Fingerprint to unlock keyring on login

asked 2013-08-16 19:42:19 +0000 by heywhat

updated 2014-12-29 00:39:20 +0000 by mether

I have enrolled my fingerprint on a Thinkpad with fingerprint scanner. I can now swipe a finger to sudo, su and login etc.

However, if I swipe to login, a password box pops up anyway because the keyring needs to be unlocked so that NetworkManager can log on to the wifi network. If I login with a password it is reused to unlock the keyring. Therefore it is quicker to login by typing a password once than to swipe and then also type a password.

Is there some way of also unlocking the keyring when I swipe to login? One swipe should log me in and also unlock the keyring.

Update:

Thanks to feedback, I guess what's needed is the following:

  • a laptop with a TPM chip (thinkpad, + any modern laptop, due to trusted boot?)
  • the package trousers to talk to the TPM (seems to be installed by default)
  • a pam session module which decrypts your password with TPM and unlocks keyring/ssh keys

Running a command like:

repoquery --whatrequires trousers

...I see a bunch of packages which make use of the TPM chip, none of which look like pam modules. I guess this doesn't exist in Fedora. Has anyone written this software? Does this all look right?

There also needs to be some kind of UI such that when you enrol your fingerprint you are also asked for your password, which is then encrypted with a key stored in the TPM.

All of the above also applies to other auth methods, such as the external keys newly integrated for F20 -- any way you authenticate that does not involve typing in your password immediately involves typing in your password anyway, as access to the network, and therefore your keyring, is a prerequisite for doing anything useful.


1 Answer

answered 2013-08-24 19:34:44 +0000 by hroncok

The passwords in the keyring are stored encrypted. Your keyring master password is used to encrypt them. Without the master password, nobody (or nothing) can read the passwords stored there. That's for security reasons: if the passwords were stored in plaintext, root might read them, or any app could read all passwords.

While it is technically possible to compare fingerprints and compare the fingerprint of the user who tries to log in with all fingerprints stored in the system, it is technically impossible to get your password from the print and use it to decrypt your passwords of the user who runs the app.

One solution is to decrypt your passwords with the fingerprint, but that would mean that you cannot unlock the keyring with a password anymore. Also it is almost impossible to generate something (number, string) from the fingerprint that stays the same for every scan (and is unique enough to be used for encryption).

The other solution is to use an empty/no password for the keyring and let it be unlocked without a password. But that way, your password would be stored in plaintext (or another easily readable form). If you really want to do that, do it in seahorse: in the View dropdown, select By Keyring. On the Passwords tab, right click on Passwords: login and pick Change password. Enter the old password and leave the new password empty. You will be warned about using unencrypted storage; continue by pushing Use Unsafe Storage. [The seahorse how-to is quoted from [ArchWiki](https://wiki.archlinux.org/index.php/GNOME_Keyring)]

Basically that means you have to choose between security and comfiness. As usual.

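To make the trade-off in the answer concrete (and the question's idea of a session module that unwraps the master password from a key held elsewhere), here is an added, self-contained model of a password keyring. It is example code written for this page, not gnome-keyring's or Fedora's code: PBKDF2-HMAC-SHA256 and an HMAC-SHA256 keystream with an authentication tag stand in for whatever cipher the real keyring uses (an assumption), and the Wi-Fi secret is a constructed sample value. It shows three things the answer states: with a master password the on-disk entry does not reveal the secret, a wrong password cannot unlock it, and an empty ("unsafe storage") password leaves the secret readable on disk.

```python
import hashlib
import hmac
import os
import struct

# Assumption: parameters chosen for the example, not the real keyring's.
PBKDF2_ROUNDS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Turn the master password into a fixed-size encryption key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               PBKDF2_ROUNDS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for a real cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate one keyring entry: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong master password fails here, not on garbage output."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Keyring:
    """Minimal model of a login keyring; empty master password = unsafe storage."""

    def __init__(self, master_password: str):
        self.salt = os.urandom(NONCE_LEN)
        # No password: entries are written as-is, exactly what "Use Unsafe Storage" means.
        self._key = derive_key(master_password, self.salt) if master_password else None
        self._entries = {}

    def store(self, name: str, secret: bytes) -> None:
        self._entries[name] = seal(self._key, secret) if self._key else secret

    def on_disk(self, name: str) -> bytes:
        """What an attacker (or root) reading the keyring file would see."""
        return self._entries[name]

    def unlock_and_read(self, name: str, master_password: str) -> bytes:
        """What a login session (or the PAM module the question wants) does after
        obtaining the master password: derive the key and decrypt the entry."""
        if self._key is None:
            return self._entries[name]
        return open_sealed(derive_key(master_password, self.salt), self._entries[name])


if __name__ == "__main__":
    wifi_psk = b"example-psk-not-real"  # constructed sample secret
    locked = Keyring("correct horse battery staple")
    locked.store("wifi", wifi_psk)
    print("secret visible on disk:", wifi_psk in locked.on_disk("wifi"))
    print("unlocked:", locked.unlock_and_read("wifi", "correct horse battery staple"))
    unsafe = Keyring("")
    unsafe.store("wifi", wifi_psk)
    print("unsafe storage visible on disk:", unsafe.on_disk("wifi") == wifi_psk)
```

The design point the answer makes falls out of `unlock_and_read`: the only input that reconstructs the key is the master password itself, so a fingerprint swipe can only help if something (the question's TPM-sealed copy, or the login password reused by PAM) hands that password to the session; two scans of the same finger differ byte-for-byte, so feeding a scan into `derive_key` would yield a different key every time.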

Stats

Asked: 2013-08-16 19:42:19 +0000

Seen: 871 times

Last updated: Aug 25 '13