Keyring password changed without me knowing?

For some reason, the keyring is not unlocked when I log in to Gnome, and the password for the keyring has been changed? I can no longer use my login password to unlock the keyring, but I don’t remember changing the keyring password. I also didn’t change my login password, and it has been used since the initial installation of Fedora. Furthermore, I’m the only user of this laptop.

What could be the cause of this?

I ran into something like that a while back. The entries in the keyring have a version number of sorts. I think there was a way to view what version each entry is encoded with, but I’ll have to hunt that down. The result is that a passphrase will not work after the upgrade until it is re-encoded, even if the passphrase has not changed.

1 Like

It looks like it shows under the “Details” section for the entry in the Passwords and Keys app (seahorse). You’ll see something like “gen0” for a password that was set with the older version of the app and, e.g., “gen10” for a password that was stored more recently. Apparently some clients will require that the “generation” version be updated before they will use the password from the keyring.

1 Like

If the passphrase does not work, how do I unlock it in seahorse to check the details?

Sorry, I read too quickly. Your problem is different from mine. However, if you haven’t updated/reset your password in a very long time, I think that could still be the source of the problem. Fedora also deprecates older password hashing algorithms from time to time. You might try running update-crypto-policies --set LEGACY to revert to allowing some slightly older crypto algorithms and then see if you can unlock your keyring. If you can, then you should be able to re-apply the password to your keyring and it should encode the password with a newer algorithm. Then you can run update-crypto-policies --set DEFAULT to disallow the old algorithms again and you should be OK.

More info can be found here: Changes/StrongCryptoSettings2 - Fedora Project Wiki

Also, FYI, more changes are coming soon. See here: Changes/StrongCryptoSettings3 - Fedora Project Wiki

1 Like

That’s not the case for me, it seems. I tried update-crypto-policies --set LEGACY and rebooted, but the keyring still won’t unlock. It also doesn’t make sense since I have just recently reinstalled Fedora when 37 came out, so the keyring file is not that old and shouldn’t be affected by the deprecation of old algorithms.

I found a previous version of the keyring file from a snapper snapshot from a few days ago, and I can unlock it.

I just wonder why it suddenly became undecryptable, and I suspect I might have gotten malware that caused it.

That is weird. About all I could suggest in that case is to keep an eye on the bug reports for gnome-keyring (click on the “changed” column label to get it to sort the newest ones to the top).

Edit: about all I see atm is 2150985 – [abrt] gnome-keyring: _gcry_logv(): gnome-keyring-daemon killed by SIGABRT. It was reported recently against Fedora 37. You might check your system logs for any indication that the gnome-keyring-daemon crashed. That might explain why it isn’t working on login, but I guess it doesn’t explain why you would be able to unlock an older version of the keyring.

1 Like

I hope this is not caused by data corruption due to some file system error.
You can try comparing new and old files:

file ~/.local/share/keyrings/*.keyring
stat ~/.local/share/keyrings/*.keyring

Here is the output from the two commands:

$ sudo file /home/.snapshots/{804,813,824,830,851}/snapshot/user/.local/share/keyrings/login.keyring
/home/.snapshots/804/snapshot/user/.local/share/keyrings/login.keyring: GNOME keyring, major version 0, minor version 0, crypto type 0 (AES), hash type 0 (MD5), name "Login", last modified Tue Oct 18 16:39:50 2022, created Thu Jan  1 00:00:00 1970, not locked if idle, hash iterations 2639, salt 5671152323367239619, 6 item(s)
/home/.snapshots/813/snapshot/user/.local/share/keyrings/login.keyring: GNOME keyring, major version 0, minor version 0, crypto type 0 (AES), hash type 0 (MD5), name "Login", last modified Thu Jan  1 00:00:00 1970, created Tue Oct 18 16:39:50 2022, not locked if idle, hash iterations 2596, salt 11579539427720780673, 6 item(s)
/home/.snapshots/824/snapshot/user/.local/share/keyrings/login.keyring: GNOME keyring, major version 0, minor version 0, crypto type 0 (AES), hash type 0 (MD5), name "Login", last modified Thu Jan  1 00:00:00 1970, created Tue Oct 18 16:39:50 2022, not locked if idle, hash iterations 2596, salt 11579539427720780673, 6 item(s)
/home/.snapshots/830/snapshot/user/.local/share/keyrings/login.keyring: GNOME keyring, major version 0, minor version 0, crypto type 0 (AES), hash type 0 (MD5), name "Login", last modified Thu Jan  1 00:00:00 1970, created Tue Oct 18 16:39:50 2022, not locked if idle, hash iterations 1415, salt 6381053758584472797, 6 item(s)
/home/.snapshots/851/snapshot/user/.local/share/keyrings/login.keyring: GNOME keyring, major version 0, minor version 0, crypto type 0 (AES), hash type 0 (MD5), name "Login", last modified Tue Oct 18 16:39:50 2022, created Thu Jan  1 00:00:00 1970, not locked if idle, hash iterations 1489, salt 10434400876941994071, 6 item(s)

$ sudo stat /home/.snapshots/{804,813,824,830,851}/snapshot/user/.local/share/keyrings/login.keyring
  File: /home/.snapshots/804/snapshot/user/.local/share/keyrings/login.keyring
  Size: 2850            Blocks: 8          IO Block: 4096   regular file
Device: 0,354   Inode: 3776318     Links: 1
Access: (0600/-rw-------)  Uid: ( 1000/ user)   Gid: ( 1000/ user)
Context: unconfined_u:object_r:gkeyringd_gnome_home_t:s0
Access: 2023-01-18 14:30:09.633275723 +0100
Modify: 2023-01-17 17:48:52.945103154 +0100
Change: 2023-01-17 17:48:52.953103150 +0100
 Birth: 2023-01-17 17:48:52.945103154 +0100
  File: /home/.snapshots/813/snapshot/user/.local/share/keyrings/login.keyring
  Size: 2850            Blocks: 8          IO Block: 4096   regular file
Device: 0,355   Inode: 3828468     Links: 1
Access: (0600/-rw-------)  Uid: ( 1000/ user)   Gid: ( 1000/ user)
Context: unconfined_u:object_r:gkeyringd_gnome_home_t:s0
Access: 2023-01-18 20:49:19.868935666 +0100
Modify: 2023-01-18 20:49:19.862935673 +0100
Change: 2023-01-18 20:49:19.867935667 +0100
 Birth: 2023-01-18 20:49:19.862935673 +0100
  File: /home/.snapshots/824/snapshot/user/.local/share/keyrings/login.keyring
  Size: 2850            Blocks: 8          IO Block: 4096   regular file
Device: 0,356   Inode: 3828468     Links: 1
Access: (0600/-rw-------)  Uid: ( 1000/ user)   Gid: ( 1000/ user)
Context: unconfined_u:object_r:gkeyringd_gnome_home_t:s0
Access: 2023-01-20 17:46:55.249820149 +0100
Modify: 2023-01-18 20:49:19.862935673 +0100
Change: 2023-01-18 20:49:19.867935667 +0100
 Birth: 2023-01-18 20:49:19.862935673 +0100
  File: /home/.snapshots/830/snapshot/user/.local/share/keyrings/login.keyring
  Size: 2850            Blocks: 8          IO Block: 4096   regular file
Device: 0,357   Inode: 3881071     Links: 1
Access: (0600/-rw-------)  Uid: ( 1000/ user)   Gid: ( 1000/ user)
Context: unconfined_u:object_r:gkeyringd_gnome_home_t:s0
Access: 2023-01-20 22:39:51.270311205 +0100
Modify: 2023-01-20 22:39:51.263311212 +0100
Change: 2023-01-20 22:39:51.269311206 +0100
 Birth: 2023-01-20 22:39:51.263311212 +0100
  File: /home/.snapshots/851/snapshot/user/.local/share/keyrings/login.keyring
  Size: 2850            Blocks: 8          IO Block: 4096   regular file
Device: 0,358   Inode: 3894902     Links: 1
Access: (0600/-rw-------)  Uid: ( 1000/ user)   Gid: ( 1000/ user)
Context: unconfined_u:object_r:gkeyringd_gnome_home_t:s0
Access: 2023-01-21 18:37:50.128299351 +0100
Modify: 2023-01-21 10:54:32.464383635 +0100
Change: 2023-01-21 18:36:59.485910380 +0100
 Birth: 2023-01-21 10:54:32.464383635 +0100

Keyrings from snapshots 813, 824, and 830 are not decryptable.

From the file output, the corrupted keyrings have their “last modified time” set to the beginning of the Unix epoch, and their “created time” set to a recent time, but the OK keyrings have their times set the other way round.

But the stat output shows different things, maybe it interprets the data differently?

I remember that my laptop once shut down automatically in the middle of the night. I only noticed it in the morning, and when I booted it up, I couldn’t find anything in journalctl that caused the shutdown. That was around the time the keyring file got corrupted. It didn’t occur to me until just now that these two could be related.

1 Like
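The comparison made by hand in the post above can be scripted. This is an added example, not part of the original thread: it parses file(1) output for GNOME keyrings, flags snapshots whose "last modified" field is the Unix epoch (the pattern the poster saw on the undecryptable files), and groups snapshots that share the same salt and iteration count. The function names and the sample-building template are assumptions made for illustration.

```python
import re
from collections import defaultdict

EPOCH = "Thu Jan  1 00:00:00 1970"  # as printed by file(1), note the double space
LINE_RE = re.compile(
    r"^(?P<path>\S+): GNOME keyring, .*?"
    r"last modified (?P<modified>[^,]+), created (?P<created>[^,]+), .*?"
    r"hash iterations (?P<iterations>\d+), salt (?P<salt>\d+), (?P<items>\d+) item")

def parse_file_output(text):
    """Return one dict per 'GNOME keyring' line of file(1) output."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            snap = re.search(r"/\.snapshots/(\d+)/", rec["path"])
            rec["snapshot"] = snap.group(1) if snap else rec["path"]
            records.append(rec)
    return records

def epoch_modified(records):
    """Snapshots whose 'last modified' is the epoch while 'created' is not."""
    return [r["snapshot"] for r in records
            if r["modified"] == EPOCH and r["created"] != EPOCH]

def group_by_write(records):
    """Group snapshots that carry the same salt and iteration count."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["salt"], r["iterations"])].append(r["snapshot"])
    return dict(groups)

# Sample input rebuilt from the values in the file(1) output quoted in the post.
_TEMPLATE = ('/home/.snapshots/{0}/snapshot/user/.local/share/keyrings/login.keyring: '
             'GNOME keyring, major version 0, minor version 0, crypto type 0 (AES), '
             'hash type 0 (MD5), name "Login", last modified {1}, created {2}, '
             'not locked if idle, hash iterations {3}, salt {4}, 6 item(s)')
OCT = "Tue Oct 18 16:39:50 2022"
SAMPLE = "\n".join(_TEMPLATE.format(*row) for row in [
    ("804", OCT, EPOCH, 2639, 5671152323367239619),
    ("813", EPOCH, OCT, 2596, 11579539427720780673),
    ("824", EPOCH, OCT, 2596, 11579539427720780673),
    ("830", EPOCH, OCT, 1415, 6381053758584472797),
    ("851", OCT, EPOCH, 1489, 10434400876941994071)])

if __name__ == "__main__":
    recs = parse_file_output(SAMPLE)
    print("epoch in 'last modified':", epoch_modified(recs))
    print("same salt/iterations:", group_by_write(recs))
```

On the thread's data the flagged set is exactly the three snapshots reported as undecryptable, and 813 and 824 fall into one group, which matches their identical Modify times in the stat output.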