Kwallet prompting for password on login

ajgraves · May 3, 2025, 5:58pm

Hi, I’m running Tumbleweed and I’ve noticed that kwallet is prompting for password after login. I went looking to figure out how to automatically unlock kwallet upon login, however from what I can see it should do that automatically, I have no idea why it’s not.

The password is the same for my user account. pam_kwallet6 is installed, and the pam.d files are referencing pam_kwallet5.so as appropriate (I thought it was odd that it seemed to be looking for the pam_kwallet5 module rather than pam_kwallet6 but confirmed that 5.so seems to be what is installed by pam_kwallet6)

[12:51] [me@machine pam.d] $ grep kwallet *
common-auth:auth        optional        pam_kwallet5.so
common-auth-pc:auth     optional        pam_kwallet5.so
common-password:password        optional        pam_kwallet5.so
common-password-pc:password     optional        pam_kwallet5.so
common-session:session  optional        pam_kwallet5.so
common-session-nonlogin:session optional        pam_kwallet5.so
common-session-nonlogin-pc:session      optional        pam_kwallet5.so
common-session-pc:session       optional        pam_kwallet5.so

Based on the document found here it seems as though it should be working, but it’s not. Any ideas for things I can check?

arvidjaar · May 3, 2025, 6:10pm

Are you using autologin?

hcvv · May 3, 2025, 6:14pm

And you probably have left open at shutdown an application that on login automatically started is started and needs Kwallet?

ajgraves · May 3, 2025, 6:44pm

I am not auto logging in my session, I type my password to log in.

ajgraves · May 3, 2025, 6:45pm

I do have an application (Proton Mail Bridge) that starts on startup, that requires the wallet.

hcvv · May 3, 2025, 6:50pm

Then, what is the problem? You put that password in the wallet to protect it from others by a mother password. So why do you wonder t is asking for it when needed? It is only because of the application starting direct after login that it asks direct after login. Else it would have asked later when you would start it (or other applications that have their password there) later.

ajgraves · May 3, 2025, 7:00pm

I’m curious why there would be documentation saying kwallet can be unlocked automatically on login, then? Why would an application that starts on login cause issues with that, if the wallet should be unlocked by the login process? Maybe I am misunderstanding?

arvidjaar · May 3, 2025, 7:14pm

The items listed on the page you mentioned? What display manager are you using?

We have no idea in which directory you were when you run this command. Only the last part is shown. Also, in general the order of entries matter. Password is remembered in auth entry; show this in full.

ajgraves · May 3, 2025, 7:21pm

I referenced the page and stated that based on that, this should be working. I should have been clearer that I have confirmed all of the items listed on that page match my system. So according to that document it should “just work” but it is not working.

Display manager is SDDM.

This is from /etc/pam.d

Can you clarify what you want me to show in full? Which file in /etc/pam.d are you asking about? I will admit that I’m not certain which of the files in /etc/pam.d comes in to play here, however I’m assuming it’s common-auth.

arvidjaar · May 3, 2025, 9:09pm

/etc/pam.d/common-auth-pc

And better show

ls -l /etc/pam.d/common-auth*

ajgraves · May 3, 2025, 9:29pm

lrwxrwxrwx. 1 root root   14 Apr 14 15:19 /etc/pam.d/common-auth -> common-auth-pc
-rw-r--r--. 1 root root 1502 May  2 08:41 /etc/pam.d/common-auth-pc

$ cat common-auth-pc | grep -v ^#
auth    required        pam_env.so
auth    sufficient      pam_fprintd.so
auth    optional        pam_kwallet5.so
auth    required        pam_unix.so     try_first_pass

I used the grep -v line to ignore comments in the file.

arvidjaar · May 4, 2025, 4:49am

Do you use fingerprint scanner?

ajgraves · May 4, 2025, 4:21pm

I do, yes. I’ve noticed something weird about that too—I need to type my password on first login, but after pressing enter, it waits (until a 30 second timeout) for me to touch the fingerprint sensor as well. I haven’t tried to figure that one out yet, because honestly it hasn’t caused me much of an issue, I just need to remember to touch the fingerprint sensor after entering my password on the first login.

arvidjaar · May 4, 2025, 6:19pm

Well, pam_fprintd.so is defined as “sufficient” which means - if you logged in using fingerprint pam_kwallet.so is skipped.

ajgraves · May 4, 2025, 7:09pm

Ok, great, we’re getting somewhere

Now, this is the default config. I have done nothing to change any of this, aside from adding my fingerprint in to KDE settings. What is the best path forward?

Note also that this only in the last few days started happening. I have had this setup for a couple weeks now and it was “working just fine” until recently, so not sure what has changed.

arvidjaar · May 5, 2025, 3:59am

Try commenting out pam_fprintd.so line. Does it change anything?

And show also common-session (this is where kwalletd is started).

dcurtisfra · May 5, 2025, 10:23am

@ajgraves:

This ArchWiki HowTo should also still be OK → <Unlock KDE Wallet automatically on login>

Please note the requirement that, the Wallet has to be Blowfish encrypted and, the password has to be the same as the user’s login password.

Apart from that, pam-kwallet should be just fine but, maybe something changed with KDE Plasma 6 and Qt6 …

dcurtisfra · May 5, 2025, 10:38am

@ajgraves:

And also this – here on Leap 15.6 – with the PAM configuration links removed –

 > rpm --query --whatprovides /etc/pam.d/common-*
pam-1.3.0-150000.6.76.1.x86_64
pam-config-1.1-150600.16.3.1.x86_64
pam-1.3.0-150000.6.76.1.x86_64
pam-config-1.1-150600.16.3.1.x86_64
pam-1.3.0-150000.6.76.1.x86_64
pam-config-1.1-150600.16.3.1.x86_64
pam-1.3.0-150000.6.76.1.x86_64
pam-config-1.1-150600.16.3.1.x86_64
 >

Are you certain that, your system has only the KDE Plasma 6 PAM configuration packages installed?

Does “zypper verify” indicate anything?
Do “zypper packages --unneeded/orphaned/system” indicate anything? (All should indicate no packages needing attention on a well-ordered system.)

ajgraves · May 5, 2025, 1:05pm

Here you go:

#%PAM-1.0
#
# This file is autogenerated by pam-config. All manual
# changes will be overwritten!
#
# The pam-config configuration files can be used as template
# for an own PAM configuration not managed by pam-config:
#
# for i in account auth password session session-nonlogin; do \
#      rm -f common-$i; sed '/^#.*/d' common-$i-pc > common-$i; \
# done
# for i in account auth password session; do \
#      rm -f postlogin-$i; sed '/^#.*/d' postlogin-$i-pc > postlogin-$i; \
# done
#
# Afterwards common-{account, auth, password, session, session-nonlogin}
# and postlogin-{account, auth, password, session} can be
# adjusted. Never edit or delete common-*-pc or postlogin-*-pc files!
#
# WARNING: changes done by pam-config afterwards are not
# visible to the PAM stack anymore!
#
# WARNING: self managed PAM configuration files are not supported,
# will not see required adjustments by pam-config and can become
# insecure or break system functionality through system updates!
#
#
# Session-related modules common to all or login services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive
#
session required        pam_selinux.so  close 
session required        pam_limits.so
session optional        pam_systemd.so
session required        pam_unix.so     try_first_pass 
session optional        pam_umask.so
session required        pam_selinux.so  open 
session optional        pam_kwallet5.so
session optional        pam_env.so

I will try that later today and see if it makes a difference.

ajgraves · May 5, 2025, 1:06pm

All of this is true