
entering a wrong password in xfce4-screensaver-dialog causes a gnome keyring to be created with the wrong password hash if the keyring didn't yet exist

I'm not entirely sure, but this might be a bug in xfce4-screensaver, and I'm unsure where else to file it although I have some ideas.

Components involved: lightdm, pam, xfce4-screensaver, gnome-keyring-daemon

Problem:

I get a gnome-keyring-daemon password prompt every time I log on to the Xfce desktop.

(A workaround and steps to reproduce are described below.)

Troubleshooting the problem led to the following insights. I'll summarize the most important points here:

This seems related to PAM interaction between xfce4-screensaver and gnome-keyring-daemon.

The unexpected thing here is that, if we enter the wrong password at the xfce4-screensaver password prompt, a keyring gets created with the wrong password (hash), and this happens if and only if at that moment the user who is running gnome-keyring-daemon does NOT yet have the login.keyring and user.keystore files in their $HOME/.local/share/keyrings directory.

This might happen if you use the lightdm autologon feature. If you do NOT use it, then a keyring will get created with the correct password (hash) when you log on to the desktop. However, if you do use lightdm's autologon feature, the keyring files may not exist yet, and that's when you can reproduce this bug, by simply locking your desktop session and entering the wrong password in the Xfce screensaver password prompt. More details below.

Steps to reproduce the problem:

Environment:

Fedora 39, Xfce Desktop, lightdm session desktop manager, lightdm autologon enabled, xfce4-screensaver installed, gnome-keyring installed

The lightdm 'autologon' part is important to be able to reproduce the bug. More on that below.

Steps:

  1. Rename or remove the $HOME/.local/share/keyrings directory.

  2. Reboot the system, then log on to the desktop, and verify that the directory from step 1 has been re-created AND does NOT contain files.

  3. Lock the Xfce desktop session.

  4. Enter the WRONG password, like 'asdf'. Make sure you can remember it.

  5. Then enter the correct password.

  6. Now the directory $HOME/.local/share/keyrings should contain these 2 files:

    • login.keyring
    • user.keystore

    Their modification timestamp correlates with these lines in /var/log/secure:

    May 16 20:37:58 host unix_chkpwd[7582]: password check failed for user (USERNAME)
    May 16 20:37:58 host xfce4-screensaver-dialog[7539]: pam_unix(xfce4-screensaver:auth): authentication failure; logname=USERNAME uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=USERNAME
    May 16 20:37:58 host xfce4-screensaver-dialog[7539]: gkr-pam: unlocked login keyring

    ... and with these messages in /var/log/messages:

    May 16 20:37:57 host systemd[1]: Starting fprintd.service - Fingerprint Authentication Daemon...
    May 16 20:37:57 host systemd[1]: Started fprintd.service - Fingerprint Authentication Daemon.
    May 16 20:37:57 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    May 16 20:37:58 host audit[7582]: USER_AUTH pid=7582 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 msg='op=PAM:unix_chkpwd acct="USERNAME" exe="/usr/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'

  7. If the log files did indeed look similar, you should now be able to reproduce the bug.

  8. Reboot the system. Now, the bug should present itself:

    After you log on to the desktop environment, you get a gnome-keyring-daemon password prompt.

    Entering your account's password does NOT work, gnome-keyring-daemon refuses to unlock the keyring. However, if you enter the "wrong" password that you remembered from step 4, the keyring is unlocked. Still, if you reboot the system, the password prompt will come back, and you can only unlock it if you enter the "wrong" password from step 4.
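The telltale sign in the log excerpt above is a pam_unix authentication failure immediately followed by "gkr-pam: unlocked login keyring" from the same xfce4-screensaver-dialog process. The following script is an added example (not part of the bug report, and not code from xfce4-screensaver or gnome-keyring) that checks the two preconditions described in the steps: it scans /var/log/secure-style lines for that failure-then-unlock sequence from one PID within a short window, and it tests whether the keyrings directory still lacks login.keyring and user.keystore. The sample log text is constructed from the lines quoted above; the two-second window and the assumption that the log uses the classic syslog timestamp format (no year) are my own.

```python
import re
from datetime import datetime, timedelta
from pathlib import Path

# Constructed sample in the /var/log/secure format quoted in the report:
# a pam_unix auth failure followed, in the same second, by gkr-pam reporting
# an unlocked login keyring from the same xfce4-screensaver-dialog process.
# The last line (a later unlock with no preceding failure) is added so the
# scan has something it must NOT flag.
SAMPLE_SECURE = """\
May 16 20:37:58 host unix_chkpwd[7582]: password check failed for user (USERNAME)
May 16 20:37:58 host xfce4-screensaver-dialog[7539]: pam_unix(xfce4-screensaver:auth): authentication failure; logname=USERNAME uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=USERNAME
May 16 20:37:58 host xfce4-screensaver-dialog[7539]: gkr-pam: unlocked login keyring
May 16 20:38:11 host xfce4-screensaver-dialog[7539]: gkr-pam: unlocked login keyring
"""

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message" (assumed format)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_secure(text):
    """Parse syslog-style lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        # The classic format carries no year; only time deltas matter here.
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def find_unlock_after_failure(text, window_seconds=2, service="xfce4-screensaver"):
    """Return gkr-pam keyring unlocks that follow a pam_unix auth failure from
    the same PID, for the given PAM service, within window_seconds.

    Each hit is {"pid": int, "failure": datetime, "unlock": datetime}.
    """
    fail_marker = f"pam_unix({service}:auth): authentication failure"
    window = timedelta(seconds=window_seconds)
    last_failure = {}  # pid -> timestamp of that PID's most recent auth failure
    hits = []
    for ev in parse_secure(text):
        if fail_marker in ev["msg"]:
            last_failure[ev["pid"]] = ev["ts"]
        elif ev["msg"].startswith("gkr-pam: unlocked login keyring"):
            failed_at = last_failure.get(ev["pid"])
            if failed_at is not None and timedelta(0) <= ev["ts"] - failed_at <= window:
                hits.append({"pid": ev["pid"], "failure": failed_at, "unlock": ev["ts"]})
                del last_failure[ev["pid"]]  # pair each failure with at most one unlock
    return hits


def keyring_files_missing(keyrings_dir):
    """True when the report's precondition holds: neither login.keyring nor
    user.keystore exists in keyrings_dir (a missing directory also counts)."""
    d = Path(keyrings_dir)
    return not any((d / name).is_file() for name in ("login.keyring", "user.keystore"))


if __name__ == "__main__":
    for hit in find_unlock_after_failure(SAMPLE_SECURE):
        delta = (hit["unlock"] - hit["failure"]).total_seconds()
        print(f"pid {hit['pid']}: keyring unlocked {delta:.0f}s after pam_unix auth failure")
    # On a real system, point this at the user's keyrings directory from the report.
    home_keyrings = Path.home() / ".local" / "share" / "keyrings"
    print("keyring files missing:", keyring_files_missing(home_keyrings))
```

To check a live system, feed the script the output of `journalctl -o short` or the contents of /var/log/secure instead of SAMPLE_SECURE; a hit while keyring_files_missing() was true at the time of the failure is exactly the situation the steps above reproduce.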

What's next:

Does this mean there's a bug in lightdm, or pam, or xfce4-screensaver, or gnome-keyring-daemon, or a combination?

I can only reproduce this bug if I have lightdm's autologon feature enabled. To be sure, I tested this scenario (steps):

  1. Disable lightdm's autologon feature.
  2. Remove the $HOME/.local/share/keyrings directory.
  3. Reboot.
  4. Then, enter the wrong password. You can't log on, as expected.
  5. However, now enter the right password.
  6. Re-enable lightdm's autologon feature.
  7. Reboot the system.
  8. Now observe the following: You will get a password prompt again, but this time you can only unlock it with the CORRECT password from step 5, as opposed to the WRONG password from step 4. That we get the password prompt at all is expected: because we have enabled autologon, gnome-keyring-daemon won't automatically unlock the keyring. But the fact that we can now unlock it with the CORRECT password means this scenario is different from the earlier scenario.

And that might lead to the following theory:

Perhaps this means that the bug is in xfce4-screensaver (in xfce4-screensaver-dialog)?

Workaround for now, until the bug is solved:

  1. Temporarily disable lightdm's autologon feature.
  2. Remove the $HOME/.local/share/keyrings directory.
  3. Reboot the system.
  4. Log on to the desktop by entering a password manually. This way the keyring files are created and can be unlocked with the proper password.
  5. Re-enable lightdm's autologin feature.
  6. Reboot again.
  7. Now the problem should be gone.