hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

Issue with secrets storage on Ubuntu #697

Closed saiyam1814 closed 3 years ago

saiyam1814 commented 3 years ago

@jefferai Taking the conversation here with the Katakoda issue as well. I am in the process of writing a blog on neat installation steps for Ubuntu/CentOS. There are a few things that do not seem to work, and if I can get them resolved then we can have a neat install step which can be helpful for others in the community as well, I believe.

I am planning to cover 3 environments: a bare CentOS 7 VM, an Ubuntu 18.04 VM and the Katakoda Ubuntu playground.

For Ubuntu I have the below errors:

boundary authenticate password -auth-method-id=ampw_1234567890 \
>     -login-name=admin -password=password
Error reading auth token from system credential store: exec: "dbus-launch": executable file not found in $PATH

Authentication information:
  Account ID:      apw_EJK7s6DcCQ
  Auth Method ID:  ampw_1234567890
  Expiration Time: Thu, 22 Oct 2020 10:17:30 BST
  Token:
  at_h1qSNMdB1c_s125wLmVW7LgzNKf1TFeNrFDRUZNcR2qeWkNyjZ7Qd6E2DWGsyPT9KmPKZkxBaQps7JKkbeeoJEwt7xXMyR6YKjEkqbrFWcsCdXm8rYgqjsFJwUYS2WBFbNh2
  User ID:         u_1234567890
Error saving auth token to system credential store: exec: "dbus-launch": executable file not found in $PATH

Installed dbus

apt install dbus-x11
boundary authenticate password -auth-method-id=ampw_1234567890     -login-name=admin -password=password
Error reading auth token from system credential store: The name org.freedesktop.secrets was not provided by any .service files

Authentication information:
  Account ID:      apw_EJK7s6DcCQ
  Auth Method ID:  ampw_1234567890
  Expiration Time: Thu, 22 Oct 2020 10:19:18 BST
  Token:
  at_VqoR4tBhxy_s18pG3buSH7fMcBVL1YP14NXipTgeg4Jm9aVd3WXL2WCpUvqs8xnCwnNC7D41zejxUfRYhJPGMvCcp1mbN1q9cPyM5AAJRvakFGQUNLC5ZjiyyoTuic4ZpoQUmu9XXtC2YY2u9BTdJDg8
  User ID:         u_1234567890
Error saving auth token to system credential store: The name org.freedesktop.secrets was not provided by any .service files

Next installed

sudo apt-get install -y gnome-keyring
boundary authenticate password -auth-method-id=ampw_1234567890     -login-name=admin -password=password
Error reading auth token from system credential store: failed to unlock correct collection '/org/freedesktop/secrets/aliases/default'

Authentication information:
  Account ID:      apw_EJK7s6DcCQ
  Auth Method ID:  ampw_1234567890
  Expiration Time: Thu, 22 Oct 2020 10:21:00 BST
  Token:
  at_7y54bPBIDx_s13PefhTbtKamPce8iph3t8HMK85nJWEBh9n2JXCk6oiWQ9K9qusfJDx6TEJPLoGo8GPqbawpLAxtMgk9aS5wyzr3S6qVgMG7S939K93pUXLffE7a5KXdwAc464p42rV2
  User ID:         u_1234567890
Error saving auth token to system credential store: failed to unlock correct collection '/org/freedesktop/secrets/aliases/default'

OK, Katakoda after the documentation steps:

apt install dbus-x11
boundary authenticate password -auth-method-id=ampw_1234567890 \
>     -login-name=admin -password=password
panic: runtime error: slice bounds out of range [237:151]

goroutine 1 [running]:
github.com/godbus/dbus.getSessionBusPlatformAddress(0x17d1fc7, 0x18, 0x0, 0x0)
        /root/go/pkg/mod/github.com/godbus/dbus@v4.1.0+incompatible/conn_other.go:30 +0x295
github.com/godbus/dbus.getSessionBusAddress(0x0, 0x0, 0x0, 0x0)
        /root/go/pkg/mod/github.com/godbus/dbus@v4.1.0+incompatible/conn.go:96 +0xf8
github.com/godbus/dbus.SessionBusPrivate(0x0, 0x40d900, 0xc0003f5c80)
        /root/go/pkg/mod/github.com/godbus/dbus@v4.1.0+incompatible/conn.go:101 +0x25
github.com/godbus/dbus.SessionBus(0x0, 0x0, 0x0)
        /root/go/pkg/mod/github.com/godbus/dbus@v4.1.0+incompatible/conn.go:73 +0xb5
github.com/zalando/go-keyring/secret_service.NewSecretService(0x7, 0x1b, 0x7)
        /root/go/pkg/mod/github.com/zalando/go-keyring@v0.1.0/secret_service/secret_service.go:50 +0x26
github.com/zalando/go-keyring.secretServiceProvider.Get(0x17dc55a, 0x1d, 0x17b78d7, 0x7, 0x0, 0x0, 0x0, 0x0)
        /root/go/pkg/mod/github.com/zalando/go-keyring@v0.1.0/keyring_linux.go:78 +0x59
github.com/zalando/go-keyring.Get(...)
        /root/go/pkg/mod/github.com/zalando/go-keyring@v0.1.0/keyring.go:32
github.com/hashicorp/boundary/internal/cmd/base.(*Command).ReadTokenFromKeyring(0xc0003cb080, 0x17b78d7, 0x7, 0x7)
        /go/internal/cmd/base/base.go:232 +0x77
github.com/hashicorp/boundary/internal/cmd/base.(*Command).Client(0xc0003cb080, 0xc0005dfbe8, 0x2, 0x2, 0x0, 0x0, 0x44aad5)
        /go/internal/cmd/base/base.go:217 +0x389
github.com/hashicorp/boundary/internal/cmd/commands/authenticate.(*PasswordCommand).Run(0xc000501440, 0xc00003a210, 0x3, 0x3, 0xc0000aae40)
        /go/internal/cmd/commands/authenticate/password.go:116 +0x136
github.com/mitchellh/cli.(*CLI).Run(0xc000498640, 0xc000498640, 0xc0000abce0, 0xc0000aada0)
        /root/go/pkg/mod/github.com/mitchellh/cli@v1.1.2/cli.go:262 +0x1cf
github.com/hashicorp/boundary/internal/cmd.RunCustom(0xc00003a1f0, 0x5, 0x5, 0xc0005dfe60, 0xc00007c058)
        /go/internal/cmd/main.go:186 +0x846
github.com/hashicorp/boundary/internal/cmd.Run(...)
        /go/internal/cmd/main.go:92
main.main()
        /go/cmd/boundary/main.go:13 +0xda

jefferai commented 3 years ago

Can you give some more specific steps so I can repro? I've had this work on an Ubuntu 18.04 environment so probably the details matter. I'm guessing you're using a server, not desktop install? Is it on some cloud, started through Vagrant, etc?

Knowing how I can exactly reproduce this would be really great.

malnick commented 3 years ago

Opened PR 698 to address this in the docs - not linking so we don't accidentally close this when we merge that.

saiyam1814 commented 3 years ago

Yes, that is a cloud instance, Ubuntu 18.04. Not a desktop install.

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install boundary
apt install dbus-x11

then

sudo apt-get install -y gnome-keyring

birdiesanders commented 3 years ago

@jefferai Saiyam and I are on the same team with Civo, we are using our IaaS machines to test. Just so you know we are working at this from different angles.

jefferai commented 3 years ago

@birdiesanders Ah gotcha.

@saiyam1814 which cloud? Which image? I could try with the standard 18.04 server install but cloud images are sometimes more stripped down.

birdiesanders commented 3 years ago

@jefferai We are using fairly standard images in our platform. I have also tested on Arch Linux with Plasma, and an Ubuntu VM installed from ISO on my vCenter cluster in my lab; same results on all.

saiyam1814 commented 3 years ago

Civo cloud, Ubuntu 18.04.

CentOS also has the same behaviour.

For Katakoda go here - https://www.katacoda.com/courses/ubuntu/playground - and run:

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install boundary

apt install dbus-x11
boundary authenticate password -auth-method-id=ampw_1234567890 \
>     -login-name=admin -password=password
panic: runtime error: slice bounds out of range [237:151]

jefferai commented 3 years ago

Interesting. I am using Ubuntu 18.04 in WSL2 and installed a few packages and everything worked. Thanks for the link to the playground, let me dig into this.

The panic is coming from the library that handles the keyring integration so once I figure out what's going on I can try to fix the library too

saiyam1814 commented 3 years ago

I can replicate it if you want on a CentOS or Ubuntu box, or give you access to a new machine if you want.

jefferai commented 3 years ago

I'm going to create a VM of stock 18.04.5 server and go from there...if I can't figure out what's going on or repro I'll take you up on that offer. I'm actually surprised Arch with KDE Plasma didn't work as KDE uses dbus secret service...

birdiesanders commented 3 years ago

@jefferai Yeah, I am at a loss there as well, because I have a couple of other applications that use kwallet5 and that implements the service as well, so idk at this point.

jefferai commented 3 years ago

@birdiesanders Are you running from a terminal within KDE? If so, is it a login terminal? Konsole at least does not default to login terminals, so perhaps some env vars or so are missing.

birdiesanders commented 3 years ago

Yeah, yakuake, which is konsole.

birdiesanders commented 3 years ago

I can try setting konsole to use a login shell right quick.

birdiesanders commented 3 years ago

No change, sadly.

jefferai commented 3 years ago

OK...I've got something that works, although I can't (and at the moment don't have time to) verify it works on Plasma on Arch. Would be great if you could verify it at least on Ubuntu.

The second issue you got after installing dbus-x11 is that most desktop managers will create a default keyring on login, but on the CLI, in the absence of a default keyring, you have to manually unlock it in order to create it.

  1. Install gnome-keyring-daemon and dbus-x11
  2. Run gnome-keyring-daemon --unlock. You'll get a blank line waiting for input. Type in a password, hit Enter, then Ctrl-D
  3. Run gnome-keyring-daemon --start

It should now work. You'll have to run the --unlock and --start in each new terminal.

There's a different library that we could switch to that supports secret-service but also supports an encrypted file on disk. The issue there would be the password to decrypt it -- it wouldn't cache since each invocation of the CLI is a new invocation. Potentially you could source it into an env var. I'd be curious if this sounds like a good alternative that you'd use.
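A scripted form of the unlock/start procedure above, added here as an example (it is not code from the Boundary project or from anyone in this thread). It assumes gnome-keyring and dbus-x11 are installed, reads the keyring password from a mode-0600 file instead of the command line, and the function names and the password file path are my own naming:

```shell
#!/bin/sh
# Added example, not the Boundary project's code nor this thread's: a headless
# gnome-keyring setup for a server/cloud shell, following the --unlock then
# --start procedure above. Assumes gnome-keyring and dbus-x11 are installed and
# that the keyring password lives in a mode-0600 file instead of being typed on
# the command line (where it would land in shell history and `ps` output).

# Keep only plain KEY=VALUE lines from the daemon's output before eval'ing it,
# so stray diagnostics (such as the gcrypt FIPS message seen in this thread) or
# anything containing shell metacharacters can never run as shell code.
filter_env_lines() {
    grep -E '^[A-Z_][A-Z0-9_]*=[A-Za-z0-9_./:,=@+-]*$' || true
}

# The secret-service client finds org.freedesktop.secrets through the session
# bus, so start one if this (non-desktop) shell does not already have it.
ensure_session_bus() {
    [ -n "${DBUS_SESSION_BUS_ADDRESS:-}" ] && return 0
    command -v dbus-launch >/dev/null 2>&1 ||
        { echo "dbus-launch not found: install dbus-x11" >&2; return 1; }
    DBUS_SESSION_BUS_ADDRESS=$(dbus-launch | sed -n 's/^DBUS_SESSION_BUS_ADDRESS=//p')
    [ -n "$DBUS_SESSION_BUS_ADDRESS" ] || return 1
    export DBUS_SESSION_BUS_ADDRESS
}

# Unlock (which creates the default collection on first use), then start the
# daemon and export what it prints so child processes such as
# `boundary authenticate` can reach the keyring. Source this file and call:
#   start_keyring_headless ~/.config/boundary-keyring.pw   (hypothetical path)
start_keyring_headless() {
    pwfile="$1"
    [ -n "$pwfile" ] ||
        { echo "usage: start_keyring_headless /path/to/0600-password-file" >&2; return 1; }
    perms=$(stat -c '%a' "$pwfile" 2>/dev/null || stat -f '%Lp' "$pwfile")
    [ "$perms" = "600" ] ||
        { echo "refusing $pwfile: mode $perms, want 600" >&2; return 1; }
    ensure_session_bus || return 1
    eval "$(gnome-keyring-daemon --unlock < "$pwfile" | filter_env_lines)"
    eval "$(gnome-keyring-daemon --start | filter_env_lines)"
    export GNOME_KEYRING_CONTROL SSH_AUTH_SOCK
}
```

Because the daemon's variables are exported into the sourcing shell, `boundary authenticate` run afterwards in that same shell reaches the unlocked collection; as noted above, each new terminal needs the unlock/start again.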

malnick commented 3 years ago

@birdiesanders We added the above to our getting started documentation as well: https://www.boundaryproject.io/docs/getting-started/run-and-login#login-to-boundary

Let us know if this is a working fix for you, thanks!

RaspberryTech01 commented 3 years ago

I am having the same issue with Ubuntu 20.04 minimal. I have installed dbus-x11 but not sure how to install gnome-keyring-daemon.

Error saving auth token to system credential store: The name org.freedesktop.secrets was not provided by any .service files

tcassaert commented 3 years ago

I am having the same issue with Ubuntu 20.04 minimal. I have installed dbus-x11 but not sure how to install gnome-keyring-daemon.

@RaspberryTech01 The gnome-keyring-daemon is provided by the gnome-keyring package.

twmcelroy commented 3 years ago

I am on Oracle Linux 7 and having similar issues. I was getting the org.freedesktop.secrets error. Then I run the gnome-keyring-daemon and that clears up the errors but it looks like my token is then authenticated and expires at the same time.

[opc@vmx-11x-hubjmp-01 ~]$ eval "$(printf 'foobar\n' | gnome-keyring-daemon --unlock)"
gcrypt-Message: 23:21:51.935: out of core handler ignored in FIPS mode

[opc@vmx-11x-hubjmp-01 ~]$ eval "$(printf 'foobar\n' | gnome-keyring-daemon --start)"
gcrypt-Message: 23:21:55.867: out of core handler ignored in FIPS mode

[opc@vmx-11x-hubjmp-01 ~]$ boundary authenticate password -auth-method-id=ampw_1234567890 -login-name=admin -password=password

Authentication information:
  Account ID:      apw_lJtXMwqwRb
  Auth Method ID:  ampw_1234567890
  Expiration Time: Sun, 25 Oct 2020 23:21:58 GMT
  Token:           xxx
  User ID:         u_1234567890

[opc@vmx-11x-hubjmp-01 ~]$ boundary targets read -id ttcp_1234567890
Error reading auth token from system credential store: Failed to activate service 'org.freedesktop.secrets': timed out
Error from controller when performing read on target:
Error information:
  Code:    Unauthenticated
  Message: Unauthenticated, or invalid token.
  Status:  401

jefferai commented 3 years ago

Hi there,

In #731 I've added support for using pass (https://www.passwordstore.org/) and made it the default on Linux. This is headless and uses GPG. You can still turn it off (including more or less permanently via env var) but I think pass strikes a nice balance of usability (GPG is widely available, not hard to set up, has caching) such that having it be the default does not place nearly as much of a burden on users as a secret-service implementation (which is still available for those that want it).

vaygr commented 1 year ago

@jefferai I'm curious how hard it'd be to add plain gpg backend. Similar to what https://github.com/joemiller/vault-gpg-token-helper does for Vault.