Bug#532088: libpam-gnome-keyring: Dont be selfish unlock gnome-keyring for other auth methods.

Mateusz Kaduk mateusz.kaduk at gmail.com
Sun Jun 7 08:58:18 UTC 2009


2009/6/7 Josselin Mouette <joss at debian.org>:
> You seem to be completely unaware of how gnome-keyring works. To unlock
> the keyring, which is stored encrypted on disk, you need a master
> password; this password is your login password. Being able to unlock the
> keyring without a password would mean it wouldn’t be encrypted, which
> would be completely idiotic.

Typing the password over and over each time you log in, i.e. using a
finger reader, is that less idiotic?

I have read how gnome-keyring works before. Maybe it's the wrong design?
I think it shouldn't use the login password to unlock the keyring but a
custom generated key, which could be stored in such a way that only the
pam-gnome-keyring module can access it. Then, if the previous module
succeeded, just unlock the database with that key.

That would solve the conflict with all authentication modules and the
future ones that are going to be implemented in the PAM platform. Also,
the gnome-keyring password doesn't have to be the same as the login one.

> For some of the authentication schemes, like USB dongles, it would be
> possible to unlock the keyring, but given how PAM works, you’d have to
> implement it in pam_gnome_keyring as well. For them, patches are welcome
> of course. For others, like fingerprints or bluetooth, it would be
> stupid so it won’t be implemented.

All the mentioned authentication modules do the same job and have the
same problem when used with pam-gnome-keyring. It's not stupid to suggest
another solution that fixes most of the problems with the
pam-gnome-keyring module.






More information about the pkg-gnome-maintainers mailing list