Create “Default keyring” from command line on CentOS 7

centos7 gnome google-chrome

I have a CentOS 7.4 machine that I need to start in kiosk mode. There is a touch screen attached to that machine and on boot, google chrome must start in full screen and load a certain web page.

What I did so far was the following:

  • installed google chrome 70.x (yum install google-chrome-stable)
  • created a 'kiosk' user without a password
  • I set up the kiosk user to autologin
  • created the following file: /home/kiosk/.config/autostart/chrome-kiosk.desktop which contains (among several lines) the following line:

    Exec=/usr/bin/google-chrome-stable --incognito --kiosk --disable-web-security --user-data-dir=/home/kiosk/Documents/kiosk/tmp/ --test-type file:///home/kiosk/Documents/kiosk/offline.html

When the computer starts, the kiosk user automatically logs in and chrome starts in full screen, loading the offline.html page as I specified in the above config file.

So far so good. But the problem is that on first load (after setting the kiosk user to autologin) the system tells me that 'an application wants to create a new keyring called "Default keyring"'. Then it prompts the user to enter a keyring password.

I got rid of that by following the steps described here: http://ask.xmodulo.com/disable-entering-password-unlock-default-keyring.html. Actually I instructed the user of the machine to perform the steps described there, as I only have ssh access to the machine and I cannot access the graphical interface.

But what I need to do is to find an automated way to get rid of that keyring stuff. I found plenty of links that describe how to solve this issue but all of them require access to the graphical interface, but as I said I only have ssh access.

I have a shell script that installs chrome and other packages, creates the kiosk user, adds the /home/kiosk/.config/autostart/chrome-kiosk.desktop config file, etc. I want to fix the keyring stuff also by command line completely. There are several machines that I will have to run the script on. I don't want to instruct the users to perform the manual steps described in the link above but instead to solve everything from command line.

Is there any way to do that? The security is not an issue as the machines will be some local (offline) machines.

Best Answer

I do this by:

  1. Deploying .desktop files to disable the gnome-keyring services (so: gnome-keyring-pkcs11.desktop, gnome-keyring-secrets.desktop, gnome-keyring-ssh.desktop) to the kiosk user's ~/.config/autostart with the following content:

    [Desktop Entry] 
    Hidden=true
    
  2. Setting 0700 permissions on /usr/bin/gnome-keyring-daemon so it's only executable by root and not loaded via PAM when the kiosk user logs in.

I'm not sure the first step is completely necessary - perhaps if the services weren't disabled you'd just get errors in logs when they try to connect to the keyring daemon; I haven't tried.

I deploy this using Ansible, but a shell script or similar would work just as well.
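
The two steps from the answer above as a shell script, with a check that reports whether a machine is in the expected state. This is an added example, not the answerer's Ansible code; the function names and the `--apply` switch are assumptions, and the paths are the ones given on this page.

```shell
#!/bin/sh
# Added example (not the answerer's code). Function names are hypothetical.
KEYRING_ENTRIES="gnome-keyring-pkcs11 gnome-keyring-secrets gnome-keyring-ssh"

# Step 1: drop Hidden=true overrides into the user's autostart directory.
disable_keyring_autostart() {
    as_dir=$1; as_owner=${2:-}
    mkdir -p "$as_dir" || return 1
    for as_name in $KEYRING_ENTRIES; do
        printf '[Desktop Entry]\nHidden=true\n' > "$as_dir/$as_name.desktop" || return 1
        chmod 0644 "$as_dir/$as_name.desktop" || return 1
    done
    # Hand the files to the kiosk user only when running as root with an owner given.
    if [ -n "$as_owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$as_owner": "$as_dir" || return 1
    fi
    return 0
}

# Step 2: make the daemon executable by its owner (root) only.
restrict_keyring_daemon() {
    if [ ! -f "$1" ]; then
        echo "keyring daemon not found: $1" >&2
        return 1
    fi
    chmod 0700 "$1"
}

# Check: succeeds only if all three overrides exist and the daemon mode is 700.
verify_keyring_disabled() {
    for v_name in $KEYRING_ENTRIES; do
        grep -qx 'Hidden=true' "$1/$v_name.desktop" 2>/dev/null || return 1
    done
    [ "$(stat -c '%a' "$2" 2>/dev/null)" = "700" ]
}

# Apply to the page's kiosk user when called as root with --apply.
if [ "${1:-}" = "--apply" ]; then
    disable_keyring_autostart /home/kiosk/.config/autostart kiosk &&
    restrict_keyring_daemon /usr/bin/gnome-keyring-daemon &&
    verify_keyring_disabled /home/kiosk/.config/autostart /usr/bin/gnome-keyring-daemon &&
    echo "gnome-keyring disabled for kiosk"
fi
```

A gnome-keyring package update restores the packaged file mode on /usr/bin/gnome-keyring-daemon, so run the check again after updates and reapply if it fails.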