<div dir="ltr"><div dir="ltr">On Tue, Jun 11, 2019 at 1:08 PM Josef Moellers <<a href="mailto:jmoellers@suse.de">jmoellers@suse.de</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
We have seen this problem: when you open a gnome-terminal, then the<br>
shell in that terminal will not have the same keyring (created by<br>
pam_keyinit.so) as the one e.g. in an xterm. This is due to the fact that<br>
the xterm is started by the standard fork/exec mechanism which passes<br>
the keyring down to the children and the gnome-terminal (actually<br>
gnome-terminal-server) is started by sending a dbus message to some<br>
instance which then starts the terminal process.<br>
<br>
AAMOF the gnome-terminal does not even have a keyring, so if one asks<br>
for it ("keyctl show @s"), it is created on the fly. This causes the<br>
kernel to create a keyring as a "user session keyring" while the GNOME<br>
session (and thus the xterm) has a "session keyring".<br>
<br>
Has anyone seen this and/or, most important question, does anyone have<br>
an idea how to solve this?<br>
<br>
I know that, strictly speaking, this is not a systemd question, but<br>
we're trying to probe many sources to see if anyone has a solution.<br>
<br></blockquote><div><br></div><div>IIRC the usual advice by Lennart is to use the user-wide @u keyring instead of session keyrings. (Programs searching in @s should automatically find credentials added to @u, as pam_keyinit creates the link by default.)</div><div><br></div><div>A few years ago I asked one affected kernel subsystem (cifs) to allow using @u. They had no interest in doing so. I have since then decided to just give up on being able to use cifs -o multiuser. (See also: GitHub issue regarding AFS PAGs.)</div></div><div><br></div>You could probably alter pam_keyinit.so to allow joining an existing session keyring (which is IIRC possible in the API). That way your graphical sessions (pam.d/gdm) would join the same @s created by the systemd --user instance (pam.d/systemd-user), which is the same one used by dbus-daemon.<br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Mantas Mikulėnas</div></div></div>
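<div>An added diagnostic for the situation described in the thread (it is not code from the thread, from systemd or from pam_keyinit): it classifies what <code>keyctl show @s</code> reports so you can tell whether a shell inherited the session keyring that pam_keyinit set up or only got the per-UID "user session keyring" the kernel creates on the fly, and whether two shells actually share one session keyring. The keyring names it matches are the kernel's own defaults: <code>_ses</code> for a session keyring joined without an explicit name (what pam_keyinit does), <code>_uid_ses.&lt;uid&gt;</code> for the automatically created user session keyring and <code>_uid.&lt;uid&gt;</code> for the user keyring. The two sample outputs, their serial numbers and UID 1000 are constructed for illustration, and the function names are mine.</div>

```shell
#!/bin/sh
# Added diagnostic, not code from this thread. Classifies the output of
# "keyctl show @s" so you can tell whether a shell got the session keyring
# set up by pam_keyinit (named "_ses" by the kernel when no name is given)
# or the per-UID "user session keyring" ("_uid_ses.<uid>") that the kernel
# creates on the fly when a process has no session keyring at all.

# Print the line describing the session keyring itself: in "keyctl show @s"
# output it is the first entry after the "Session Keyring" header.
session_keyring_line() {
    printf '%s\n' "$1" | sed -n '2p'
}

# Print the keyring's serial number (first field of that line).
session_keyring_id() {
    session_keyring_line "$1" | awk '{ print $1 }'
}

# Classify the session keyring by its kernel-assigned name.
classify_session_keyring() {
    case "$(session_keyring_line "$1")" in
        *"keyring: _uid_ses."*) echo "user-session-fallback" ;;  # kernel auto-created
        *"keyring: _ses"*)      echo "pam-session" ;;            # pam_keyinit default
        *"keyring: "*)          echo "named-session" ;;          # keyctl session <name>
        *)                      echo "unknown" ;;
    esac
}

# Exit status 0 if two "keyctl show @s" captures refer to the same session keyring.
same_session_keyring() {
    [ "$(session_keyring_id "$1")" = "$(session_keyring_id "$2")" ]
}

# Constructed samples (serials and UID 1000 invented for illustration):
# a shell under gnome-terminal-server that only got the kernel fallback ...
GNOME_TERMINAL_SAMPLE='Session Keyring
 110178291 --alswrv   1000 65534  keyring: _uid_ses.1000
 684842133 --alswrv   1000 65534   \_ keyring: _uid.1000'
# ... and a shell under xterm that inherited the pam_keyinit session keyring.
XTERM_SAMPLE='Session Keyring
 912345678 --alswrv   1000  1000  keyring: _ses
 684842133 --alswrv   1000 65534   \_ keyring: _uid.1000'

echo "gnome-terminal shell: $(classify_session_keyring "$GNOME_TERMINAL_SAMPLE")"
echo "xterm shell:          $(classify_session_keyring "$XTERM_SAMPLE")"
if same_session_keyring "$GNOME_TERMINAL_SAMPLE" "$XTERM_SAMPLE"; then
    echo "both shells share one session keyring"
else
    echo "the two shells are in different session keyrings"
fi

# On a live system, run the same check on real output:
#   classify_session_keyring "$(keyctl show @s)"
```

<div>Run it once from a shell started by gnome-terminal and once from an xterm in the same GNOME session; a <code>user-session-fallback</code> result in one and <code>pam-session</code> in the other, with differing serials, is exactly the split described above, and a process that only sees <code>_uid_ses.&lt;uid&gt;</code> will not find keys that were added to the real session keyring.</div>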