the 1st post, which btw should be upodated (libpam-gnome-keyring does not need to be installed anymore), and was trying to autologin to the nas with no success.

When I first unlocked the "Login" ring it added an entry for the nas and I hadn't even logged into it yet. VERY confusing.
I created a 2nd keyring to correspond to the nas but that is also confusing. Is the name the address because the only other option is the password?, and of course the "automatically log me in" option does nothing, because it simply doesn't.
Very confusing. 30 m later and now under the 'default' "Login" keyring I have 2 entries: one titled admin@mynas.local, and the other "Unlock password for: smb://admin@mynas.local/. Yet if I log out and back in (Login is unlocked) it prompts me to enter the nas login credentials. Seriously?

If it's unlocked does this mean it automatically stores passwords because automatically logging in isn't working. OR, do I have to create a send ring to incl. the nas that specifically states autologin (didn't work before???)
Like I said, networking is not my forte. I may as well delete what I did cause having to type my login and the nas credentials is simpler than spending 30m trying to figure out seahorse and getting nowhere.

After logging out and in 5 times, and after rebooting 5 times, all I can figure is to simply unlock the "Login" keyring, login to nas (this creates a key entry) and tell it to remember forvever, create a second keyring for nas titled admin@mynas.local and call it a day. I still have to login to the nas on reboots. Logging in and out is simply entering the password which I was trying NOT to do. On boot It STILL makes me login to the nas. USELESS OMG
Seahorse is more like an exercise (a futile one) in entering passwords and rebooting.
Back to square 1. Only difference is I'm logged in, I'm logged into nas, and the "Login" keyring is unlocked with zero entries. No matter what I try it asks me to login to the nas EVERY SINGLE TIME I reboot. I seriously cannot believe it won't allow thunar to login by itself. Who knows whatever

[fehlix]

It works here out of the box. Actually just tested with my NAS using with ftp or smb protocoll and on MX 19.4. LiveISO.
The easiest to test and find the culprit might be, boot from latest LiveISO/USB. As it defaults to autologin
do logout/login to have a login-keyring generated. The way I'm testing is just by booting VirtualBox with networkbridge and attached MX LiveISO. And it stores credentials for both NAS-ftp and NAS-smb.
To start from scratch just remove the existing keyrings ( rm ~/.local/share/keyrings/* )
and logout login again.
If still not working you might consider to give more details. Or if something not yet clear, do formulate it as a specific question, which I can understand and potentially find an answer.

[LibertyLinux]

Thanks. I remember, not even sure exactly when, but I had checked a gnome-keyring? box in the boot/sessions dialog one time and then on reboot it asked for a keyring password (3rd password?) you enter only once per session, I think, I really don't remember. I did not have a nas or network then. If I check the last box in sessions, some keyring thing, I do not get any prompts after booting that anything has changed. I'm aware of having a keyring password but do not want to have an arbitrary time at which it pops up. If I need to, or it's useful to use it, I want it to be the very next thing I do after I login to password safe when booting. Shoots I don't really know what the keyring does (for me) at this point. I can't quite figure out the seahorse nonsense.

I literally had 2 "login" keyrings going at once when I checked seahorse yesterday and deleted one. I did not mess with seahorse at all as I had 'reset' it and it just created a 2nd entry all on it's own. Could be my network config. I'm running a wireguard vpn but I generally connect to the same ap using the same browser, thunar, or DC, though either works (the nas has it's own AP). The nas does use a website cert but I'm not sure that has anything to do with seahorse stuff lol.
Once your login keyring creates entries do you lock it, reboot, and are then prompted for the keyring password? As far as I know I have never created one on this device. I was running it unlocked. Please excuse me if It's confusing because it really is. A simple one time per session entry to NOT have to constantly enter a network login would be great. And why if I hadn't even connected to my nas would editing the blank login keyring automatically populate it with my nas entry? That makes no sense at all. Unless the data is hidden of course.

[fehlix]

Thanks. I remember, not even sure exactly when, but I had checked a gnome-keyring? box in the boot/sessions dialog one time and then on reboot it asked for a keyring password (3rd password?) you enter only once per session, I think, I really don't remember. I did not have a nas or network then. If I check the last box in sessions, some keyring thing, I do not get any prompts after booting that anything has changed. I'm aware of having a keyring password but do not want to have an arbitrary time at which it pops up. If I need to, or it's useful to use it, I want it to be the very next thing I do after I login to password safe when booting. Shoots I don't really know what the keyring does (for me) at this point. I can't quite figure out the seahorse nonsense.

I literally had 2 "login" keyrings going at once when I checked seahorse yesterday and deleted one. I did not mess with seahorse at all as I had 'reset' it and it just created a 2nd entry all on it's own. Could be my network config. I'm running a wireguard vpn but I generally connect to the same ap using the same browser, thunar, or DC, though either works (the nas has it's own AP). The nas does use a website cert but I'm not sure that has anything to do with seahorse stuff lol.
Once your login keyring creates entries do you lock it, reboot, and are then prompted for the keyring password? As far as I know I have never created one on this device. I was running it unlocked. Please excuse me if It's confusing because it really is. A simple one time per session entry to NOT have to constantly enter a network login would be great. And why if I hadn't even connected to my nas would editing the blank login keyring automatically populate it with my nas entry? That makes no sense at all. Unless the data is hidden of course.

OK, I may see some confusion.
Note Seahorse is just a tool for viewing/accessing all kinds of keyrings like pgp/gpg and also gnome-keyrings and some more.
You can even uninstall seahorse, it would not change the functionality of the login-keyring mechanism.
Further, to make auto-unlock gnome-keyring working: not the user but the pam-authentication plugin will create a login-keyring at first login, when no login-keying is available. A user cannot create a "login"-keying only PAM can do.

Please do this, to make/check login-keyring mechanism works:
-> Close "all" apps.
-> Remove all keyrings/files under ~/.local/share/keyrings
-> logout and login from the X-session.
Check pam has create a new keyring:

Code: Select all

ls -l  ~/.local/share/keyrings

Now open any app, which is known to use the login keyring.
E.g. some chromium based browser, like vivaldi, chrome/chromium do save a "master" key into gnome-keyring.
check with seahorse those app#s just created an entry

Code: Select all

seahorse

In case you auto-login, no login keyring would have been created or opened/unlocked, and the app trying save something into a keyring would trigger to create a new keyring, which you might now have to always enter a password to get opened.

[LibertyLinux]

I believe that did the trick. I deleted the default "Login" ring (it then listed 12 keyrings when before it was 16), logged out & in. When I went to login to my nas it wanted to create a new keyring password. If you can believe this, I'd been using my actual login every time it would ask for a password (it never asked to create a new keyring password for some reason-maybe I missed it), so deleting everything worked. Finally. At least now my 3 passwords are working as they should be and most importantly I'm not using my login password as the keyring password.
Thank you so much sir.
MX ROXS! as usual