2011/07/07

GNOME Keyring & Auto-login

What the hell is GNOME Keyring, anyway?

GNOME Keyring is a service and API used by GNOME programs to securely store various secrets, such as email or WiFi passwords.

See the GnomeKeyring page on GNOME Live.

Why am I being asked to unlock a "keyring"?

When you log in normally, the system gives the password you just entered to gnome-keyring, which then unlocks the login keyring.

When you have auto-login enabled, you don't enter any password, and gnome-keyring cannot unlock the keyring automatically. So it asks you to unlock it.

If you want to have auto-login and auto-unlock, you need to remove the keyring's password (set it to a blank one). This won't be a security risk, as you already have automatic login.

Changing the keyring password

Run the keyring manager seahorse (or Applications > Accessories > Passwords and Encryption keys if you use GNOME). Then open the Passwords tab. (Depending on Seahorse's version, it might be the first or the last tab.)


Now find the login keyring, right-click on it, and choose Change Password. Enter your old password into the Old password box, but leave the other two blank.


When asked about "unsafe storage", confirm. The warning appears because a keyring with a blank password is stored on disk unencrypted.

Now the passwordless keyring will be unlocked automatically.

But I have autologin disabled and it still doesn't work!

First, make sure your login and keyring passwords are exactly the same.

Then check if PAM is configured correctly. Look for lines containing pam_gnome_keyring.so in /etc/pam.d/:

# snipped
auth optional pam_gnome_keyring.so
session optional pam_gnome_keyring.so auto_start

On most distros, those lines go in /etc/pam.d/gdm for GDM (graphical login), and /etc/pam.d/login for tty login. The GnomeKeyring/Pam page on GNOME Wiki has some more information.

Ubuntu and Debian configure PAM automatically, and they put the module in /etc/pam.d/common-auth and /etc/pam.d/common-session, which are included by gdm, login and most other PAM configs. You can use this command to check all configurations at once:

grep -r gnome_keyring /etc/pam.d
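
The grep shows where the module is referenced, but not whether a given service ends up with both the auth and the session line. The script below is an added example, not part of the original post: it follows @include lines and reports both stacks for a service. The function names and the sample files are constructed for illustration.

```shell
# Added example: does a PAM service load pam_gnome_keyring.so for auth and session?

# Print the effective lines of a service file, expanding Debian/Ubuntu
# "@include" lines; comments and blank lines are dropped.
pam_lines() (
    dir=$1 svc=$2 depth=${3:-0}
    [ -r "$dir/$svc" ] || exit 0
    [ "$depth" -lt 5 ] || exit 0          # guard against include loops
    while read -r line || [ -n "$line" ]; do
        case $line in
            '#'*|'') ;;
            @include*) set -- $line; pam_lines "$dir" "$2" $((depth + 1)) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$dir/$svc"
)

# Print "<service>: auth=... session=..."; succeed only if both are "ok".
check_keyring_pam() (
    dir=$1 svc=$2 auth=missing session=missing
    mod='[[:space:]].*pam_gnome_keyring\.so'
    lines=$(pam_lines "$dir" "$svc")
    if printf '%s\n' "$lines" | grep -Eq "^-?auth$mod"; then auth=ok; fi
    if printf '%s\n' "$lines" | grep -Eq "^-?session$mod"; then
        session=no_auto_start             # loaded, but without auto_start
    fi
    if printf '%s\n' "$lines" | grep -Eq "^-?session$mod.*auto_start"; then
        session=ok
    fi
    echo "$svc: auth=$auth session=$session"
    [ "$auth" = ok ] && [ "$session" = ok ]
)

# Constructed sample tree (not real system files): "gdm" gets the module via
# common-* includes; "login" lacks the auth line and auto_start.
make_sample() (
    d=$(mktemp -d) || exit 1
    printf 'auth optional pam_gnome_keyring.so\n' > "$d/common-auth"
    printf 'session optional pam_gnome_keyring.so auto_start\n' > "$d/common-session"
    printf '@include common-auth\n@include common-session\n' > "$d/gdm"
    printf '# tty login\nsession optional pam_gnome_keyring.so\n' > "$d/login"
    echo "$d"
)

# Demo on the sample tree; for a real system: check_keyring_pam /etc/pam.d gdm
sample=$(make_sample)
for s in gdm login; do check_keyring_pam "$sample" "$s" || true; done
rm -rf "$sample"
```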