-
-
Notifications
You must be signed in to change notification settings - Fork 294
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unlock the login keyring #438
Comments
Unfortunately this is unfixable at the moment, the keyring is secured with your password and without this password there is no way to unlock it. It's unfortunately a side effect of how the keyring works |
@boltgolt may I ask for your thoughts on the logic here? If this keyring is auto-unlocked when a user enters their login password from the login-screen, why can it not also be unlocked when a biometric login is provided? I assume the keyring password and the user password are one-and-the-same, else the same logic you state would also prevail? Is there is no configuration we can change to facilitate this? For example, enabling auto-login (IE logging in without a password) will also repreduce this exact behaviour in prompting the for the password. So, continuing this logic flow, we're basically saying that the howdy tool is a glorified auto-login, thats more secure than the default passwordless user auto-login? (Granted, IMO much more secure) In summary, are you saying that for a face login to unlock the keyring, then its the keyring tool that needs modifying? I'm prepared to look at it, so I'll take an educated guess as to whether its a configuration issue or hacking-come-code issue? |
Your first paragraph makes no sense to me. Your password is the encryption key to your keyring and you do not enter it when you log in with Howdy. There is no way around that specific issue. If you'd like you could set the keyring password to an empty string, but that does mean your keys are saved on disk in plain text. |
If this is the case, then howdy is pretty much useless. As @Nos78 mentioned, howdy is useless if it can not be used instead of entering a password. The readme begins with: After looking a little more closely at the issues, it seems that a high percentage have been about this fact. And they have been closed as duplicate of this one here. Seems that @Nos78 and me are not alone in expecting howdy to authenticate and authorize users. |
I agree, but there is no way howdy can unlock that. Keyring is encrypted using your password and it can't be decrypted differently than entering password. You could reconfigure your keyring tool to work somehow different so no password will be needed (you will have to think about replacement) or for example create a script that will unlock the keyring after login from saved somewhere password or something like that. The second solution is only a very not recommended and unsafe workaround. |
Oh wow this thread is a blast from the past! @boltgolt thanks for that answer—IIRC the password being used as the encryption key was the bit of the logic I'd overlooked; the first paragraph, in my original comment you responded to, that made no sense to you, was in reference to me being prompted for my Linux user password (or keyring password? I'm replying quickly here) when face recognition failed. And pondering the whole process, lead me to wonder why I could not "unlock" my keyring with a face recognition. I guess I'm not alone in wanting howdy to completely replace password entry. However, that doesn't make it (howdy) useless—it's only in accessing a keyring that it gets....messy... and I now understand why. The passwd is the encryption key. Therefore impossible. I do like blasts from the past! |
It's an issue basically all alternative single-factor PAM modules run into, if the keyring starts widely supporting TPMs then it would be a different story In its current state it's at least very useful to me personally, my laptop as of right now has 100+ days of uptime and I only had to type my password when I booted it. Since then Howdy has handled all my sudo prompts |
Totally agree... it was just that one area that it became, less than useful. A unique use case, otherwise like you, I only need to use password when my appearance changes significantly. Like when I grew a beard through total laziness. So much so, that when I needed to sign into my SMB share on a new PC. I almost content remember the darn password 😂 |
@boltgolt Sorry if this has been asked before. Is there a way to configure PAM to avoid using face authentication for login if the keyring is locked (i.e., during the first bootup), similar to how Android, with biometrics enabled, requires a PIN/password after a reboot? |
This is quite an issue for me - i tried using howdy, but due to keyring not getting unlocked, i have big issues:
It's quite the pain. I had to unfortunately uninstall howdy due to this issue :-( |
Hi.
Everything works smoothly in Howdy version 2.6.1 on Ubuntu 20.04.1.
The only thing is that when you log in to the system using Howdy for the first time, the OS prompts for your password because of the keyring.
I think solving it is a tough one because of OS security rules, but not prompting for a password improves the experience very much.
The text was updated successfully, but these errors were encountered: