Recover password in Linux in three easy steps

There it is. Your Linux system just booted and you’re presented with a GDM screen asking you to provide a username and password. That’s fine. You really want only authorized users on your machine.

Steps to recover password in Linux

You enter your username and password and your GNOME desktop loads. NetworkManager starts, sees that there are some wireless networks in range and tries to connect to them, but to do that it needs the wireless keys. These are stored in your keyring, which in turn is protected with a keyring password. You are presented with a keyring unlocking dialog asking for your keyring password.

Next you need to access files on a remote site. It is accessible over SSH and you use SSH key authentication. The keys are protected from unauthorized access with key passwords. You’re presented with an SSH key unlocking dialog asking for your key password.

Some minutes later you want to send an email. Evolution is configured to automatically GPG sign your emails. To do this it needs to access your GPG key, which is password protected. You’re presented with a GPG key unlocking dialog asking for your key password.

Sounds familiar?

Protecting your keyring and your keys with passwords is a GoodThing(TM). Under no circumstances should you use empty passwords to make your life easier. You will lose all passwords (and all access) if someone gets access to your files. This really could happen by accident. You really do not want this.

But you were authenticated during GDM login, so is there a way to just use the keys you own without all the password hassle? Well… Luckily, there is.

The solution consists of two things. The first is the pam_keyring module, which uses your login password to unlock your keyring during login. The second is the Seahorse application, which handles all your SSH and GPG keys, unlocks them as needed and stores the key passwords in… the GNOME keyring.

So, let’s install it. Under Ubuntu this is:

sudo apt-get install libpam-keyring seahorse

You will get the file /etc/pam.d/common-pamkeyring, which says that you need to add the line @include common-pamkeyring to the PAM file of each service that should use the pam_keyring module. So let’s edit /etc/pam.d/gdm.

sudo gedit /etc/pam.d/gdm

It should contain something like this:

#%PAM-1.0
auth    requisite    pam_nologin.so
auth    required    pam_env.so
@include common-auth
@include common-account
session    required    pam_limits.so
@include common-session
@include common-password
# added for libpam-keyring
@include common-pamkeyring

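And you’re done. Note that the @include common-pamkeyring line should be the last one in the file, and the file shouldn’t contain any lines with the sufficient control flag: when a sufficient module succeeds, PAM can return success straight away without calling the modules listed after it.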
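The two rules above can be checked mechanically. The following script is an added example, not part of the original article or of libpam-keyring; it inspects only the file it is given (not the files pulled in by @include), and the module name pam_example.so in the sample is made up.

```shell
#!/bin/sh
# Added example: verify a PAM service file against the two rules in the text:
#   1. "@include common-pamkeyring" is the last directive in the file
#   2. no directive uses the "sufficient" control flag
# Returns 0 if both hold, 1 if a rule is broken, 2 if the file is unreadable.
check_pam_keyring() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk '
        # Blank lines and comments (including the #%PAM-1.0 header) are ignored.
        /^[ \t]*(#|$)/ { next }
        {
            last_nr = NR
            # Directive layout is "type control module [args]": field 2 is the flag.
            if ($1 != "@include" && $2 == "sufficient") {
                printf "line %d: sufficient control flag: %s\n", NR, $0
                bad = 1
            }
            if ($1 == "@include" && $2 == "common-pamkeyring") seen = NR
        }
        END {
            if (!seen) {
                print "missing: @include common-pamkeyring"; bad = 1
            } else if (seen != last_nr) {
                printf "line %d: include is not last (last directive: line %d)\n", seen, last_nr
                bad = 1
            }
            exit bad + 0
        }
    ' "$file"
}

# Constructed sample: the gdm file from the text with the include moved up and
# a sufficient line (hypothetical module pam_example.so) added, so both rules fail.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth    requisite    pam_nologin.so
auth    sufficient   pam_example.so
@include common-auth
# added for libpam-keyring
@include common-pamkeyring
@include common-session
EOF
check_pam_keyring "$sample" || echo "=> sample file needs fixing"
rm -f "$sample"
```

On a real system, run `check_pam_keyring /etc/pam.d/gdm` after editing the file.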

One more thing: your keyring password needs to be the same as your login password. There is no way to change it, so if it is different you need to delete ~/.gnome2/keyrings/default.keyring and recreate it after login (giving your login password).

Seahorse configures itself to autostart, so you do not need to edit anything. You may want to launch Encryption Preferences, though, and check that you have a GPG key configured and SSH key loading enabled.

Now reboot your system, log in again and enjoy.