作为 systemd 服务运行时,是否可以使用 PAM 解锁 gnome 密钥环?
我们的软件使用 Python Keyring 模块来存储凭据,但我在 RHEL/Centos 上使用 SecretService Keyring 后端时遇到问题,因为它要求您将密钥环密码传递给 gnome_keyring_daemon。
从https://pypi.org/project/keyring/:
Install the GNOME Keyring daemon.
Start a D-Bus session, e.g. run dbus-run-session -- sh and run the following commands inside that shell.
Run gnome-keyring-daemon with --unlock option. The description of that option says:
Read a password from stdin, and use it to unlock the login keyring or create it if the login keyring does not exist.
When that command is started, enter your password into stdin and press Ctrl+D (end of data). After that the daemon will fork into background (use --foreground option to prevent that).
Now you can use the SecretService backend of Keyring. Remember to run your application in the same D-Bus session as the daemon.
当作为 systemd 服务运行时,我能够访问 gnome 密钥环(和凭据),如上所述,使用密钥环密码硬编码的脚本,如下所示:
dbus-run-session -- "./unlock-keyring-run.sh"
其中,unlock-keyring-run.sh 如下所示:
echo "Passw0rd" | gnome-keyring-daemon --unlock
run_my_program
我想知道 PAM 是否允许在 systemd 服务启动时解锁 gnome 密钥环,这样我就不必(不安全地)在脚本中传递它。有文档介绍如何在从控制台登录时使用 PAM 解锁密钥环:
https://wiki.gnome.org/Projects/GnomeKeyring/Pam/Manual
我想知道 gnome keyring PAM 指令是否适用于 /etc/pam.d/systemd-user ?