Ask Your Question
0

Fingerprint to unlock keyring on login

asked 2013-08-16 14:42:19 -0600

heywhat gravatar image

updated 2014-12-28 18:39:20 -0600

mether gravatar image

I have enrolled my fingerprint on a Thinkpad with fingerprint scanner. I can now swipe a finger to sudo, su and login etc.

However, if I swipe to login, a password box pops up anyway because the keyring needs to be unlocked so that NetworkManager can log on to the wifi network. If I login with a password it is reused to unlock the keyring. Therefore it is quicker to login by typing a password once than to swipe and then also type a password.

Is there some way of also unlocking the keyring when I swipe to login? One swipe should log me in and also unlock the keyring.

Update:

Thanks to feedback, I guess what's needed is the following:

  • a laptop with a TPM chip (thinkpad, + any modern laptop, due to trusted boot?)
  • the package trousers to talk to the TPM (seems to be installed by default)
  • a pam session module which decrypts your password with TPM and unlocks keyring/ssh keys

Running a command like:

repoquery --whatrequires trousers

...I see a bunch of packages which make use of the TPM chip, none of which look like pam modules. I guess this doesn't exist in Fedora. Has anyone written this software? Does this all look right?

There also needs to be some kind of UI such that when you enrole your fingerprint you are also asked for your password, which is then encrypted with a key stored in the TPM.

All of the above also applies to other auth methods, such as the newly integrated for F20 external keys -- any way you authenticate that does not involve typing in your password immediately involves typing in your password anyway as access to the network, and therefore your keyring is a prerequisite for doing anything useful.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
1

answered 2013-08-24 14:34:44 -0600

hroncok gravatar image

The passwords in keyring are stored encrypted. Your keyring master password is used to encrypt them. Without the master password, nobody (or nothing) can read the passwords stored there. That's for security reasons, if the passswords were stored in plaintext, root might read them, or any app can read all passwords.

While it is technically possible to compare fingerprints and compare the fingerprint of the user who tries to log in with all fingerprints stored in the system, it is technically impossible to get your password from the print and use it to decrypt your passwords of the user who runs the app.

One solution is to decrypt your passwords with fingerprint, but that would mean that you cannot unlock the keyring with password anymore. Also it is almost impossible to generate something (number, string) from the fingerpint that's stays the same for every scan (and is uniqe enough to be used for encryption).

Other solution is to use empty/none password for keyring and let it be unlcoked without password. But that way, your password would be stored in plaintext (or other easily readable form). If you really want to do that, do that in seahorse, in the View dropdown, select By Keyring. On the Passwords tab, right click on Passwords: login and pick Change password. Enter the old password and leave empty the new password. You will be warned about using unencrypted storage; continue by pushing Use Unsafe Storage. [The seahorse how-to is quoted from [ArchWiki](https://wiki.archlinux.org/index.php/GNOME_Keyring)]

Basically that means you have to choose between security and comfiness. As usual.

edit flag offensive delete link more
add a comment

Question Tools

subscribe to rss feed

Stats

Asked: 2013-08-16 14:42:19 -0600

Seen: 3,392 times

Last updated: Aug 25 '13

Related questions

How do I get proper ssh-agent functionality in GNOME?

How can I unlock my login keyring using my fingerprint?

Error communicating with gnome-keyring-daemon in SSH session

xscreensaver Authentication failed Ad user pam_winbond.

Google Chrome import passwords from Gnome Keyring

GNOME Keyring isn't automatically loading/unlocking my SSH keys

Which PAM module to use to allow/deny user/group login: pam_listfile.so oo pam_access.so?

Auto unlock Gnome Keyring on login

BCM5880 fingerprint Fedora 21

How to use finger print sensor in thinpad E480?

Ask Fedora is community maintained and Red Hat or Fedora Project is not responsible for content. Content on this site is licensed under a CC-BY-SA 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2