Automatically unlocking the 'login' keyring when the user changes their password outside of the passwd command

Hello! We use GNOME Keyring with automatic ‘login’ keyring unlocking when users log in. We also use SSSD for Active Directory integration.
The problem is that users change their AD passwords through third-party services (e.g., an ADFS web UI), which is the preferred method. They rarely, if ever, use passwd.
What is the best way to unlock the ‘login’ keyring when a user changes their password through a third-party service, or how can this be implemented?


IIUC, if the login password is changed outside the scope of PAM / gnome-keyring etc., the login keyring unlock would fail while logging in with the new password.

I believe this is a generic question, and not specific to GNOME keyring.

How is this scenario handled in other keyring daemons / managers?

IIUC, if the login password is changed outside the scope of PAM / gnome-keyring etc., the login keyring unlock would fail while logging in with the new password.

Yes, that’s what I mean.

I believe this is a generic question, and not specific to GNOME keyring.

I’m interested in GNOME Keyring. It’s not very usable for corporate environments right now, but we use GNOME as our primary desktop environment. After users change their passwords, they have to enter the previous one. However, since they change their passwords through a corporate web UI, there could be multiple previous passwords (yes, many users change their passwords multiple times at once). Users must enter the specific one that last unlocked the keyring, which is difficult for non-technical users.

The login message, “The password you use to log in to your computer no longer matches that of your login keyring”, doesn’t help users understand which password to enter.

Additionally, Seahorse sometimes fails to unlock the keyring, requiring users to run killall gnome-keyring-daemon in the terminal before they can unlock it with Seahorse.

How is this scenario handled in other keyring daemons / managers?

I haven’t tested any other solutions yet. It seems like we need something that can unlock a password manager once the user passes authentication.

Appears there is already an open issue.