Log in

No account? Create an account
Lock keyring on sleep? - Technical Blog of Richard Hughes

Richard Hughes
Date: 2007-03-26 17:01
Subject: Lock keyring on sleep?
Security: Public
I got a comment mentioning it was a bad idea to lock the GNOME keyring on suspend and hibernate.

In 2-18 there was code added to unconditionally lock the keyring when we sleep, for security. This has the unfortunate side-effect of NetworkManager asking you for your WEP password when you resume (and probably disconnecting any network shares mounted over gnome-vfs).
I'm going to add a gconf variable in trunk, and possibly a configure option for 2-18 (as I agree it's annoying), but what should the default be? Is there any possible attack vector for not locking gnome-keyring?
Should this be in the UI? Users shouldn't really be touching gconf-editor...

Thanks for any help.
Post A Comment | 19 Comments | | Link

User: (Anonymous)
Date: 2007-03-26 18:27 (UTC)
Subject: GDM?
Is there any way gnome-keyring could be integrated with GDM and gnome-screensaver? The ideal case would be that logging into GDM or gnome-screensaver automatically will try to unlock your keyring using your login password. I don't see a lot of reason to have separate login and keyring passwords for the vast majority of users, and I personally just always use the same password for both.
Reply | Thread | Link

Eugenia Loli-Queru
User: eugenia_loli
Date: 2007-03-26 18:31 (UTC)
Subject: keyring should not be locked
I made a bug report about this on ubuntu a few days ago. The keyring asks for its main password, not for the WEP password each time the laptop comes back from sleep. https://launchpad.net/ubuntu/+source/gnome-keyring/+bug/92436
Reply | Thread | Link

User: ext_29622
Date: 2007-03-26 18:45 (UTC)
Subject: pam_keyring!
Guess the problem you face here is lack of integration with PAM: Once PAM confirmed the user knows his password (either on logon or on resume), the keyring should be unlocked. Michael Petullo has a pretty PAM module called pam_keyring. IMHO key ring should ship and integrate this module by default.
Reply | Thread | Link

Scott Robinson
User: quadhome
Date: 2007-03-27 00:13 (UTC)
Subject: Re: pam_keyring!
pam_keyring doesn't work with the screensaver.

It spawns a new process with the conversation password as the unlocking keyphrase.
Reply | Parent | Thread | Link

Matthew Garrett
User: mjg59
Date: 2007-03-26 18:53 (UTC)
Subject: (no subject)
I think there's two cases here - one where the user selects screen locking, and one where they don't.

1) The screen is locked. In order to gain access to anything in gnome-keyring, the attacker has to know the user's password already. If they know that, they could simply log in and obtain the keyring password either through keyboard sniffing or popping up a fake dialogue.

2) The screen isn't logged. As above, except the attacker doesn't need to know the user's password.

Is there a case that I'm missing? I'm not clear on how locking the keyring actually provides any security...
Reply | Thread | Link

Richard Hughes
User: hughsient
Date: 2007-03-26 19:36 (UTC)
Subject: (no subject)
>Is there a case that I'm missing?

I don't think so, and I agree with you - but I thought I would be a bit careful as it might be a security hole.

Reply | Parent | Thread | Link

Will Woods, Fedora Testing Guy
User: qa_rockstar
Date: 2007-03-26 21:26 (UTC)
Subject: (no subject)

I'm not sure how it's a security hole - the user has chosen to disable the "lock screen on suspend" behavior, and therefore I think the risk is theirs.

Currently we have two options:

  1. Lock screen on suspend
    i.e. require a password for the machine to work after it wakes. A secure default.
  2. Don't lock screen on suspend
    i.e. "I don't care, I just want everything to magically work again after the machine wakes up." A convenient optional choice.
By force-locking the keyring, you break the second option - it's now impossible to have the machine conveniently Just Work after it resumes. If this option is used at all, it should (IMHO) be configurable and set to 'off' by default.
Reply | Parent | Thread | Link

Richard Hughes
User: hughsient
Date: 2007-03-26 21:31 (UTC)
Subject: (no subject)
>...it should (IMHO) be configurable and set to 'off' by default.

Yes, this is what I've committed to trunk and 2-18. Thanks for your comments.

Reply | Parent | Thread | Link

User: (Anonymous)
Date: 2007-03-28 01:33 (UTC)
Subject: (no subject)
gnome-keyring should follow the screen locking configuration option.
Reply | Parent | Thread | Link

User: (Anonymous)
Date: 2007-03-28 03:49 (UTC)
Subject: (no subject)
So you have to type your password twice when you resume?
Reply | Parent | Thread | Link

User: (Anonymous)
Date: 2007-03-26 18:59 (UTC)
Subject: lock ?
Is there really a security risk, considering the screen is locked when you resume ?
Reply | Thread | Link

User: (Anonymous)
Date: 2007-03-26 20:04 (UTC)
Subject: Keyring can be a pain
Sometimes I use GDM sometimes I auto login. It's a pain that I then have to type in my password to unlock keyring. Even pam_keyring doesn't help in the case where I use GDM autologin. What's more annoying is that my WEP key is stored in the network config - NM only needs to do "ifup eth1" but instead it has to do the networking itself. The reason I find this strange is because when NM brings up my wired network (at work) it uses the static IP info from network settings.

As for the suspend/resume I think the default should be that the keyring stays open but the screen is locked if the user has passworded screensaver enabled. This is because suspend if used on a timer is essentially the same as a screensaver, and suspend when used on purpose will probably mean the user is carry the computer somewhere and will be there to unsuspend.

Reply | Thread | Link

User: ext_38436
Date: 2007-03-26 21:21 (UTC)
Subject: keyring unlocking
If the keyring is being locked on sleep, shouldn't the screen also be locked? If the screensaver kicks in and asks you to unlock when you resume, your password could then unlock the keyring. This assumes your keyring and login password are the same, and that you have pam_keyring. If not, your life is just hard anyway.

Another option is to store things like WEP passwords in a separate keyring with the same password and leave that keyring unlocked.
Reply | Thread | Link

Adam Petaccia
User: mighmos
Date: 2007-03-26 23:56 (UTC)
Subject: (no subject)
Could one cludge be to have an extra perameter, "never lock" for some keys (like network manager)? Which can always be accessed once the keyring is initially unlocked?
Reply | Thread | Link

User: (Anonymous)
Date: 2007-03-27 01:47 (UTC)
Subject: (no subject)
Some sensible way to manage passwords globally on a desktop system would be nice. Perhaps something can be done with PAM or PolicyKit to alleviate the situation.

Right now I have to keep track of:
- My password for login/GDM/screensaver
- My root password (It's arguable that a root account is even necessary...hopefully PolicyKit will fix this)
- Firefox's custom password manager for websites (I don't use it, but for completeness)
- Thunderbird's password manager (or Evolution)
- gpg-agent and ssh-agent (currently managed by keychain)
- gnome-keyring to for Network Manager/Samba, and
- gpass (for everything else)

It would be nice if there was some intelligent way for these to work together. Once I authenticate, I should be able to do any of the above for a certain time without having to re-authenticate.
Reply | Thread | Link

User: (Anonymous)
Date: 2007-03-27 07:12 (UTC)
Subject: System-wide Configuration in NM
That's a limitation of NetworkManager. System-wide Configuration is planned for NM 0.7

See http://live.gnome.org/NetworkManagerToDo
Reply | Thread | Link

User: (Anonymous)
Date: 2007-03-27 14:08 (UTC)
Subject: Attacked retrieving credentials stored on disk when hibernating...
Copy/paste of a comment I added on bugzilla #375681:

Actually, it would maybe make sense to _clear_ the keyring instead of locking
it, so that no credentials are stored in RAM anymore when we suspend/hibernate.

Else, I would expect it possible to somebody stealing the laptop to retrieve
credentials by directly harvesting the raw disk data (in the partitions used to
store what was in RAM when hibernating).

But gnome keyring may not be the only app needing such a cleanup : ssh-agent,
thunderbird, firefox, Evolution (when not using gnome keyring), and probably
others may want to be able to do this (think VPN application, encrypted
filesystem...). Maybe having a generic hook mechanism would be nice (e.g.
g-p-m could run all scripts present in /etc/g-pm/keycleanup and
~/.gnome/g-p-m/keycleanup/, or something similar) when doing a suspend or

Reply | Thread | Link

User: zdzichu.openid.pl
Date: 2007-03-27 15:48 (UTC)
Subject: deliberate?
So this locking is on purpose? I thought that was some bug in Feisty. Good to know you've fixed that, thanks.
Reply | Thread | Link

Paul Crowley
User: ciphergoth
Date: 2007-10-12 07:23 (UTC)
Subject: (no subject)


gnome-screensaver can be configured via PAM to use the unlock passphrase to unlock the gnome keyring at the same time. This should be the default on eg new Ubuntu installs.
Reply | Thread | Link

my journal
April 2008