A few scripts and configuration files that improve the security and user
experience of Gnome Keyring and fingerprint authentication on laptops.

The problems
============
1. Gnome keyring and ssh-agent do not secure their password/key storage before
hibernation. This is insecure: hibernation writes the whole memory image to disk,
so the unencrypted keys end up in the swap partition.

2. If fingerprint authentication is performed with libfprint, the user is sometimes
required to authenticate twice: first with the fingerprint to unlock the screen,
and then anyway with the password to unlock the keyring.


The solutions
=============
The configuration and description are for Ubuntu 12.04, but with minor adjustments
they may be applied to any other distribution.

1. You need the fprint PAM module patched with 'pam_fprint-ds.patch'. The patch
adds checks that detect remote users and skip the fingerprint step for them
(falling through to the password modules, since a remote user cannot reach the
reader). In addition, further checks may be delegated to an external script
specified as a parameter to the PAM module; if the script says no, the
fingerprint step is skipped the same way.

2. For security reasons, the keyring should be locked before hibernation. If the
laptop is stolen, it would otherwise be possible to extract the keys from the
memory image stored in the swap partition. Note that mlock()ed memory (which the
keyring daemon and ssh-agent use to stay out of swap) does not help here: the
hibernation image contains every page of RAM, locked or not. Locking before
hibernation limits the exposure; an encrypted swap partition protects the image
itself and is the stronger measure where available. The stock Ubuntu
configuration does neither. Here are a few scripts that implement the locking:
 a) '01_lock_everything' should be placed into /etc/pm/sleep.d. pm-utils runs it
 on every power event; on the hibernate event (suspend may be treated the same
 way, since a suspended laptop still holds the keys in powered RAM) it calls
 'lock-keyrings.sh' from the 'scripts' directory to lock all unlocked keyrings.
 The 'scripts' directory should be copied to '/etc/scripts' beforehand.
 b) Locking only the keyring is not enough. ssh-agent caches the decrypted SSH
 keys itself, so even with the keyring locked the cached keys stay in memory and
 are ready to use upon resume. For this reason, 'lock-keyrings.sh' also
 instructs ssh-agent to drop its cache.
 c) There is an oddity in how key passwords are handled for ssh and gpg. If the
 Gnome keyring is locked, the password is requested when ssh or gpg accesses a
 key. However, the keyring as a whole remains locked and only the specific key
 that was accessed is unlocked, so every further key costs another prompt. To
 avoid multiple password prompts, it makes sense to unlock the keyring
 immediately after wake-up. The easiest way to achieve this is to lock the
 screen before going into hibernation: the first thing the user does after
 resume is then to type the password into the screensaver dialog, whose PAM
 stack (pam_gnome_keyring) unlocks the whole keyring at once. Therefore
 'gnome-screensaver-command --lock' is included in 'lock-keyrings.sh' as well.


3. There is one difficulty. The keyring is locked over D-Bus, so the process
running in the 'root' context needs to know the D-Bus session bus address of
every logged-in user. I don't know how this information can be extracted at
run time. For this reason, the X initialization code is modified to write the
session information into temporary files accessible to the root user only.
The 'save-dbus-info.sh' script does this. It should be called somewhere during
X initialization after dbus-launch has started the session bus. In Ubuntu there
is '75dbus_dbus-launch' in /etc/X11/Xsession.d; it may be modified to run
/etc/scripts/save-dbus-info.sh before continuing with X initialization. Note
that in this form dbus-launch executes save-dbus-info.sh with the remainder of
$STARTUP as its arguments, so the script has to exec those arguments once it
has recorded the bus address, otherwise the session never starts.
    STARTUP="$DBUSLAUNCH --exit-with-session /etc/scripts/save-dbus-info.sh $STARTUP"
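
The hibernate hook and keyring locker of items 2 and 3 above, written out as an
added illustration. This is my example, not the project's 01_lock_everything,
lock-keyrings.sh or save-dbus-info.sh, whose contents are not shown on this page.
It assumes a session-file format of my own: one KEY=VALUE file per login,
$SESSION_DIR/<user>.session, written by that user's X session and holding USER,
DBUS_SESSION_BUS_ADDRESS and, if the agent was already running when the file was
written, SSH_AUTH_SOCK. The locking itself uses the Secret Service D-Bus API that
gnome-keyring implements (Properties.Get on Collections, then Service.Lock),
ssh-add -D, and gnome-screensaver-command --lock, all executed as the session's
own user. SESSION_DIR, SESSION_VARS and LOCK_ON_SUSPEND are names I introduced.

```shell
#!/bin/sh
# Added illustration of the hibernate hook (stands in for 01_lock_everything +
# lock-keyrings.sh; not the project's code). Expects one file per login session,
# $SESSION_DIR/<user>.session, written by that user's X session in KEY=VALUE
# form (format assumed here, not the project's), e.g.:
#   USER=alice
#   DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-abc123,guid=...
#   SSH_AUTH_SOCK=/tmp/keyring-abc123/ssh     (only if the agent was already up)
SESSION_DIR="${SESSION_DIR:-/tmp/dbus-sessions}"
LOCK_ON_SUSPEND="${LOCK_ON_SUSPEND:-yes}"   # RAM stays powered on suspend: cold-boot/DMA risk
SESSION_VARS="DBUS_SESSION_BUS_ADDRESS SSH_AUTH_SOCK DISPLAY"   # the only keys copied into the env

# pm-utils calls sleep.d hooks with hibernate|suspend|resume|thaw; 0 means "lock now".
should_lock() {
    case "$1" in
        hibernate) return 0 ;;
        suspend)   [ "$LOCK_ON_SUSPEND" = yes ] ;;
        *)         return 1 ;;
    esac
}

# Print "user VAR=value ..." for one session file, or fail. The file is never
# sourced (as root that would be code execution); only whitelisted keys are
# copied, and a file not owned by the user it names is ignored, so another
# local user cannot plant a record for root to act on. GNU stat assumed.
read_session() {
    u= out=
    while IFS='=' read -r key value; do
        case " $SESSION_VARS " in *" $key "*) out="$out $key=$value" ;; esac
        if [ "$key" = USER ]; then u=$value; fi
    done < "$1"
    [ -n "$u" ] || return 1
    case "$out" in *" DBUS_SESSION_BUS_ADDRESS="*) ;; *) return 1 ;; esac
    [ "$(stat -c %U "$1")" = "$u" ] || return 1
    printf '%s%s\n' "$u" "$out"
}

# Run a command as the user with the recorded variables. su drops privileges
# before anything taken from the session file is used. $2 is split on purpose.
in_session() {
    u="$1" vars="$2"; shift 2
    su -s /bin/sh -c 'exec env "$@"' "$u" sh $vars "$@"
}

# Object paths from a dbus-send --print-reply dump of the Secret Service
# "Collections" property, one per line; then joined into dbus-send array syntax.
collection_paths() { sed -n 's/^[[:space:]]*object path "\([^"]*\)".*/\1/p'; }
join_commas()      { paste -s -d , -; }

# Lock one session. Locking the keyring alone is not enough: ssh-agent caches
# decrypted keys itself, so flush it first. The screen lock makes the first
# post-resume action a password prompt, which re-unlocks the whole keyring once
# instead of one key per prompt.
lock_user_secrets() {   # $1 = user, $2 = "VAR=value ..." as printed by read_session
    in_session "$1" "$2" ssh-add -D
    paths=$(in_session "$1" "$2" dbus-send --session --print-reply \
                --dest=org.freedesktop.secrets /org/freedesktop/secrets \
                org.freedesktop.DBus.Properties.Get \
                string:org.freedesktop.Secret.Service string:Collections \
            | collection_paths | join_commas)
    if [ -n "$paths" ]; then
        in_session "$1" "$2" dbus-send --session --print-reply \
            --dest=org.freedesktop.secrets /org/freedesktop/secrets \
            org.freedesktop.Secret.Service.Lock "array:objpath:$paths"
    fi
    in_session "$1" "$2" gnome-screensaver-command --lock
}

lock_all_sessions() {
    for f in "$SESSION_DIR"/*.session; do
        [ -f "$f" ] || continue
        line=$(read_session "$f") || continue
        lock_user_secrets "${line%% *}" "${line#* }"
    done
}

case "${1-}" in
    hibernate|suspend) if should_lock "$1"; then lock_all_sessions; fi ;;
esac
```

Installed as /etc/pm/sleep.d/01_lock_everything this runs as root from pm-utils;
everything that touches the user's bus or agent is executed through su, so a
tampered session file can at worst make root run a harmless command as that
user. If keeping session files is undesirable, root can instead read
DBUS_SESSION_BUS_ADDRESS and SSH_AUTH_SOCK from /proc/<pid>/environ of each
user's session process; the same whitelist and ownership discipline applies.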

4. Now the PAM authentication. We need two versions of the common authentication
stack: one with fingerprint authentication and one without. Copy "common-auth"
to "common-auth-with-password" (this copy stays password-only) and add the
pam_fprint module at the beginning of "common-auth":
    auth	[success=2 default=ignore]	pam_fprint.so finger=7
(7 is the right index finger; libfprint numbers the fingers 1 to 5 for the left
hand and 6 to 10 for the right hand, thumb to little finger in each case.)
The jump count is positional: success=2 skips the next two modules of Ubuntu's
common-auth (pam_unix and pam_deny) and lands on pam_permit, so a successful
fingerprint is accepted without a password. If your common-auth has a different
layout, adjust the number accordingly.
 a) The lightdm/gdm login should ask for the password in order to unlock the
 keyring. Therefore the 'common-auth' include in the corresponding PAM configs
 needs to be replaced with 'common-auth-with-password'.
 b) gnome-screensaver should be fine with fingerprint authentication in most
 cases. However, after wake-up we need to unlock the keyring anyway, so password
 authentication is preferable then. For this reason there is a script
 'check_keyring.sh' which checks whether the keyring is locked or not. The PAM
 config of 'gnome-screensaver' should start with
    auth	[success=2 default=ignore]	pam_fprint.so finger=7 check=/etc/scripts/check_keyring.sh
 and then use the 'common-auth-with-password' authentication scheme. pam_fprint
 first calls 'check_keyring.sh' and only attempts fingerprint authentication if
 the Gnome keyring is already unlocked; otherwise password authentication is
 used. Since the script is executed from inside PAM authentication, /etc/scripts
 should be owned by root and not writable by other users.
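
The two PAM stacks of item 4, as an added example (my script, not part of the
project): it derives 'common-auth-with-password' and the fingerprint-enabled
'common-auth' from the existing common-auth, rewires lightdm, gdm and
gnome-screensaver, and then checks where the success=2 jump of the pam_fprint
line actually lands once @include lines are expanded. It assumes Ubuntu 12.04's
stack order (pam_unix, pam_deny, pam_permit) and that the services include the
stack with a literal "@include common-auth" line; PAM_DIR, FINGER and CHECK are
variables of my own so the whole thing can be rehearsed in a scratch directory
(./pam-stacks.sh demo) before touching /etc/pam.d.

```shell
#!/bin/sh
# Added example (not the project's files): builds the two PAM stacks described
# above and verifies the success=N jump of the pam_fprint line. Assumes the
# Ubuntu 12.04 layout, where common-auth is pam_unix -> pam_deny -> pam_permit,
# so skipping two modules on a good fingerprint lands on pam_permit.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"
FINGER="${FINGER:-7}"                                # 7 = right index finger
CHECK="${CHECK:-/etc/scripts/check_keyring.sh}"      # consulted by the screensaver stack only

# pam_fprint control line; $1 = finger index, $2 = optional check script.
fprint_line() {
    if [ -n "${2-}" ]; then
        printf 'auth\t[success=2 default=ignore]\tpam_fprint.so finger=%s check=%s\n' "$1" "$2"
    else
        printf 'auth\t[success=2 default=ignore]\tpam_fprint.so finger=%s\n' "$1"
    fi
}

# Replace the "@include common-auth" line of a service file with $2 (awk -v
# expands \n, so $2 may carry several lines). A temp file instead of sed -i
# keeps the function identical on GNU and BSD userlands.
patch_service() {
    tmp=$(mktemp)
    awk -v repl="$2" '$0 == "@include common-auth" { print repl; next } { print }' \
        "$PAM_DIR/$1" > "$tmp" && mv "$tmp" "$PAM_DIR/$1"
}

# common-auth-with-password : verbatim copy of today's common-auth; lightdm/gdm
#                             use it so the login password can unlock the keyring
# common-auth               : fingerprint first, password fallback (all other services)
# gnome-screensaver         : fingerprint only when the check script says the
#                             keyring is already unlocked, then the password stack;
#                             the rest of the file (pam_gnome_keyring.so etc.) is kept
install_stacks() {
    cp "$PAM_DIR/common-auth" "$PAM_DIR/common-auth-with-password"
    { fprint_line "$FINGER"; cat "$PAM_DIR/common-auth-with-password"; } > "$PAM_DIR/common-auth"
    for svc in lightdm gdm; do
        if [ -f "$PAM_DIR/$svc" ]; then patch_service "$svc" '@include common-auth-with-password'; fi
    done
    patch_service gnome-screensaver "$(fprint_line "$FINGER" "$CHECK")\n@include common-auth-with-password"
}

# Auth lines of a service file with @include expanded; comments and the
# account/password/session stacks are dropped (jumps count only the auth stack).
auth_stack() {
    while IFS= read -r line; do
        case "$line" in
            '@include '*) auth_stack "$PAM_DIR/${line#@include }" ;;
            auth*)        printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Module that the pam_fprint success=N jump lands on (N skipped, N+1 executed).
# It must print pam_permit.so: a jump that is too short lands on pam_deny.so
# (every fingerprint rejected); one that is too long is reported as OFF-END.
fprint_jump_target() {
    auth_stack "$PAM_DIR/$1" | awk '
        { mod = ""; for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) mod = $i }
        mod == "pam_fprint.so" && match($0, /success=[0-9]+/) {
            n = substr($0, RSTART + 8, RLENGTH - 8) + 1; next }
        n > 0 { n--; if (n == 0) { print mod; exit } }
        END { if (n > 0) print "OFF-END" }'
}

# Constructed common-auth modelled on Ubuntu 12.04's (compare with yours before trusting N=2).
sample_common_auth() {
    printf 'auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\n'
    printf 'auth\trequisite\t\t\tpam_deny.so\n'
    printf 'auth\trequired\t\t\tpam_permit.so\n'
    printf 'auth\toptional\t\t\tpam_ecryptfs.so unwrap\n'
}

# Dry run against a scratch directory: ./pam-stacks.sh demo
demo() {
    PAM_DIR=$(mktemp -d)
    sample_common_auth > "$PAM_DIR/common-auth"
    printf '@include common-auth\n' > "$PAM_DIR/lightdm"
    printf '#%%PAM-1.0\n@include common-auth\nauth optional pam_gnome_keyring.so\n' > "$PAM_DIR/gnome-screensaver"
    install_stacks
    echo "common-auth jump lands on:       $(fprint_jump_target common-auth)"
    echo "gnome-screensaver jump lands on: $(fprint_jump_target gnome-screensaver)"
}
case "${1-}" in demo) demo ;; esac
```

The jump check is worth keeping around: the number in success=N is positional,
so a distribution update that inserts a module into common-auth silently changes
what a successful fingerprint skips. Re-run fprint_jump_target after any PAM
package upgrade and expect pam_permit.so for both services.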

Applications (supporting Gnome Keyring)
=======================================
1. GPG works out of the box.
2. To integrate SSH, the public keys must be stored alongside the private keys
in the ~/.ssh directory, i.e. for each 'id_dsa' an 'id_dsa.pub' must be present
as well, because the keyring's SSH agent discovers keys through their .pub files.
3. EncFS volumes are supported through gnome-encfs.
4. Empathy and Evolution are supported out of the box.
5. Chromium support is enabled by setting CHROMIUM_FLAGS="--password-store=gnome"
in /etc/chromium-browser/default.
