TransWikia.com

Why is the gnome keyring not locked when the screen is locked?

Unix & Linux Asked by C0ldPlasma on November 26, 2021

I wanted to know whether the gnome keyring gets locked automatically when the screen gets locked, so I checked it with this command:

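# Watch GNOME ScreenSaver signals on the session bus and run gkey-check
# one second after every screen lock (true) or unlock (false) event.
dbus-monitor --session "type='signal',interface='org.gnome.ScreenSaver'" |
  while read -r x; do
    case "$x" in
      *"boolean true"*) sleep 1s; ./gkey-check;;
      *"boolean false"*) sleep 1s; ./gkey-check;;
    esac
  done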

gkey-check is a tiny C program from here (Check if Gnome keyring is unlocked?) that outputs the state of the keyring, either ‘locked’ or ‘unlocked’. With the above code, it gets executed once the screen is locked or unlocked.

When locking and then unlocking the screen I get ‘unlocked’ two times, which tells me the keyring is not automatically locked. In my opinion it should be default behavior to lock the keyring.

Interestingly, when I lock the keyring manually before locking the screen, it automatically unlocks the keyring when unlocking the screen again. So it unlocks the keyring automatically, but is not locking it.

Why is it not the default behavior to lock the keyring when locking the screen? (Fedora 32 Gnome 3.36)

One Answer

According to the gnome-keyring security philosophy, it aims to protect the user from "passive attacks", meaning attacks by an attacker who would not have access to the user session. It is integrated with PAM so that, by default, the keyring is unlocked upon login and is locked on logout or when the computer hibernates or suspends. The last point is aimed against "cold boot" attacks, though such attacks are still possible if the computer is turned off abruptly, i.e. without the user logging out properly.

When access to the computer system is no longer needed, the user can log out. Similarly, when the user locks the screen, the lock screen regulates immediate access to a device by requiring the user to enter the password. What is different is that when the screen is locked, the applications which were started by that user in that user's session can continue to operate in the background. Those applications may need access to the gnome-keyring, so locking the keyring on locking the screen may be contrary to what the user intends, with gnome-keyring standing in the user's way, which would be against its goals. By default, the keyring should become locked if the computer suspends or hibernates, which is consistent with gnome-keyring's goals because the applications do not run when the computer is suspended or hibernated and the machine is normally woken by the user, who logs into the desktop and so unlocks the keyring.

As to your observation that the keyring is unlocked on unlocking the screen, I think it is more related to how gnome-keyring is integrated with PAM. Some unlock routine for gnome-keyring is invoked in both cases: when the user logs in and when the user unlocks the screen, to make sure it is unlocked after suspension or hibernation. It might be that the same PAM routine is invoked, which doesn't make a difference between login and screen unlocking.

Answered by Roman Riabenko on November 26, 2021
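
The check from the question, reworked as an added example (not code from the question or the answer): it separates lock events from unlock events, reads the keyring state over the Secret Service D-Bus API instead of a helper binary, and can optionally lock the keyring when the screen locks. It assumes `busctl` (systemd) is installed and that the login keyring is the collection at the path in `COLLECTION`; the function names and the `LOCK_ON_SCREEN_LOCK` variable are made up for this example.

```shell
# Added example, not from the original post. Assumes busctl (systemd) and that
# the login keyring is the collection at the path below (an assumption).
COLLECTION=/org/freedesktop/secrets/collection/login

# Turn dbus-monitor output into "locked"/"unlocked" events. Only the boolean
# that follows an ActiveChanged header counts; other signals are ignored.
screen_events() {
  in_signal=0
  while IFS= read -r line; do
    case "$line" in
      signal*member=ActiveChanged*) in_signal=1 ;;
      signal*|method*|error*)       in_signal=0 ;;
      *"boolean true"*)  [ "$in_signal" = 1 ] && echo locked;   in_signal=0 ;;
      *"boolean false"*) [ "$in_signal" = 1 ] && echo unlocked; in_signal=0 ;;
    esac
  done
}

# Map `busctl get-property ... Locked` output ("b true"/"b false") to a word.
keyring_state() {
  case "$1" in
    "b true")  echo locked ;;
    "b false") echo unlocked ;;
    *)         echo unknown ;;
  esac
}

query_keyring() {
  keyring_state "$(busctl --user get-property org.freedesktop.secrets \
    "$COLLECTION" org.freedesktop.Secret.Collection Locked 2>/dev/null)"
}
lock_keyring() {
  busctl --user call org.freedesktop.secrets /org/freedesktop/secrets \
    org.freedesktop.Secret.Service Lock ao 1 "$COLLECTION" >/dev/null
}

# Run with "watch" to report the keyring state on each screen event; set
# LOCK_ON_SCREEN_LOCK=1 to also lock the keyring when the screen locks.
watch_screen() {
  dbus-monitor --session \
    "type='signal',interface='org.gnome.ScreenSaver',member='ActiveChanged'" |
  screen_events | while read -r ev; do
    [ "$ev" = locked ] && [ "${LOCK_ON_SCREEN_LOCK:-0}" = 1 ] && lock_keyring
    sleep 1
    echo "screen $ev, keyring $(query_keyring)"
  done
}

if [ "${1:-}" = watch ]; then watch_screen; fi
```

With `LOCK_ON_SCREEN_LOCK=1`, background applications in the session lose access to stored secrets while the screen is locked, which is the trade-off the answer describes.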
