Difference between revisions of "Using Gnome Keyring"
(Initial creation) |
m (→Step 4: Configuring Your Email Clients to Use the Keyring: stylistic changes) |
||
Line 110: | Line 110: | ||
For '''mutt''', add the line | For '''mutt''', add the line | ||
− | set imap_pass=`kr2mutt imaps://'''username'''@math.berkeley.edu@calmail.berkeley.edu` | + | set imap_pass=`kr2mutt imaps://'''''username'''''@math.berkeley.edu@calmail.berkeley.edu` |
− | to your '''.muttrc''' file. Here '''username''' is your login name. | + | to your '''.muttrc''' file. Here '''''username''''' is your login name. |
Notes | Notes | ||
Line 122: | Line 122: | ||
the gnome keyring natively, so no extra steps are necessary. However, you | the gnome keyring natively, so no extra steps are necessary. However, you | ||
will need to be sure that your .nailrc file refers to your CalMail account | will need to be sure that your .nailrc file refers to your CalMail account | ||
− | as "imaps://'''username'''@math.berkeley.edu@calmail.berkeley.edu", not as | + | as "imaps://'''''username'''''@math.berkeley.edu@calmail.berkeley.edu", not as |
− | "imap://'''username'''@math.berkeley.edu@calmail.berkeley.edu". | + | "imap://'''''username'''''@math.berkeley.edu@calmail.berkeley.edu". |
Notes | Notes |
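Review bot: In the .nailrc sentence at Line 122, the two quoted URLs differ only in the scheme (imaps:// versus imap://), yet after this edit the only emphasized token is username, which draws the eye away from the one character the reader has to get right. Consider also marking up the scheme, or saying explicitly that the "s" in imaps is required.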
Latest revision as of 16:46, 13 March 2010
In September 2009, CalMail switched from having a separate CalMail password to using the same passphrase as your CalNet ID. This change is problematic from the standpoint of security: it is most convenient to put your CalMail password in the startup files for your email clients, yet that same password is also used to access many other things, including management of your employee benefits. Because of this, we recommend that this passphrase not be stored in files in your home directory unless those files are encrypted.
As one possible remedy, you can store your CalMail password (i.e., your CalNet passphrase) on the Gnome keyring, and so avoid having it present in your files in unencrypted form.
Once this has been set up, you type a password once per login to unlock the keyring, and can then start up email clients many times without having to enter your password each time. This provides enhanced security, since it removes an incentive to make your CalNet passphrase shorter or simpler (and therefore less secure).
This method is supported only on the mutt and nail email clients, and works only when you are sitting in front of the actual workstation. When logging in remotely, you will still need to enter your CalMail passphrase every time you run these programs.
Setting Up the Gnome Keyring
Setting up the Gnome keyring takes five steps (some of which apply only to Solaris workstations). They are described below. If you have any questions about these steps, please ask Paul Vojta.
Step 1: Setting Up the Workstation
Linux machines are already set up to run the Gnome Keyring; they require no additional setup. This includes the thin clients in Room 744.
For Solaris machines, you need to run the following command, only once per workstation.
dbus-setup
Step 2: Setting up the Gnome Keyring Daemon
The Gnome keyring requires that a program, called the "gnome keyring daemon," be run in the background while you are logged in at a workstation. Instructions for doing so vary based on the operating system (i.e., Linux or Solaris) and on the session type (Gnome, KDE, CDE, etc.).
Linux
Gnome: For Linux machines running the Gnome session, nothing needs to be done. Gnome automatically runs its keyring daemon already.
KDE: For Linux machines running KDE, carry out the following steps. You should be in your home directory when following these steps.
Create directories as follows:
mkdir .kde/env .kde/shutdown
Create a file .kde/env/gnome-keyring.sh containing the lines
eval `gnome-keyring-daemon`
export GNOME_KEYRING_PID GNOME_KEYRING_SOCKET
Create a file .kde/shutdown/gnome-keyring containing the lines
#! /bin/sh
[ -n "$GNOME_KEYRING_PID" ] && kill "$GNOME_KEYRING_PID"
Make the latter file executable by running the following command:
chmod +x .kde/shutdown/gnome-keyring
The Gnome keyring should now run automatically the next time you log in to KDE.
Solaris
CDE: For CDE, you need to make two changes.
First, there should be a file .dtprofile in your home directory. (If the file is not there, one will be created for you the first time you run CDE.) Once the file has been created, add the following lines to the end of the file:
eval `/opt/local/bin/gnome-keyring-daemon`
export GNOME_KEYRING_PID GNOME_KEYRING_SOCKET
Be sure to enter the first line correctly: the marks around the command are backquotes ("backward apostrophes"), not ordinary apostrophes.
The second step is to create a file .dt/sessions/sessionexit. The file should contain the following lines:
#! /bin/ksh
[ -n "$GNOME_KEYRING_PID" ] && kill "$GNOME_KEYRING_PID"
exit 0
After creating it, you need to make it executable, by running the following command:
chmod +x .dt/sessions/sessionexit
Step 3: Setting up the Keyring Itself
The next step is to create the gnome keyring itself, choose a password to use when unlocking it, and add your CalNet passphrase to the keyring.
To do these steps, you should run the command
krsetup
It will ask you for a password for your keyring, and then allow you to enter a password that mutt or nail will use when accessing your CalMail account.
Step 4: Configuring Your Email Clients to Use the Keyring
The next step is to set up your email client to use the password that you have stored in the keyring. This step depends on which email client you use. Only mutt and nail are supported.
mutt
For mutt, add the line
set imap_pass=`kr2mutt imaps://username@math.berkeley.edu@calmail.berkeley.edu`
to your .muttrc file. Here username is your login name.
Notes
- mutt only allows one password to be set in the .muttrc file for all imap accounts that you may want to access, so if you have any other mail accounts, then they will also have to use your CalNet passphrase.
- If you run mutt in a remote login session, then it will still ask you for a password.
nail
The version of nail installed on the Math Department network supports the gnome keyring natively, so no extra steps are necessary. However, you will need to be sure that your .nailrc file refers to your CalMail account as "imaps://username@math.berkeley.edu@calmail.berkeley.edu", not as "imap://username@math.berkeley.edu@calmail.berkeley.edu".
Notes
- nail only supports the gnome keyring for IMAP accounts. For POP accounts, you will need to use other methods for storing the password.
- nail allows different passwords for different IMAP accounts.
- If you have other IMAP mail accounts that you wish to access using nail, you may also enter their passwords into the gnome keyring. To do this, run krsetup with the URL-like descriptions you use when accessing nail. For example, if you have a second CalMail account gauss@berkeley.edu, you would run
krsetup imaps://gauss@calmail.berkeley.edu
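An added check, not part of the original page or of the department's tools: the shell function below audits a home directory for the situations this page warns about, namely a literal imap_pass in .muttrc, an imap:// account in .nailrc, or a password written into either file. The function name audit_mail_rc is hypothetical, and the password-user@host variable it looks for in .nailrc is an assumption about how a stored nail password would appear, not something stated on the page.

```shell
#!/bin/sh
# Added example, not from the original page: check that the mutt and nail
# startup files do not hold the passphrase. Usage: audit_mail_rc [DIR]
# (DIR defaults to $HOME). Prints one finding per line; returns 0 when
# nothing is found, 1 otherwise.
audit_mail_rc() {
    dir=${1:-$HOME}
    rc=0
    # .muttrc: imap_pass is acceptable only as a backtick command
    # (e.g. `kr2mutt ...`); any other value is a literal password.
    if [ -f "$dir/.muttrc" ] && awk '
        /^[ \t]*#/ { next }
        /imap_pass[ \t]*=/ {
            v = $0
            sub(/.*imap_pass[ \t]*=[ \t]*"?/, "", v)
            if (substr(v, 1, 1) != "`") bad = 1
        }
        END { exit(bad ? 0 : 1) }' "$dir/.muttrc"
    then
        echo ".muttrc: imap_pass is set to a literal value"
        rc=1
    fi
    if [ -f "$dir/.nailrc" ]; then
        # Assumption: a stored password appears as nail's
        # password-user@host variable.
        if grep -Eq '^[[:space:]]*set[[:space:]]+password-' "$dir/.nailrc"; then
            echo ".nailrc: a password variable is set in the file"
            rc=1
        fi
        # The page requires the imaps:// form for the CalMail account.
        if grep -v '^[[:space:]]*#' "$dir/.nailrc" | grep -q 'imap://'; then
            echo ".nailrc: account given as imap:// instead of imaps://"
            rc=1
        fi
    fi
    # Either file: a password embedded in a URL (imaps://user:secret@host).
    for f in "$dir/.muttrc" "$dir/.nailrc"; do
        [ -f "$f" ] || continue
        if grep -Eq 'imaps?://[^/[:space:]]*:[^/[:space:]@]+@' "$f"; then
            echo "${f##*/}: URL contains an embedded password"
            rc=1
        fi
    done
    return $rc
}
```

Run it as audit_mail_rc "$HOME" after completing this step; no output and a zero exit status mean neither file holds the passphrase in a form the function recognizes.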
Step 5: Configuring a Screen Saver
Having your CalNet ID stored on a gnome keyring opens up a potential security issue if you are in the habit of leaving your office workstation logged in all the time. If you do this, then we recommend that you be sure to use a screensaver that locks the screen after a period of inactivity.
To ensure that you have a screensaver running, do the following (depending on your environment).
Linux
Gnome: Gnome automatically runs the screensaver already. To check the screensaver settings, click "Applications" at the top of the screen and in the menu that appears select "Preferences" followed by "Screensaver".
KDE: Click the right mouse button with the mouse over the screen background, and select "Configure Desktop...". In the left panel of the window that pops up, click on "Screen Saver". Choose your settings, being sure to select "Require password to stop". Click "OK".
Solaris
CDE: Click the arrow for "tools" at the bottom of your screen (fourth from the right) and click on "Desktop Controls". Scroll down to "Screen Style Manager" and double-click on it. Set the options for the screen saver (remember to turn on "Lock") and click OK. Use Alt-F4 to close the "Style Manager" and "Tools" windows.