Bug#987298: gdm3: Fails to unlock GNOME keyring when multiple attempts were needed to unlock LUKS
Simon McVittie
smcv at debian.org
Fri Apr 30 11:28:26 BST 2021
Control: tags -1 + moreinfo
On Thu, 22 Apr 2021 at 09:37:19 +0100, Simon McVittie wrote:
> On Wed, 21 Apr 2021 at 08:33:01 +0200, intrigeri at debian.org wrote:
> > On LUKS-encrypted systems, by default the GNOME keyring is encrypted
> > using the LUKS passphrase typed on boot. pam_gdm unlocks the keyring
> > using that passphrase. So far, so good.
>
> Does testing this require any particular system configuration, for example
> enabling autologin in gdm, or having the logging-in user's Unix password
> be the same as the LUKS passphrase, or having LUKS v2 rather than LUKS v1?

Sorry, I can't work out how to get a system where the bug you reported
would even be relevant. At this stage in the release process I am reluctant
to apply changes that I can't test - please could you describe how I can?

Here are some attempts that I made to reproduce your setup:

- Configure a new VM in virt-manager
- Boot from firmware-bullseye-DI-rc1-amd64-netinst.iso
- Create uid 1000 named 'user' with password 'user'
- Use guided partitioning with encrypted LVM, setting passphrase 'luks'
- Install GNOME
- Reboot to installed system
- Power off without logging in
- Copy the disk image
- Restore copied disk image
- Log in to gdm as 'user' with password 'user'
- Run seahorse
- Lock login keyring
- Unlock login keyring
- Password 'luks' does not unlock it, as expected
- Password 'user' unlocks it, as expected
- Restore copied disk image
- Log in on console as root
- vi /etc/gdm3/daemon.conf, configure like this:

    [daemon]
    AutomaticLoginEnable = true
    AutomaticLogin = user

- Reboot
- Run seahorse
- No login keyring was created at all
- Restore copied disk image
- Log in on console as root
- vi /etc/gdm3/daemon.conf, configure like this:

    [daemon]
    TimedLoginEnable = true
    TimedLogin = user
    TimedLoginDelay = 5

- Reboot
- Run seahorse
- No login keyring was created at all

... and none of them seem to be using the LUKS passphrase to create a
gnome-keyring login keyring.

How do I get to a system configuration where pam_gdm matters?

Thanks,
smcv