Use cases for gnome-keyring

xaos52 · 2016-02-10 09:21:42

1. Let gnome-keyring store your WPA keyphrase.
See this post

2. Let gnome-keyring store your iceweasel(firefox) passwords.
See this post

3. Let gnome-keyring store your SSH passphrase.
See this post

4. Let gnome-keyring store passwords for your scripts.
See this post

5. Let gnome keyring store your git password.
See this post

johnraff · 2016-02-12 08:02:23

4. Let gnome-keyring store passwords for your scripts.

EDIT: There is a package libsecret-tools which provides the utility secret-tool. This is simpler to install and use. See 'man secret-tool'.

---
You need the python script gkeyring from GitHub. Download the zip file from https://github.com/kparal/gkeyring/archive/master.zip
Unpack the archive, make a symlink from your bin directory to the python file gkeyring.py, wherever you put it, make sure it's executable.

ln -s /path/to/gkeyring.py $HOME/bin/gkeyring
chmod +x /path/to/gkeyring.py

Install the packages python-gnomekeyring and seahorse.
Seahorse isn't needed for running your scripts, but it makes setting things up easier.

See the output of 'gkeyring --help' for a full list of options, but here is a simple setup:

To store a new password in your login keyring, under the name newkey, try this

gkeyring --set -n newkey --keyring login

You'll be asked to enter the password to be stored in "newkey".
You can retrieve it with

gkeyring -n newkey --keyring login

Often in scripts you'll want the password only, with no trailing newline. The option '-1' will give you that, so you might have code like:

password=$(gkeyring -n newkey --keyring login -1)

If login is your "default" keyring it can be dropped from the command.

If you make a new keyring, different from "login" it won't be opened automatically when you start your session, but the first time a script uses it a password window will come up to open the keyring - with the keyring's password. After that the keyring will be open (unless you lock it again) and scripts will be able to get newkey's password freely.
I haven't discovered a way to create a new keyring with gkeyring (xaos52?) but you can do it with seahorse. Then, to store in a new keyring called "test":

gkeyring --set -n anotherkey --keyring test

and

password=$(gkeyring -n anotherkey --keyring test -1)

There are other ways to access stored keys, but I'll leave that for you to research.

Last edited by johnraff (2018-09-17 06:48:28)

xaos52 · 2016-02-12 08:57:22

Thx John,

Tools like gkeyring allow you to view all "secrets" in the clear, hence the advice:

******* Protect all your keyrings with a password *********

This still leaves you with some passwords to memorize - or store in a gpg encrypted file.

When using passwords from a script, remember to open the keyring before launching the script.

xaos52 · 2016-02-12 10:52:53

5. Let gnome keyring store your git password

When you install git, it comes with the source code for a C program in
/usr/share/doc/git/contrib/credential/gnome-keyring.git-credential-gnome-keyring.c
This is a helper program that can be used to make git retrieve your password from gnome keyring.

To install the program:

mkdir -p $HOME/tmp/today/git-credential
cd $_
cp /usr/share/doc/git/contrib/credential/gnome-keyring/* .
sudo apt-get install libgnome-keyring-dev
make
sudo cp git-credential-gnome-keyring /usr/local/bin/

I installed to /usr/local/bin. If you want it for your user only use $HOME/bin.

Now set up git to use the git-credential-gnome-keyring helper:

git config --global credential.helper /usr/local/bin/git-credential-gnome-keyring

The first time you push something to github you will be prompted for your git password (if your default keyring has a password - and it should! - and it is not open) and it will be stored in your default keyring. Subsequent pushes to github will not ask for your git password no more if your default keyring is open.

xaos52 · 2016-02-12 17:46:57

The git repo for gkeyring contains a nice little shell script - moz-sec-get.sh - to copy site passwords to the clipboard for 16s, and then clears the clipboard:

#!/bin/sh
# Looks up a mozilla-gnome-keyring password and copies it to a clipboard for 16s.
# Requires xclip(1) and secret-tool(1).

test -n "$1" || { echo >&2 "Usage: $0 <host_or_url> [<username>]"; exit 2; }
set -e

host=$(echo "$1" | sed -re 's,^([^:]+://[^/]+)/.*,\1,g')
pass=$( test -n "$2" \
  && secret-tool lookup hostname "$host" username "$2" \
  || secret-tool lookup hostname "$host")

if [ -z "$DISPLAY" ]; then
	echo "$pass"
else
	echo "$pass" | xclip -selection clipboard
	{ sleep 16; echo "" | xclip -selection clipboard; } &
	echo >&2 "copied to clipboard; will clear it after 16s"
fi

Needs package 'xclip' installed on your system.

Example usage:
Suppose you have

me@medion:~/tmp/today/seahorse$ gkeyring --all --keyring mozilla
3	https://forums.gentoo.org	efehfeknezk
7	https://www.facebook.com	,dlsldfkjesk
18	https://webmail.telenet.be	kdskfsdkk
20	https://forums.bunsenlabs.org	;ndkenrkl,em,ezlmkr,
me@medion:~/tmp/today/seahorse$

in a keyring - the script does not require your keyring to be named 'mozilla', mine just happens to be named so - you can then run the script (after installing it somewhere in your PATH).

moz-sec-get.sh https://forums.bunsenlabs.org

and you will have the password on your clipboard for 16s.

WARNING
The password will remain visible in your clipit history until you clear it.
I haven'd found a method to clear the clipit history from the command line. Any takers to add that functionality?

johnraff · 2016-02-13 04:36:24

xaos52 wrote:

When using passwords from a script, remember to open the keyring before launching the script.

In fact this is not necessary. If the keyring is locked...

johnraff wrote:

If you make a new keyring, different from "login" it won't be opened automatically when you start your session, but the first time a script uses it a password window will come up to open the keyring - with the keyring's password.

Probably this needs polkit-gnome-authentication-agent-1 to be running (as it is in BL by default).

johnraff · 2016-02-13 06:50:03

xaos52 wrote:

5. Let gnome keyring store your git password

Thank you for this - it works perfectly!

xaos52 wrote:

I haven'd found a method to clear the clipit history from the command line. Any takers to add that functionality?

Drop '-selection clipboard' from the xclip commands and the password will go into the primary selection instead, from where you can paste it with a middle-click. Make sure clipit's preference box "Use Primary (Selection)" is unchecked and it won't go in the history.

BTW that script uses secret-tool which is provided by libsecret-tools and a new discovery for me. It looks like a useful alternative to gkeyring in fact.

johnraff · 2016-04-17 07:45:07

Snake-charmers might be interested in this series (7) of articles on using python with gnome-keyring:
http://mindbending.org/en/bending-gnome … hon-part-1

#1 2016-02-10 09:21:42

Use cases for gnome-keyring

#2 2016-02-12 08:02:23

Re: Use cases for gnome-keyring

#3 2016-02-12 08:57:22

Re: Use cases for gnome-keyring

#4 2016-02-12 10:52:53

Re: Use cases for gnome-keyring

#5 2016-02-12 17:46:57

Re: Use cases for gnome-keyring

#6 2016-02-13 04:36:24

Re: Use cases for gnome-keyring

#7 2016-02-13 06:50:03

Re: Use cases for gnome-keyring

#8 2016-04-17 07:45:07

Re: Use cases for gnome-keyring

Board footer