Archives for: October 2007

29 October, 2007

10:18 UTC, by Rémi CARDONA
Categories: Gentoo, Gnome

Gnome's cool features : gnome-keyring & pam

Today, I'm starting a new theme for this blog. Instead of ranting or trolling like a good chunk of bloggers out there, I'll be writing about the cool new stuff upstream Gnome developers have coded during the past 6 months (probably more, since I'll try to go back to older features as well) and that we offer in Gentoo, but that is hidden.

As many know, Gentoo is about choice, and the default choice is to "opt-in". So if you install Gnome on Gentoo, you get a bare-bones Gnome experience, sometimes in stark contrast to what other distros do. So in order to level the playing field, I'll be writing about how to enable some of those cool features. :)

Today's special : gnome-keyring's pam module.

Gnome-keyring now provides its own pam module, so you don't need to emerge pam_keyring. Just enable the pam USE flag (it should be on by default) and you'll be ready to start configuring it.

All in all it's not that complicated. Here's my /etc/pam.d/system-auth :

    #%PAM-1.0

    auth required pam_env.so
    # keyring, auth stage: "optional", so a keyring failure cannot block login
    auth optional pam_gnome_keyring.so
    auth sufficient pam_unix.so try_first_pass likeauth nullok
    auth required pam_deny.so

    account required pam_unix.so

    # This can be used only if you enabled the cracklib USE flag
    password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
    # keyring, password stage: keeps the keyring password in sync when you run passwd
    password optional pam_gnome_keyring.so
    # This can be used only if you enabled the cracklib USE flag
    password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
    # This can be used only if you enabled the !cracklib USE flag
    # password sufficient pam_unix.so try_first_pass nullok md5 shadow
    password required pam_deny.so

    session required pam_limits.so
    # keyring, session stage: auto_start launches gnome-keyring when the session opens
    session optional pam_gnome_keyring.so auto_start
    session required pam_unix.so

There are a few things to keep in mind though :

  1. Always keep an open root shell when doing pam modifications. Better safe than sorry.
  2. Don't try it on pam 0.78, it should work but it needs more tweaking and I'm not entirely sure about it. Flameeyes is pushing for pam 0.99 to hit stable on most arches anyway. Things should move quickly.
  3. Your keyring password must be the same as your pam password. If they are not the same, you need to delete your keyring inside ~/.gnome2/keyrings.
  4. Once the passwords are the same, gnome-keyring will keep the two passwords in sync provided you use passwd to modify your password. If root does it for you, it won't work.
  5. Using this configuration file as-is will launch gnome-keyring for every pam service that includes system-auth. If you run other services on your machine, I'd recommend putting the same pam commands inside gdm and gnome-screensaver. Just make sure to put them before the include statements in those two files.
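A check for point 5, as an added example that is not part of the original post: the function below lists which services in a PAM directory end up running pam_gnome_keyring.so, either directly or through an include of a file that has it. The names keyring_services and demo_tree and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the PAM services that end up running pam_gnome_keyring.so,
# either directly or through an "include"/"substack" of a file that does.
keyring_services() {
    dir=$1
    # Services that name the module on a non-comment line.
    hits=$(cd "$dir" && grep -lE '^[^#]*pam_gnome_keyring\.so' -- * 2>/dev/null | sort)
    while :; do
        new=$hits
        for f in "$dir"/*; do
            for h in $hits; do
                # Matches lines such as "auth include system-auth".
                if grep -Eq "^[[:space:]]*-?[a-z]+[[:space:]]+(include|substack)[[:space:]]+$h([[:space:]]|\$)" "$f"; then
                    new=$(printf '%s\n%s\n' "$new" "${f##*/}")
                fi
            done
        done
        new=$(printf '%s\n' "$new" | sed '/^$/d' | sort -u)
        if [ "$new" = "$hits" ]; then break; fi   # fixed point: nothing new pulled in
        hits=$new
    done
    if [ -n "$hits" ]; then printf '%s\n' "$hits"; fi
}

# Constructed sample tree (not a real Gentoo /etc/pam.d): system-auth carries
# the keyring module, gdm and sshd include it, su does not.
demo_tree() {
    d=$(mktemp -d)
    printf '%s\n' 'auth optional pam_gnome_keyring.so' \
                  'session optional pam_gnome_keyring.so auto_start' > "$d/system-auth"
    printf '%s\n' 'auth include system-auth' 'session include system-auth' > "$d/gdm"
    printf '%s\n' 'auth include system-auth' > "$d/sshd"
    printf '%s\n' '# auth optional pam_gnome_keyring.so' 'auth required pam_deny.so' > "$d/su"
    echo "$d"
}

tree=$(demo_tree)
keyring_services "$tree"    # on a real system: keyring_services /etc/pam.d
rm -rf "$tree"
```

After moving the keyring lines out of system-auth and into gdm and gnome-screensaver, running it again should list only those two services.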

I'd like to thank Flameeyes for his help, Tester and wltjr for testing things out with me yesterday when I was hitting a roadblock trying to figure out how it all works :) So thanks to the three of you.

Other than that, enjoy ;)

Update : check out the blog comment from welp, there's some good additional info :)

17 October, 2007

23:27 UTC, by Rémi CARDONA
Categories: Gentoo, Gnome

Gnome 2.20 is out of p.mask

It's 1:20am in my timezone, I just pulled out Gnome 2.20 from package.mask, which is great because both Fedora and Ubuntu still haven't been released (that was my personal goal for this release).

I'm tired, I probably messed a few things up, so don't hesitate to open bugs in bugzilla :)

NB: do not try to mix and match Gnome 2.20 if you're not running an unstable system. Such bugs will be closed.

Enjoy!

11 October, 2007

10:00 UTC, by Rémi CARDONA
Categories: Gentoo

How to make Gentoo's CVS access suck less ...

This post started out as a major rant against CVS and how it sucks to be using it from Europe and how all those round trips in the protocol make even just bumping a single ebuild a tedious task that I have never been able to do in under 4~5 minutes.

But no! I shall not lower myself to this level and instead write a praise for the OpenSSH folks who through their l33t coding skills give us the opportunity to improve CVS for free :D

The problem : the CVS protocol sucks because for each file/directory you want to update, CVS will open a new SSH connection to send its command. The SSH protocol does not really help with that since creating a new connection brings a lot of overhead.

The solution : use the OpenSSH ControlMaster option to tell it to use a single connection that stays open (somewhat like Keep-alive in HTTP) and that will be used to create new "sub-connections" that are much cheaper.

"How?" you ask me. Well, here's how.

  1. Add this to your ~/.ssh/config

    Host *
        ControlMaster auto
        ControlPath ~/.ssh/master-%r@%h:%p

  2. After running ssh-agent, run the following command :

    ssh -M -N -f login@cvs.gentoo.org

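  3. Enjoy a 3x speed-up like I did! For those that doubt it, here's how I measured :

    cd gentoo-x86/profiles
    # walk the tree once so both runs start with a warm filesystem cache
    find &> /dev/null
    # baseline: a new SSH connection for each CVS command
    time cvs up -dP
    # open the shared master connection in the background
    ssh -M -N -f login@cvs.gentoo.org
    # same update, now reusing the master connection
    time cvs up -dP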
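The ssh_config manual recommends that a ControlPath used for opportunistic sharing include %h, %p and %r (or %C) and sit in a directory other users cannot write to. The added example below (not from the original post) checks a config file for that and also flags sharing enabled under a wildcard Host, where scoping the block to cvs.gentoo.org would be narrower. The function name audit_mux and the host build.example.org are made up for the sample.

```shell
#!/bin/sh
# Added example: flag connection-sharing settings in an ssh_config file.
# Prints "<Host pattern>: <finding>" lines; prints nothing when all is well.
audit_mux() {
    awk '
    function report() {
        if (tolower(master) ~ /^(yes|auto|ask|autoask)$/ && path != "") {
            if (host ~ /[*?]/)
                print host ": sharing enabled for a wildcard Host pattern"
            if (path !~ /%C/ && !(path ~ /%h/ && path ~ /%p/ && path ~ /%r/))
                print host ": ControlPath lacks %h, %p and %r (or %C)"
            if (path !~ /^~\/\.ssh\//)
                print host ": ControlPath is not under ~/.ssh"
        }
        master = ""; path = ""
    }
    BEGIN { host = "(global)" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        match(line, /[ \t=]+/)             # "Key value" or "Key=value"
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH); sub(/[ \t]+$/, "", val)
        if (key == "host" || key == "match") { report(); host = val }
        else if (key == "controlmaster") master = val
        else if (key == "controlpath") path = val
    }
    END { report() }
    ' "$1"
}

# Constructed sample: a made-up entry with a shared /tmp socket, followed by
# the block from step 1.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Host build.example.org
    ControlMaster auto
    ControlPath /tmp/mux

Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
EOF
audit_mux "$cfg"    # on a real system: audit_mux ~/.ssh/config
rm -f "$cfg"
```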

I'd like to give a big "Thank You" to Robin who suggested I try those steps and helped me set them up. Here's to hoping it helps other fellow devs ;)
