Gkr-pam: couldn't unlock the login keyring

Desktop
1

Using Ubuntu Plucky Puffin, but it seems since Gnome 48 there have been issues with unlocking the keyring, Debian Trixie has the same issues. Some update causing pam to not daemonize and not unlock the keyring, or find the default keyring (although it is defined):

Level 3 Message
gkr-pam: couldn’t unlock the login keyring

It does not help to delete all keyrings, storage, reboot and create a new default one, also it doesn’t help whether autologin is enabled or disabled.

for me the keyring password is configured blank

Symptom:

  1. After every reboot you have to login to all your apps, vpn, email, calendar, online accounts etc which isn’t ideal, because it can’t lookup the existing passwords in the existing keyring
  2. there is a popup for creating a new keyring after login or when using an app where username, password is entered and it is attempting to save that information
    image
    image810×543 53.7 KB

The Default keyring is already my default

image
image907×243 22.8 KB

I have been scoring the internet and have seen quite a few reports of this issue lately, so seems like a bug to me. Typically it was solved for users by deleting the keyring store, keyring files, reboot and create a new default keyring. For me that does not work.

/usr/bin/gnome-keyring-daemon --start --foreground --components=secrets
GNOME_KEYRING_CONTROL=/run/user/1000/keyring

Maybe similar to issue GNOME/gnome-control-center#2741

1 Like
2

Solved it. Apparently the Seahorse app does not create a new keyring with the proper permissions. Setting the file permissions in ~/.local/share/keyring keyfiles to allow the system to access read/write the files resolves the error.

Not sure why seahorse would not setup the correct file permissions.

3

I don’t think seahorse creates your login keyring. Surely that must be created somewhere else, maybe by gnome-keyring?

4

I have a bad feeling that the login keyring is probably created by gnome-keyring’s PAM configuration. PAM configuration varies considerably between distros, so it might be a downstream Ubuntu PAM stack bug. That would be unfortunate.

Anyway, the place to start is likely the gnome-keyring issue tracker. I think we need a gnome-keyring bug report for this. Login keyring having wrong permissions is really bad. Changing the permissions manually is a good workaround, but not a solution.

5

Thanks I will look at filing an issue, it might be a ubuntu PAM configuration issue as you mention.

Steps to repeat:

  1. delete all keyrings/passwords/default/keystore files
  2. go to seahorse add keyring with password the same as your user login
  3. add a “test” password entry in keyring created in 2.
  4. set keyring created in 2. as default
  5. Restart computer

Observe keyring isn’t opening/unlocked because it isn’t found due to permissions. Once you manually change the permissions, restart computer it shows up correctly (with correct popup prompt to unlock keyring)