Using Gnome Keyring

From UCB Math Wiki
Revision as of 14:04, 11 March 2010 by Vojta (talk | contribs) (Initial creation)

In September 2009, CalMail switched from a separate CalMail password to the same passphrase as your CalNet ID. This change is problematic from a security standpoint: the most convenient setup puts your CalMail password in the startup files of your email clients, yet that same passphrase now also protects many other things, including management of your employee benefits. We therefore recommend that this passphrase not be stored in files in your home directory unless those files are encrypted.

As one possible remedy, you can store your CalMail password (i.e., your CalNet passphrase) in the Gnome keyring and thereby avoid having it present in your files in unencrypted form.

Once this has been set up, you type a password once per login to unlock the keyring, and can then start your email client as many times as you like without entering your password again. This improves security because it removes the incentive to make your CalNet passphrase shorter or simpler (and therefore weaker).

This method is supported only on the mutt and nail email clients, and only works when you are sitting in front of the actual workstation. When logging in remotely, you will still need to enter your CalMail passphrase every time you run these programs.

Setting Up the Gnome Keyring

Setting up the Gnome keyring takes five steps (some of which apply only to Solaris workstations). They are described below. If you have any questions about these steps, please ask Paul Vojta.

Step 1: Setting Up the Workstation

Linux machines are already set up to run the Gnome Keyring; they require no additional setup. This includes the thin clients in Room 744.

For Solaris machines, you need to run the following command, only once per workstation.

dbus-setup

Step 2: Setting up the Gnome Keyring Daemon

The Gnome keyring requires that a program, called the "gnome keyring daemon," be running in the background while you are logged in at a workstation. The instructions for doing so vary with the operating system (i.e., Linux or Solaris) and with the session type (Gnome, KDE, CDE, etc.).

Linux

Gnome

For Linux machines running the Gnome session, nothing needs to be done: Gnome already starts its keyring daemon automatically.

KDE

For Linux machines running KDE, carry out the following steps. Run them from your home directory.

Create directories as follows:

mkdir .kde/env .kde/shutdown

Create a file .kde/env/gnome-keyring.sh containing the lines

# Start the daemon; it prints VAR=value lines, which eval puts into the environment
eval `gnome-keyring-daemon`
export GNOME_KEYRING_PID GNOME_KEYRING_SOCKET

Create a file .kde/shutdown/gnome-keyring containing the lines

#! /bin/sh
# Stop the keyring daemon started at login, if one is recorded in the environment
[ -n "$GNOME_KEYRING_PID" ] && kill "$GNOME_KEYRING_PID"

Make the latter file executable by running the following command:

chmod +x .kde/shutdown/gnome-keyring

The Gnome keyring should now run automatically the next time you log in to KDE.

Solaris

CDE

For CDE, you need to make two changes.

First, there should be a file .dtprofile in your home directory. (If the file is not there, one will be created for you the first time you run CDE.) Once the file has been created, add the following lines to the end of the file:

# Start the daemon; it prints VAR=value lines, which eval puts into the environment
eval `/opt/local/bin/gnome-keyring-daemon`
export GNOME_KEYRING_PID GNOME_KEYRING_SOCKET

Be sure to enter the first line correctly: the characters around the command are backquotes (grave accents, `), not ordinary apostrophes.

The second step is to create a file .dt/sessions/sessionexit. The file should contain the following lines:

#! /bin/ksh

# Stop the keyring daemon started from .dtprofile, if one is recorded in the environment
[ -n "$GNOME_KEYRING_PID" ] && kill "$GNOME_KEYRING_PID"

exit 0

After creating it, you need to make it executable, by running the following command:

chmod +x .dt/sessions/sessionexit
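Both the KDE and the CDE startup snippets above hand the daemon's output straight to eval, and the KDE version finds gnome-keyring-daemon by searching PATH. The script below is an added example, written for this page and not part of the wiki's own instructions or of gnome-keyring; it runs the daemon by an absolute path, reuses a daemon that is already running, and imports only the two expected variables after checking their form, so nothing else the daemon prints can be executed as shell. The KR_DAEMON override variable and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the wiki page): a hardened replacement for the
#     eval `gnome-keyring-daemon`
# line in the KDE and CDE session scripts.  Differences:
#   1. the daemon is run by absolute path, so nothing earlier in PATH can
#      stand in for it;
#   2. a daemon whose PID is already in the environment and alive is reused;
#   3. the daemon's output is validated line by line and only two well-formed
#      variables are exported, instead of passing the whole output to eval.
# Source this file from .kde/env/gnome-keyring.sh or .dtprofile and then call
# kr_start_daemon; the page's shutdown scripts work unchanged.

# Absolute path to the daemon (/opt/local/bin is where the page has it on
# Solaris); the KR_DAEMON name is an assumption of this example.
: "${KR_DAEMON:=/opt/local/bin/gnome-keyring-daemon}"

# kr_parse_daemon_output: read "NAME=value" lines on stdin.
#   GNOME_KEYRING_PID    must be all digits
#   GNOME_KEYRING_SOCKET must be an absolute path made of [A-Za-z0-9_./-]
# Any other variable the daemon prints is reported and skipped, never
# exported.  Returns 1 if either required variable is missing or malformed,
# leaving the environment untouched.
kr_parse_daemon_output() {
    _pid='' _sock=''
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            '') ;;
            GNOME_KEYRING_PID=*)
                _v=${_line#GNOME_KEYRING_PID=}
                case "$_v" in
                    ''|*[!0-9]*) echo "rejected PID line: $_line" >&2; return 1 ;;
                esac
                _pid=$_v ;;
            GNOME_KEYRING_SOCKET=*)
                _v=${_line#GNOME_KEYRING_SOCKET=}
                case "$_v" in
                    /*) ;;
                    *) echo "rejected socket line (not absolute): $_line" >&2; return 1 ;;
                esac
                case "$_v" in
                    *[!A-Za-z0-9_./-]*) echo "rejected socket line (bad characters): $_line" >&2; return 1 ;;
                esac
                _sock=$_v ;;
            *) echo "ignored daemon output: $_line" >&2 ;;
        esac
    done
    if [ -z "$_pid" ] || [ -z "$_sock" ]; then
        echo "daemon output lacked PID or socket" >&2
        return 1
    fi
    GNOME_KEYRING_PID=$_pid
    GNOME_KEYRING_SOCKET=$_sock
    export GNOME_KEYRING_PID GNOME_KEYRING_SOCKET
}

# kr_daemon_running: true when GNOME_KEYRING_PID names a live process.
kr_daemon_running() {
    [ -n "${GNOME_KEYRING_PID-}" ] && kill -0 "$GNOME_KEYRING_PID" 2>/dev/null
}

# kr_start_daemon: start the daemon unless one is running, then import its
# variables through the validator above.
kr_start_daemon() {
    if kr_daemon_running; then
        echo "gnome-keyring-daemon already running (pid $GNOME_KEYRING_PID)" >&2
        return 0
    fi
    if [ ! -x "$KR_DAEMON" ]; then
        echo "$KR_DAEMON is not executable" >&2
        return 1
    fi
    _out=$("$KR_DAEMON") || return 1
    # A here-document expands $_out but does not re-evaluate the result, so
    # nothing the daemon printed is ever run as a command.
    kr_parse_daemon_output <<EOF
$_out
EOF
}
```

In .kde/env/gnome-keyring.sh (or at the end of .dtprofile) the two lines from the page become `. "$HOME/bin/keyring-start.sh" && kr_start_daemon`, with the file saved under that name; the validator is the part worth keeping even if you prefer to keep eval, since it is what prevents a substituted or misbehaving daemon from injecting arbitrary shell into your login session.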

Step 3: Setting up the Keyring Itself

The next step is to create the gnome keyring itself, choose a password to use when unlocking it, and add your CalNet passphrase to the keyring.

To do these steps, you should run the command

krsetup

It will ask you for a password for your keyring, and then allow you to enter a password that mutt or nail will use when accessing your CalMail account.

Step 4: Configuring Your Email Clients to Use the Keyring

The next step is to set up your email client to use the password that you have stored in the keyring. This step depends on which email client you use. Only mutt and nail are supported.

mutt

For mutt, add the line

set imap_pass=`kr2mutt imaps://username@math.berkeley.edu@calmail.berkeley.edu`

to your .muttrc file. Here username is your login name.

Notes

  • mutt allows only one password to be set in the .muttrc file for all IMAP accounts you may want to access, so if you have any other mail accounts, they will also have to use your CalNet passphrase.
  • If you run mutt in a remote login session, then it will still ask you for a password.

nail

The version of nail installed on the Math Department network supports the Gnome keyring natively, so no extra steps are necessary. However, your .nailrc file must refer to your CalMail account as "imaps://username@math.berkeley.edu@calmail.berkeley.edu", not as "imap://username@math.berkeley.edu@calmail.berkeley.edu": the keyring entry created by krsetup is looked up by that imaps:// URL, and imaps (IMAP over SSL/TLS) is in any case the only form under which your CalNet passphrase should be sent to the server.

Notes

  • nail only supports the gnome keyring for IMAP accounts. For POP accounts, you will need to use other methods for storing the password.
  • nail allows different passwords for different IMAP accounts.
  • If you have other IMAP mail accounts that you wish to access using nail, you may also enter their passwords into the gnome keyring. To do this, run krsetup with the URL-like descriptions you use when accessing nail. For example, if you have a second CalMail account gauss@berkeley.edu, you would run

        krsetup imaps://gauss@calmail.berkeley.edu

Step 5: Configuring a Screen Saver

Having your CalNet passphrase stored in a Gnome keyring opens up a potential security issue if you are in the habit of leaving your office workstation logged in all the time: while the keyring is unlocked, any process running under your user account, including one started by someone who sits down at your unattended session, can read the passphrase from it. If you leave your workstation logged in, we recommend that you be sure to use a screensaver that locks the screen after a period of inactivity.

To ensure that you have a screensaver running, do the following (depending on your environment).

Linux

Gnome: Gnome automatically runs the screensaver already. To check the screensaver settings, click "Applications" at the top of the screen and in the menu that appears select "Preferences" followed by "Screensaver".

KDE: Click the right mouse button with the mouse over the screen background, and select "Configure Desktop...". In the left panel of the window that pops up, click on "Screen Saver". Choose your settings, being sure to select "Require password to stop". Click "OK".

Solaris

CDE: Click the arrow for "tools" at the bottom of your screen (fourth from the right) and click on "Desktop Controls". Scroll down to "Screen Style Manager" and double-click on it. Set the options for the screen saver (remember to turn on "Lock") and click OK. Use Alt-F4 to close the "Style Manager" and "Tools" windows.