Technical Blog of Richard Hughes - Lock keyring on sleep?

Richard Hughes
Date: 2007-03-26 17:01
Subject: Lock keyring on sleep?
Security: Public
I got a comment mentioning it was a bad idea to lock the GNOME keyring on suspend and hibernate.

In 2-18 there was code added to unconditionally lock the keyring when we sleep, for security. This has the unfortunate side-effect of NetworkManager asking you for your WEP password when you resume (and probably disconnecting any network shares mounted over gnome-vfs).
I'm going to add a gconf variable in trunk, and possibly a configure option for 2-18 (as I agree it's annoying), but what should the default be? Is there any possible attack vector for not locking gnome-keyring?
Should this be in the UI? Users shouldn't really be touching gconf-editor...

Thanks for any help.



User: (Anonymous)
Date: 2007-03-26 18:27 (UTC)
Subject: GDM?
Is there any way gnome-keyring could be integrated with GDM and gnome-screensaver? The ideal case would be that logging into GDM or gnome-screensaver automatically will try to unlock your keyring using your login password. I don't see a lot of reason to have separate login and keyring passwords for the vast majority of users, and I personally just always use the same password for both.



Eugenia Loli-Queru
User: eugenia_loli
Date: 2007-03-26 18:31 (UTC)
Subject: keyring should not be locked
I made a bug report about this on ubuntu a few days ago. The keyring asks for its main password, not for the WEP password each time the laptop comes back from sleep. https://launchpad.net/ubuntu/+source/gnome-keyring/+bug/92436



User: Mathias Hasselmann [taschenorakel.de]
Date: 2007-03-26 18:45 (UTC)
Subject: pam_keyring!
Guess the problem you face here is lack of integration with PAM: Once PAM confirmed the user knows his password (either on logon or on resume), the keyring should be unlocked. Michael Petullo has a pretty PAM module called pam_keyring. IMHO key ring should ship and integrate this module by default.



Scott Robinson
User: quadhome
Date: 2007-03-27 00:13 (UTC)
Subject: Re: pam_keyring!
pam_keyring doesn't work with the screensaver.

It spawns a new process with the conversation password as the unlocking keyphrase.



Matthew Garrett
User: mjg59
Date: 2007-03-26 18:53 (UTC)
Subject: (no subject)
I think there are two cases here - one where the user selects screen locking, and one where they don't.

1) The screen is locked. In order to gain access to anything in gnome-keyring, the attacker has to know the user's password already. If they know that, they could simply log in and obtain the keyring password either through keyboard sniffing or popping up a fake dialogue.

2) The screen isn't locked. As above, except the attacker doesn't need to know the user's password.

Is there a case that I'm missing? I'm not clear on how locking the keyring actually provides any security...



Richard Hughes
User: hughsient
Date: 2007-03-26 19:36 (UTC)
Subject: (no subject)
>Is there a case that I'm missing?

I don't think so, and I agree with you - but I thought I would be a bit careful as it might be a security hole.

Richard.



Will Woods, Fedora Testing Guy
User: qa_rockstar
Date: 2007-03-26 21:26 (UTC)
Subject: (no subject)

I'm not sure how it's a security hole - the user has chosen to disable the "lock screen on suspend" behavior, and therefore I think the risk is theirs.

Currently we have two options:

  1. Lock screen on suspend
     i.e. require a password for the machine to work after it wakes. A secure default.
  2. Don't lock screen on suspend
     i.e. "I don't care, I just want everything to magically work again after the machine wakes up." A convenient optional choice.

By force-locking the keyring, you break the second option - it's now impossible to have the machine conveniently Just Work after it resumes. If this option is used at all, it should (IMHO) be configurable and set to 'off' by default.



Richard Hughes
User: hughsient
Date: 2007-03-26 21:31 (UTC)
Subject: (no subject)
>...it should (IMHO) be configurable and set to 'off' by default.

Yes, this is what I've committed to trunk and 2-18. Thanks for your comments.

Richard.



User: (Anonymous)
Date: 2007-03-28 01:33 (UTC)
Subject: (no subject)
gnome-keyring should follow the screen locking configuration option.



User: (Anonymous)
Date: 2007-03-28 03:49 (UTC)
Subject: (no subject)
So you have to type your password twice when you resume?



User: (Anonymous)
Date: 2007-03-26 18:59 (UTC)
Subject: lock?
Is there really a security risk, considering the screen is locked when you resume?



User: (Anonymous)
Date: 2007-03-26 20:04 (UTC)
Subject: Keyring can be a pain
Sometimes I use GDM sometimes I auto login. It's a pain that I then have to type in my password to unlock keyring. Even pam_keyring doesn't help in the case where I use GDM autologin. What's more annoying is that my WEP key is stored in the network config - NM only needs to do "ifup eth1" but instead it has to do the networking itself. The reason I find this strange is because when NM brings up my wired network (at work) it uses the static IP info from network settings.

As for the suspend/resume I think the default should be that the keyring stays open but the screen is locked if the user has passworded screensaver enabled. This is because suspend if used on a timer is essentially the same as a screensaver, and suspend when used on purpose will probably mean the user is carrying the computer somewhere and will be there to unsuspend.

Philip



User: joeshaw.org
Date: 2007-03-26 21:21 (UTC)
Subject: keyring unlocking
If the keyring is being locked on sleep, shouldn't the screen also be locked? If the screensaver kicks in and asks you to unlock when you resume, your password could then unlock the keyring. This assumes your keyring and login password are the same, and that you have pam_keyring. If not, your life is just hard anyway.

Another option is to store things like WEP passwords in a separate keyring with the same password and leave that keyring unlocked.



Adam Petaccia
User: mighmos
Date: 2007-03-26 23:56 (UTC)
Subject: (no subject)
Could one kludge be to have an extra parameter, "never lock", for some keys (like network manager)? Which can always be accessed once the keyring is initially unlocked?



User: (Anonymous)
Date: 2007-03-27 01:47 (UTC)
Subject: (no subject)
Some sensible way to manage passwords globally on a desktop system would be nice. Perhaps something can be done with PAM or PolicyKit to alleviate the situation.

Right now I have to keep track of:
- My password for login/GDM/screensaver
- My root password (It's arguable that a root account is even necessary...hopefully PolicyKit will fix this)
- Firefox's custom password manager for websites (I don't use it, but for completeness)
- Thunderbird's password manager (or Evolution)
- gpg-agent and ssh-agent (currently managed by keychain)
- gnome-keyring for Network Manager/Samba, and
- gpass (for everything else)

It would be nice if there was some intelligent way for these to work together. Once I authenticate, I should be able to do any of the above for a certain time without having to re-authenticate.



User: (Anonymous)
Date: 2007-03-27 07:12 (UTC)
Subject: System-wide Configuration in NM
That's a limitation of NetworkManager. System-wide Configuration is planned for NM 0.7

See http://live.gnome.org/NetworkManagerToDo



User: (Anonymous)
Date: 2007-03-27 14:08 (UTC)
Subject: Attacker retrieving credentials stored on disk when hibernating...
Copy/paste of a comment I added on bugzilla #375681:

Actually, it would maybe make sense to _clear_ the keyring instead of locking it, so that no credentials are stored in RAM anymore when we suspend/hibernate.

Else, I would expect it to be possible for somebody stealing the laptop to retrieve credentials by directly harvesting the raw disk data (in the partitions used to store what was in RAM when hibernating).

But gnome keyring may not be the only app needing such a cleanup: ssh-agent, thunderbird, firefox, Evolution (when not using gnome keyring), and probably others may want to be able to do this (think VPN application, encrypted filesystem...). Maybe having a generic hook mechanism would be nice (e.g. g-p-m could run all scripts present in /etc/g-pm/keycleanup and ~/.gnome/g-p-m/keycleanup/, or something similar) when doing a suspend or hibernate.

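The generic hook mechanism proposed in the comment above, sketched as an added example (not code from gnome-power-manager or from anyone in this thread): a runner that executes every hook in the given directories before suspend or hibernate and skips hooks that are symlinks, not executable, or writable by group or others. The function names and the HOOKS_* counters are assumptions for illustration; a hook could be a one-line script that calls `ssh-add -D`.

```shell
#!/bin/sh
# Added example (not gnome-power-manager code): run key-cleanup hooks before
# suspend or hibernate. The hook directories are the ones the comment proposes.

# hook_is_safe FILE: accept only a regular, executable, non-symlink file that
# is owned by root or the invoking user and is not group- or world-writable.
hook_is_safe() {
    [ -f "$1" ] && [ -x "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ldn "$1") in
        ?????w*|????????w*) return 1 ;;   # group or other write bit is set
    esac
    [ -O "$1" ] && return 0               # owned by the invoking user
    # The third field of `ls -ldn` is the numeric owner; also allow uid 0.
    set -- $(ls -ldn "$1")
    [ "$3" = 0 ]
}

# run_keycleanup ACTION DIR...: run every safe hook in each DIR in glob
# (sorted) order, passing ACTION ("suspend" or "hibernate") as its argument.
# Sets HOOKS_RUN, HOOKS_SKIPPED and HOOKS_FAILED; returns 1 if any hook failed,
# so the caller can decide whether to go ahead with the sleep.
run_keycleanup() {
    action=$1; shift
    HOOKS_RUN=0 HOOKS_SKIPPED=0 HOOKS_FAILED=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for hook in "$dir"/*; do
            [ -e "$hook" ] || continue    # empty directory: glob did not match
            if ! hook_is_safe "$hook"; then
                echo "keycleanup: skipping unsafe hook $hook" >&2
                HOOKS_SKIPPED=$((HOOKS_SKIPPED + 1))
            elif "$hook" "$action"; then
                HOOKS_RUN=$((HOOKS_RUN + 1))
            else
                echo "keycleanup: hook $hook failed" >&2
                HOOKS_FAILED=$((HOOKS_FAILED + 1))
            fi
        done
    done
    [ "$HOOKS_FAILED" -eq 0 ]
}

# Example call:
#   sh keycleanup.sh hibernate /etc/g-pm/keycleanup "$HOME/.gnome/g-p-m/keycleanup"
if [ "$#" -gt 0 ]; then run_keycleanup "$@"; fi
```

The permission check matters because these hooks run at a point where secrets are still in memory: a hook that another account can rewrite would run with the session user's access to them.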



User: zdzichu.openid.pl
Date: 2007-03-27 15:48 (UTC)
Subject: deliberate?
So this locking is on purpose? I thought that was some bug in Feisty. Good to know you've fixed that, thanks.



Paul Crowley
User: ciphergoth
Date: 2007-10-12 07:23 (UTC)
Subject: (no subject)
See

http://live.gnome.org/GnomeKeyring/Pam

gnome-screensaver can be configured via PAM to use the unlock passphrase to unlock the gnome keyring at the same time. This should be the default on e.g. new Ubuntu installs.


