How to edit /etc/pam.d/sddm to unlock gnome-keyring at login

aliquo93 · 08-29-2021, 05:40 PM

Hi, I have Mailspring on Kubuntu 21.04, but every time I open it a popup appears asking the keyring password. After some research I found that the issue is that SDDM doesn't automatically unlock gnome-keyring at login (even with auto-login disabled), but it can be fixed by editing "/etc/pam.d/sddm" configuration file. I also know that editing that file wrongly can lock you out of your system, so I want to do it after being sure of what I am doing. This is the content of my sddm configuration file:

Code:

#%PAM-1.0

# Block login if they are globally disabled
auth    requisite       pam_nologin.so
auth    required        pam_succeed_if.so user != root quiet_success

# auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
# gnome_keyring breaks QProcess
-auth   optional        pam_gnome_keyring.so
-auth   optional        pam_kwallet5.so

@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional        pam_keyinit.so force revoke
session required        pam_limits.so
session required        pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional       pam_gnome_keyring.so auto_start
-session optional       pam_kwallet5.so auto_start

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required        pam_env.so

# Load environment from /etc/default/locale and ~/.pam_environment
session required        pam_env.so envfile=/etc/default/locale user_readenv=1

I see that gnome-keyring is already mentioned in 2 lines:

Code:

-auth   optional        pam_gnome_keyring.so

and

Code:

-session optional       pam_gnome_keyring.so auto_start

How can I edit it to make it unlock gnome-keyring at login? I just have to remove the "-" before those 2 lines or there is something else I have to do? Thanks in advance!

ondoho · 08-30-2021, 02:28 PM

Quote:

Originally Posted by aliquo93

I found that the issue is that SDDM doesn't automatically unlock gnome-keyring at login (even with auto-login disabled), but it can be fixed by editing "/etc/pam.d/sddm" configuration file.

Please do not edit that file unless you know 100% what you're doing.

Anyway, I'm not so sure this would help much.
Even if SDDM doesn't unlock your keyring, you should only have to enter the password once per session, and not every time elevated privileges are required.