[KDE] No wallet auto-login

Plasma 5 supports auto-login (via PAM I guess?) into the wallet for quite a while now, however it doesn’t work here in my install.

How do I enable it in tumbleweed?

PS:
Some blog post I found:
http://martys.typepad.com/blog/2015/07/kwallet5-can-be-auto-unlocked-during-login-again.html

Notice that these are old and everything is upstreamed by now.

I do not really understand your question, and others may not either.

If you mean that you cannot login to a Plasma5 session without a password; I think that you may need to choose another Desktop Manager than sddm – try kdm or lightdm
YaST → System /etc/sysconfig Editor → Desktop → Display manager → DISPLAYMANAGER

If you mean a passwordless login to KWallet then you can set the password to be blank (empty).

Then you may mean something else entirely.

I have set the kwallet password to the same as my login password.
This way plasma will “AUTOMAGICAL” unlock your wallet on login.

I know that KDE supports it and I experience it in other distributions (e.g Chakra).

It was at least mentioned in a release log / blog of plasma (which I still need to find), but you if you look at the blogs above you should get the gist of it.

It’s not about pw-less (which is unsafe), but about auto-login, ie convenience to enter your password twice.

You did not mention whether you ha installed “pam_kwallet” and “socat”, which re referenced in yor blog links. they are in the Tumbleweed repository and yan be installed with YaST Software Manager.

OK, did a quick read through the links provided, followed by a

zypper se kwallet

, which returns

--+----------------------------+------------------------------------------------+-------  | kwallet-devel              | Safe desktop-wide storage for passwords        | pakket
  | kwallet-devel-32bit        | Safe desktop-wide storage for passwords        | pakket
i | kwallet-tools              | Safe desktop-wide storage for passwords        | pakket
i | kwallet-tools-lang         | Safe desktop-wide storage for passwords        | pakket
i | kwalletd5                  | Safe desktop-wide storage for passwords        | pakket
i | kwalletd5-lang             | Languages for package kwallet                  | pakket
  | kwalletmanager             | Portefeuillebeheer                             | pakket
i | kwalletmanager5            | Portefeuillebeheer                             | pakket
i | libkwalletbackend5-5       | Safe desktop-wide storage for passwords        | pakket
  | libkwalletbackend5-5-32bit | Safe desktop-wide storage for passwords        | pakket
  | libsvn_auth_kwallet-1-0    | KWallet support for Subversion                 | pakket
**  | pam_kwallet                | A PAM Module for kwallet signing               | pakket**
  | qupzilla-kwallet           | Kwallet plugin for QupZilla                    | pakket
  | qupzilla-kwallet-debuginfo | Debug information for package qupzilla-kwallet | pakket
  | signon-kwallet-extension   | KWallet integration for signon framework       | pakket

AFAICS the pam_kwallet package needs to be installed. I’ll install it and see what happens. Didn’t know this was even available, am not too impressed re. security, but hey, it’s better than passwordless

Ok, I installed now pam_kwallet (which pulled in socat).

I noticed in Yast, that “gnome-keyring-pam” was already installed - in contrary to pam_kwallet. IMHO pam_kwallet should be a default dependency for plasma 5. How / Where can I report this?

Description of pam_kwallet:

pam_kwallet - A PAM Module for kwallet signing
This PAM module allows you to automatically open your kwallet when signing into your account.

Anyway unfortunately this didn’t fix it yet for me, still asking for pwd.

I guess the problem is that I created the wallet before I installed pam_kwallet…
Any clues how to fix it?

pam-wallet may be considered a security leak so I doubt it will be installed by default.

But what about “gnome-keyring-pam”? Seems to me like applying double standards.

I tried a couple of the options from the link by Luca Beltrame ( KDE and openSUSE developper and packager BTW ), but none of them brought a working situation, I think though, it needs to be triggered somewhere,

Any chance to ping Luca Beltrame? I guess he has an account here (couldn’t find it tho)…

I think you need the kwallet password to be the same as your login password.

However, that said, I never did get it working.

I haven’t actually tried with opensuse. But a while ago, I installed Mint based on Ubuntu 14.04 (if I remember correctly). And that did not have pam-kwallet support. But that support was added in a major update a month or two later. I could never get it to work. But it worked fine with kubuntu 14.04.

Personally, I’m happy with GPG encryption for kwallet, so I’m not planning to further investigate this.

Thats the first thing I did (upon creation).

It does work in Chakra OOB and I guess there are more working distributions.

What does this mean, you enter GPG key by hand after every login / wallet access?

ArchWiki has an article about Kwallet where the usage of the pam module is explained as well:

https://wiki.archlinux.org/index.php?title=KDE_Wallet

Keep in mind that it was written for Arch Linux and not for openSUSE, so you should pay attention to the possible differences between those systems.

Did that. My /etc/pam.d/sddm looks like this

knurphtlaptop:/etc/pam.d> cat sddm#%PAM-1.0
auth     include        common-auth
-auth     optional        pam_kwallet5.so kdehome=.config
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
-session  optional        pam_kwallet5.so

, yet I’m asked for the kwallet password to unlock the wallet.

I enter the passphrase for my GPG key after each login. Since “gpg-agent” is running, it remembers the key so the wallet can then use it without my having to re-enter, until I logout (or until the gpg-agent retention period ends – you can configure how long that is).

I’m not particularly bothered by having to enter the passphrase once per login. Otherwise, I would use it so rarely that I would forget it.

My /etc/pam.d/ directory contains also sddm-autologin and sddm-greeter; I’ve not experimented with these but maybe they must be edited too.

I doubt it.
The latter one only affects sddm’s greeter obviously, the former one is related to autologin (so it may help if you have autologin enabled and are using sddm, I’m not sure).

Never tried this myself (my kwallet password is empty anyway), but gnome-keyring.so is being added to common-auth, common-password and common-session (if gnome-keyring-pam is installed).
Maybe adding similar lines to these files with pam_kwallet.so instead of pam_gnome_keyring.so (and omitting the only_if part) would help?

I.e.:
add to common-auth:

auth     optional        pam_kwallet5.so

add to common-password:

password     optional        pam_kwallet5.so

add to common-session:

session       optional        pam_kwallet5.so   auto_start

That’s what I would try at least. (not all of them may be necessary though, and maybe also try to omit the “auto_start” in the last one)

But be aware: messing up the PAM config may prevent you from logging in at all.

PS: on second thought, better edit the corresponding xxx-pc files, otherwise pam-config will not automatically update the config any more.

This works for me and had to disable auto-login from default Tumbleweed installation.

cat /etc/pam.d/sddm:

#%PAM-1.0
auth     include        common-auth
-auth     optional       pam_kwallet5.so
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
-session  optional       pam_kwallet5.so

If using Auto-Login, the same change in /etc/pam.d/sddm-autologin should work.

Btw, to all others: I remember now that we actually use /etc/pam.d/xdm for sddm as well in openSUSE IIANM, so if changing /etc/pam.d/sddm doesn’t help, try changing /etc/pam.d/xdm instead.