Change login password and sync with KDE wallet, ecryptfs?

Hi, this is my first post here and I hope I chose the right forum and keyword. I have a lot of experience with using and administrating comparatively “raw” Linuxes (Debian and Arch with XFCE), but recently I have started to favour openSUSE Tumbleweed with KDE as the Linux that hopefully I can give to “non-technical” friends. In fact I’m quite enthusiastic about Tumbleweed/KDE. It looks beautiful, updates itself and should not require too much intervention from me – no need for distro upgrades every few years and well-curated “rolling” updates that will rarely break things. At least that’s my current impression. I have very little KDE experience but enjoyed playing with it on the two installations I did so far before giving them away. Of course RustDesk is part of these installations for any further support sessions.

For the second, more “serious” try I set up the end user’s personal account over this weekend and had the “handover” session today. I completed the setup while my pre-set login password was still in place and was going to ask my friend to take ownership by changing the user password as one of the final steps of the meeting. I had decided to use ecryptfs on this laptop – my preference had been full encryption via LUKS but regrettably that didn’t work; the boot password prompt appeared but the keyboard didn’t seem to work at that point. I didn’t take the time to investigate further.

I understand that ecryptfs has its drawbacks and was therefore not surprised that it wasn’t offered by the installer. I saw some online info (outdated perhaps) about ecryptfs setup being possible via YaST but couldn’t find this. So I set up ecryptfs via the ecryptfs-migrate-home command. Since I wanted to let my friend decide about encryption, I only did this during the handover meeting. So just like with LUKS over the weekend, I would not have the time to investigate any encryption problems in depth. I asked my friend to write down and store the key generated by ecryptfs-migrate-home, logged out and back in successfully, then rebooted to see that the encryption would automatically be unlocked, and it worked.

Then when the time came to change the login password, I was of course interested to see if the change would be propagated to ecryptfs. I therefore didn’t use any command line tools but the KDE user settings, hoping that KDE would know about any other components that are unlocked by the login password. That did not work. First I logged out and back in and saw that KDE wallet asked for a password, which I initially ignored. At least ecryptfs looked fine at that point. But when I then rebooted I saw that the password change had not been propagated. There were dozens of error dialogs about files not being writable (in fact they didn’t exist) and when logging in from the command line I could see that the home directory had been replaced by a dummy that helpfully contained a Readme file and a launcher with explanations how I could unlock the encryption (using the previous login password). I did that and then used ecryptfs-rewrap-passphrase to set the passphrase to the new login password. To complete the password change, I then changed the KDE wallet passphrase as well. After this, everything worked as it should even after a reboot. I was now able to hand over the laptop.

My question is: Is there a way to change the login password that will automatically update the password for the KDE wallet, and ideally also rewrap the ecryptfs passphrase?

Thanks for your thoughts.

I don’t have a sure answer, because I have not recently changed my password.

As far as I know, it should depend on the PAM configuration.

Thanks – I didn’t meddle with the PAM configuration and the KDE wallet had been set up without any interference from me (as one would expect).

YaST used cryptconfig package which has been dropped.

KDE user settings is expected to do it. If it does not, it is probably a bug that needs investigation. But that is better asked on KDE forums.

I do not think so.

You forgot to show the working PAM configuration. I am rather curious, because to my best knowledge using PAM here is between impossible and useless.

Hmm … official pam_ecryptfs manual page only lists support for authentication and session. But apparently code includes support for changing password as well, and pam-config (which is the standard tool to manage PAM configuration in openSUSE) also writes password module. So, the following may work

pam-config -a --ecryptfs

after which plain

passwd

as a normal user should also rewrap the mount password, as should any tool that goes via the PAM stack to change the password – again, as this normal user.

The catch is – rewrapping requires the previous login password. When root resets the password for another user, the previous password for this user is not known (which is the whole point of doing it) and eCryptfs is not updated.

But with this PAM configuration going via KDE user settings should both rewrap eCryptfs (via PAM) and update KDE wallet password.

Yes, this seems correct although I have not tested whether it actually works.

The OP is not completely clear as to how the user password was changed.

I became curious, so I setup eCryptfs on a reasonably up-to-date Tumbleweed.

When I go via System Settings - System - Users and request password change I am asked if I want to change wallet password

(screenshot)

But instead of using the password I have just entered I need to provide it again:

(screenshot)

So, it is not really integrated in any sense of this word. Sure, it is better than nothing …

But the worst is - KDE Users module does not authenticate user at all! It will set user password as root, without requesting the current password. Which obviously cannot rewrap eCryptfs mount password.

Installing ecryptfs-utils did add ecryptfs to the PAM stack, so plain

passwd

does update both login password and rewraps eCryptfs mount password.

Additional stumbling block is default password quality rules. KDE Users module goes via superuser and so you can use passwords that are rejected by plain passwd.

Personally I would consider it a bug in KDE being worth bug report.
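The two points made above (that plain passwd rewraps the eCryptfs mount passphrase only when pam_ecryptfs.so is in the PAM password stack, and that a root-side reset such as the KDE Users module cannot rewrap because the old password is unknown) can be checked and repaired with the script below. It is an added example for this thread, not code from the original posts, from ecryptfs-utils or from openSUSE. It assumes the standard ecryptfs-utils layout (~/.ecryptfs/wrapped-passphrase) and tools (ecryptfs-unwrap-passphrase, ecryptfs-rewrap-passphrase, in the stdin form their manual pages describe, where a wrong wrapping passphrase gives a nonzero exit on recent versions), and the PAM file names openSUSE's pam-config and Debian-style systems use; verify both on your installation. Run it as the affected user, while still logged in with the home directory mounted, before logging out or rebooting.

```shell
#!/bin/sh
# Added example (not from the thread, ecryptfs-utils or openSUSE): after a
# login password change on an eCryptfs home, (1) report whether pam_ecryptfs.so
# sits in the PAM "password" stack, (2) verify the wrapped passphrase still
# unwraps with the NEW password, and (3) if not, rewrap it using the OLD one.
# Nothing runs automatically: call ecryptfs_password_check yourself.

# pam_has_ecryptfs_password CONFIG_TEXT
# Return 0 when an uncommented "password ... pam_ecryptfs.so" line exists.
# (An "auth" or "session" entry alone does not make passwd rewrap anything.)
pam_has_ecryptfs_password() {
    printf '%s\n' "$1" \
        | grep -Ev '^[[:space:]]*#' \
        | grep -Eq '^[[:space:]]*password[[:space:]]+.*pam_ecryptfs\.so'
}

# pam_password_file_with_ecryptfs
# Print the first PAM file on this host whose password stack has pam_ecryptfs.so.
# File names are assumptions: openSUSE's pam-config writes common-password-pc,
# Debian-style systems use common-password. Return 1 if none matches.
pam_password_file_with_ecryptfs() {
    for f in /etc/pam.d/common-password-pc /etc/pam.d/common-password; do
        [ -r "$f" ] || continue
        if pam_has_ecryptfs_password "$(cat "$f")"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# wrapped_passphrase_unwraps PASSWORD [FILE]
# Return 0 when FILE (default ~/.ecryptfs/wrapped-passphrase) unwraps with
# PASSWORD, 2 when FILE is missing. The mount passphrase is never printed.
wrapped_passphrase_unwraps() {
    wp_file=${2:-"$HOME/.ecryptfs/wrapped-passphrase"}
    [ -r "$wp_file" ] || return 2
    printf '%s' "$1" | ecryptfs-unwrap-passphrase "$wp_file" - >/dev/null 2>&1
}

# rewrap_passphrase OLD_PASSWORD NEW_PASSWORD [FILE]
# The same operation the PAM password module performs during passwd; this is
# why a root-side reset (KDE Users module, "passwd user" as root) cannot do
# it: the OLD wrapping password is not known to root.
rewrap_passphrase() {
    wp_file=${3:-"$HOME/.ecryptfs/wrapped-passphrase"}
    printf '%s\n%s' "$1" "$2" | ecryptfs-rewrap-passphrase "$wp_file" -
}

# read_secret PROMPT: print the typed line without echoing it to the terminal
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo; read -r secret; stty echo; printf '\n' >&2
    printf '%s' "$secret"
}

# ecryptfs_password_check: interactive driver for the three steps above
ecryptfs_password_check() {
    if pamf=$(pam_password_file_with_ecryptfs); then
        echo "pam_ecryptfs.so is in the password stack of $pamf: plain passwd should rewrap."
    else
        echo "pam_ecryptfs.so is NOT in any PAM password stack; try: sudo pam-config -a --ecryptfs"
    fi
    new=$(read_secret "New login password")
    if wrapped_passphrase_unwraps "$new"; then
        echo "OK: wrapped passphrase unwraps with the new password; safe to reboot."
        return 0
    fi
    echo "Wrapped passphrase does NOT unwrap with the new password (expected after a root-side reset)."
    old=$(read_secret "Old login password (needed for the rewrap)")
    if rewrap_passphrase "$old" "$new" && wrapped_passphrase_unwraps "$new"; then
        echo "Rewrapped; the home directory will unlock with the new password at next login."
    else
        echo "Rewrap failed: wrong old password or missing wrapped-passphrase file." >&2
        return 1
    fi
}
```

If the check reports that the wrapped passphrase already unwraps with the new password, the password change went through the PAM stack and nothing else is needed; if it does not, the rewrap needs the old password, which is exactly the information a root-side reset throws away. The KDE wallet is a separate secret store and still has to be changed in its own settings.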

Sorry if this wasn’t clear enough: I did make the password change in the way described by @arvidjaar – I wanted to use the most “integrated” way possible to maximise the chance that the change would be propagated. That included being logged in and hopefully able to use the currently active decrypted state, and I thought that this would not be the situation when coming from a root process. I saw no prompt for changing the KDE wallet password. Between starting this thread and now I have had no other installation of Tumbleweed/KDE to play with, but in the next few weeks I hope I will. (I already have the laptop I want to use for this and give away after my experiments, I just hope that it being very old hardware won’t prevent the installation.)