NM requires keyring password to connect to WEP/WPA network

Bug #34898 reported by sam tygier
This bug affects 4 people
Affects: NetworkManager | Status: Fix Released | Importance: Wishlist
Affects: network-manager (Ubuntu) | Status: Fix Released | Importance: Wishlist | Assigned to: Unassigned

Bug Description

network manager stores WEP keys in gnome keyring. this means it needs a password to be given to connect to a WEP network.

this seems like an unnecessary hassle.

there appears to be no way for NM to store WEP keys itself, or to grant it automatic access to the keyring

Dennis Kaarsemaker (dennis) wrote :

Upstream is planning to implement global configuration (ie: no more gnome-keyring) for 0.7

Changed in network-manager:
status: Unconfirmed → Confirmed

sam tygier (samtygier) wrote :

this is not a dupe of bug #35225.
bug #35225 is about NM asking for the WEP key again if it failed to connect.
this bug is about asking for the gnomekeyring password before making a connection.

Ketil Wendelbo Aanensen (ketilwaa-deactivatedaccount) wrote :

This also applies to getting WPA-keys of course.
I'm guessing that 0.7 will not (unfortunately) be in Dapper, seeing that 0.6 supposedly was a stretch.
Hoping for a patch then. Reason:
 if Network-manager is supposed to be more or less standard in Dapper, we should save users from having to punch in their password to let nm-applet connect. Network-manager is very good for laptops, and that means a lot of rebooting, which would make this problem *very* visible.

- Ketil

sam tygier (samtygier) wrote :

is gnome keyring scriptable? can something be made to unlock the keyring at log in?

j^ (j) wrote :

at http://www.hekanetworks.com/index.php/publisher/articleview/frmArticleID/25/staticId/31/ you can find a pam module that would unlock the default keyring with the user's login password during login. the problem is that this plugin requires pam>=0.99, which is not in ubuntu right now, so it's rather unlikely that this will make it into dapper. i am sure this will be in dapper+1 though.

Andrew Conkling (andrewski) wrote :

I just made a mess. I didn't see the link on the right side for the GNOME bug, and I couldn't find one on bugzilla, so I reported one, linked it here, and only then noticed the existing bug.

At this point, I marked this affecting upstream, so that the link is more centralized, and there are now two bugs linked on the right. I'd remove it if I knew how.

I guess it's just not my day. O_o

Changed in network-manager:
status: Confirmed → In Progress

Peter Meiser (meiser79) wrote : Re: Requires keyring password to connect to WEP network

pam_keyring 0.0.8 now also compiles with PAM >=0.77. And it works fine here.

Scott Robinson (scott-ubuntu) wrote :

Confirmed in edgy.

Brian Ross (bross-scu) wrote :

I also have this problem in Edgy. I love Network Manager, but I do think there is some work to do before it is perfected. I'd like it to have a WEP key manager in the program so that one could edit/delete/add/prioritize wireless networks stored on the machine.

mon (javiermon-deactivatedaccount) wrote :

Hi

Some thoughts ... since Feisty will support network roaming, this could become a great pain... imagine every time you roam having to enter your keyring key.

magilus (magilus) wrote :

Yeah, this can definitely confuse users (first they have to enter a keyring password two times, then they have to enter a keyring password every time they want to connect to an encrypted network; just compare this with winxp).

Feisty should probably ship with a modified n-m version, which has an extra checkbox in the dialogue asking for the network encryption key if the user has admin privileges:

[x] System wide encryption key

This should be preselected so that the key is being saved in a safe location, which is not world readable.

If it is not being selected, the current behavior should be used.

Sebastian Jürges (sjuerges) wrote : Re: Requires keyring password to connect to WEP/WPA network

Workaround: libpam-keyring ... isn't storing the key in a safe location (i.e. gnome-keyring) a better idea than creating another key store? libpam-keyring should be standard, and the keyring should have a definition (on a per-key basis) of which keys can be opened without a password and which need a special (i.e. more complicated) password.

Rick Seymour (mailinglists-rickseymour) wrote :

libpam-keyring works flawlessly (gutsy).
Once installed, you have to manually edit the file below to activate it.

From /etc/pam.d/gdm:
auth requisite pam_nologin.so
auth required pam_env.so
@include common-auth
# Insert the following line:
@include common-pamkeyring
@include common-account
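
The edit described in the comment above, as an added shell example that is not part of the thread or of libpam-keyring: it checks whether a PAM service file already carries the `@include common-pamkeyring` line and writes a modified copy for review instead of editing in place. The function names and the sample file are constructed for illustration; the ordering after `common-auth` is assumed from the excerpt above.

```shell
#!/bin/sh
# Added example, not from the thread: check or add the include line from the
# comment above, working on a copy because a broken PAM file can block logins.

# Print "missing", "misordered" or "present" for a PAM service file.
# Assumption: the include belongs after "@include common-auth", as shown above.
pamkeyring_state() {
    awk '
        $1 == "@include" && $2 == "common-auth"       { auth = NR }
        $1 == "@include" && $2 == "common-pamkeyring" { ring = NR }
        END {
            if (!ring)                    print "missing"
            else if (auth && ring < auth) print "misordered"
            else                          print "present"
        }' "$1"
}

# Write the file to stdout with the include added right after common-auth.
# Returns non-zero if there is no "@include common-auth" line to anchor on.
add_pamkeyring_include() {
    awk '
        { print }
        !added && $1 == "@include" && $2 == "common-auth" {
            print "@include common-pamkeyring"
            added = 1
        }
        END { exit (added ? 0 : 1) }' "$1"
}

# Constructed sample: the /etc/pam.d/gdm excerpt above without the new line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth requisite pam_nologin.so
auth required pam_env.so
@include common-auth
@include common-account
EOF

pamkeyring_state "$sample"
if [ "$(pamkeyring_state "$sample")" = "missing" ]; then
    add_pamkeyring_include "$sample" > "$sample.new"
    diff "$sample" "$sample.new" || true   # review the change before installing it
    pamkeyring_state "$sample.new"
fi
rm -f "$sample" "$sample.new"
```

Pass the path of any other service file as the argument to run the same check against it.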

Bryan Moore (moore-bryan) wrote :

hey rick...
does this work if one would change the /etc/pam.d/login file instead? i don't use gdm (or xdm/kdm for that matter).

Robert (ubuntu-10-rmn30) wrote :

Having to enter my password for the gnome keyring annoyed me so much that I patched the gnome nm-applet to just store the key in gconf with the rest of the network parameters. Pamkeyring is not a solution for me since I use passwordless login with gdm (I am very lazy).

Obviously this is somewhat lacking in terms of security, but if someone untrusted has access to my gconf settings I have more to worry about than my network key...

Franklin Bynum (frabyn) wrote :

This is fixed in Gutsy. libpam-gnome-keyring is a dependency of ubuntu-desktop, and fixes this problem. It works like a charm. Robert, perhaps that fixes your problem. Should this bug even remain open?

Robert (ubuntu-10-rmn30) wrote :

Hi Frank,

I'm guessing that libpam-gnome-keyring only works if you enter your password at the gdm login screen i.e. not if you configure gnome to do an autologin (I could be wrong -- don't have gutsy installed to check). Thus you will always have to enter at least one password before using encrypted wireless. This is a good thing in terms of security of course, and is probably appropriate for the default install.

On the other hand it doesn't really suit me, so I made a patch which gives more convenience at the expense of some security. Perhaps we could add an option to allow the applet to run in this less secure mode if the user requests it?

Thanks,

Robert

Franklin Bynum (frabyn) wrote :

Robert,

You're correct that using autologin requires you to enter a password to unlock.

This bug then perhaps could stay open, to represent the idea that NM using gnome-keyring to store this information may be less than ideal (under the assumption that passwordless logon to a computer connected via wireless is a goal of this distro). I don't know if the better answer is further changing libpam-gnome-keyring to include autologin or just changing NM entirely.

The former seems like the road already taken, and seems more desirable. Creating a process in NM to store encrypted passwords goes against some fundamental GNU/Linux principles. Interoperability and calling specific programs to do specific work still seems the best option.

Perhaps someone should file a bug against libpam-gnome-keyring to correct autologin behavior.

Bogdan Butnaru (bogdanb) wrote :

I can confirm that it doesn't work with autologin. There's a bug already filed, bug #137247

And I too would like NM to work without the keyring. I can appreciate why the keyring is a nice idea, but in practice I've had so many problems with it I resorted to keeping all my network passwords in a plain-text file on my desktop... If it's safe enough to keep SSH's private keys in a permissions-protected file in my home directory, why isn't that good enough for NM?

I know this is for another bug report, but it would be even greater if NM worked even when I'm _not_ logged in in X. I'm always having lots of trouble connecting to the wireless network when I'm in single user mode (eg, if I need to get a package to fix my system). Is that in the works?

Noam Samuel (noamsml) wrote :

Also, pam-keyring can fail if user changes password. Generally speaking, pam-keyring is a hack solution. It could work, but it just adds unnecessary complication for a mostly trivial security gain. There are things I'd encrypt using a keyring system, a network password isn't one of them.

Andrew Frank (frank-geoinfo) wrote : Re: [Bug 34898] Re: Requires keyring password to connect to WEP/WPA network

it works for me on gutsy! thanks for the improvement!

andrew

Alexander Sack (asac) wrote : Re: Requires keyring password to connect to WEP/WPA network

as the upstream bug points out, this will be fixed in network manager 0.7. Another option would be to automatically unlock the keyring during login ... but that should be dealt with in another place (not network manager).

Changed in network-manager:
status: Confirmed → In Progress

Scott Robinson (scott-ubuntu) wrote :

Fixed in gutsy with improvements all over the place.

Ketil Wendelbo Aanensen (ketilwaa-deactivatedaccount) wrote :

Using Gutsy as of three days ago.
I had automatic login set up, and had to enter password to connect to my wpa-secured network up to 10 times before it let me in. (That is, not the Gnome-keyring password, but the wpa-password) I know I used the right password, and the connection is strong. With autologin the network has not let me in without giving the password at least 5 times.
Disabling autologin gets me the same connection without other user input. Hasn't failed.
Rather weird.

Robert (ubuntu-10-rmn30) wrote :

I can confirm that there is something quite weird going on with autologin and network manager (gnome). I upgraded to gutsy from feisty and found I was prompted to enter the _keyring_ password (not network key) twice. Even after this there's no guarantee I'll have a network connection. Manually configuring the interface using iwconfig, wpa_supplicant and dhclient seems to work better.

Tormod Volden (tormodvolden) wrote :

The auto-login issues are bug #140755 or bug #137247.

I believe the original issue in this bug report is fixed, so I close it.

Changed in network-manager:
status: In Progress → Fix Released
Changed in network-manager:
status: In Progress → Fix Released

poppyer (gaofeng) wrote :

no luck, still this problem in the newest 9.10 release

cenora (cenora) wrote : Re: [Bug 34898] Re: Requires keyring password to connect to WEP/WPA network

Unbelievable. Will wait for version 10 to recheck.

On Fri, Oct 30, 2009 at 11:35 PM, poppyer <email address hidden> wrote:

> no luck, still this problem in the newest 9.10 release

Art (artem-skvira) wrote : Re: Requires keyring password to connect to WEP/WPA network

Still present in 9.10
2.6.31-15-generic #50-Ubuntu SMP

Tormod Volden (tormodvolden) wrote :

Please open a new bug. This bug has been closed a long time ago. There is probably another reason for the issues seen in 9.10.

Andrew (andrew-craucamp) wrote :

Four years later and this bug still exists. That is completely unacceptable.

Changed in network-manager:
importance: Unknown → Wishlist
summary: - Requires keyring password to connect to WEP/WPA network
+ NM Requires keyring password to connect to WEP/WPA network
summary: - NM Requires keyring password to connect to WEP/WPA network
+ NM requires keyring password to connect to WEP/WPA network