$ rpm --query --whatprovides /etc/pam.d/common-*
file /etc/pam.d/common-account is not owned by any package
pam-config-2.12+git.20250411-1.1.x86_64
file /etc/pam.d/common-auth is not owned by any package
pam-config-2.12+git.20250411-1.1.x86_64
file /etc/pam.d/common-password is not owned by any package
pam-config-2.12+git.20250411-1.1.x86_64
file /etc/pam.d/common-session is not owned by any package
file /etc/pam.d/common-session-nonlogin is not owned by any package
file /etc/pam.d/common-session-nonlogin-pc is not owned by any package
pam-config-2.12+git.20250411-1.1.x86_64
This is a fresh install of Tumbleweed, there is no legacy software on this.
$ sudo zypper verify
Place your finger on the fingerprint reader
Refreshing service 'openSUSE'.
Loading repository data...
Reading installed packages...
Dependencies of all installed packages are satisfied.
$ sudo zypper packages --unneeded
Refreshing service 'openSUSE'.
Loading repository data...
Reading installed packages...
S | Repository | Name | Version | Arch
---+------------+-------------------------+------------+-------
i | repo-oss | containerd | 1.7.23-3.3 | x86_64
i | repo-oss | git-core | 2.49.0-2.1 | x86_64
i | repo-oss | python313-keyring | 25.2.1-1.5 | noarch
i | repo-oss | python313-pyxdg | 0.28-3.9 | noarch
i | repo-oss | python313-systemd | 235-4.5 | x86_64
i | repo-oss | rootlesskit | 2.3.4-1.1 | x86_64
i | repo-oss | slirp4netns | 1.3.2-1.2 | x86_64
i | repo-oss | typelib-1_0-WebKit2-4_0 | 2.48.1-3.1 | x86_64
$ sudo zypper packages --orphaned
Refreshing service 'openSUSE'.
Loading repository data...
Reading installed packages...
No packages found.
$ sudo zypper packages --system
Refreshing service 'openSUSE'.
Loading repository data...
Reading installed packages...
S | Repository | Name | Version | Arch
---+------------+------------------------+------------------------------------------+-------
i+ | @System | kernel-default | 6.14.3-1.1 | x86_64
i | @System | ovpn-dco-kmp-default | 0.2.20241216~git0.a08b2fd_k6.14.3_1-2.26 | x86_64
i | @System | virtualbox-kmp-default | 7.1.8_k6.14.3_1-1.3 | x86_64
Note, that I’ve just recreated the wallet and will see if anything changes here.
I exported the contents, deleted the wallet, created a new wallet named kdewallet and made sure blowfish was selected. Set the password to the same thing as my account password. Then imported the contents of the previous wallet. I will now log out and log back in and see how it goes.
EDIT: This didn’t make any difference, unfortunately.
I executed sudo pam-config --delete --fprintd and logged out and back in, and it seems as though the wallet unlocked automatically.
So it seems as though having fprintd enabled is mucking things up somehow, even though I’m entering my password on first login (which is really the only time the wallet should be unlocked).
I guess I will have to do a deep dive into pam configurations to attempt to sort this out. Always happy to hear suggestions though, as I’m sure I can’t be the only one that wants both to be able to use the fingerprint reader, AND have an automatically unlocked wallet.
It is the same as autologin - you never enter your password, so there is no way to use it for anything.
I am not sure what “first login” means here. With common-auth shown earlier if fingeprint authentication fails (times out) next module will be pam_kwallet5 which will request password if not already available. For testing you could try swapping two modules:
I mean first login after a reboot. In other words, not just locking the screen or anything like that. I mean my KDE session is logged out. My wallet is set to stay unlocked once unlocked, so the only time I need it to unlock is on that initial log in to the KDE session.
In my time using openSUSE Tumbleweed and having my fingerprint added to my account in KDE, never once has it allowed me to log in from a reboot (i.e. first login) with fingerprint only. I HAVE to enter my password after reboot/power on. However, I also have to touch the fingerprint reader after typing the password, or else it won’t let me in. (Caveat: There may be a time out where if I just let it sit and wait it will let me in, but, I haven’t sat there an waited).
I mentioned a couple of times that I am actually entering my password on the first login. So I don’t see how this could be the case.
I received this computer on April 14th, and installed it either that same day or the next. So roughly about 2 weeks.
Looks like SELinux:
$ sudo aa-status
apparmor module is loaded.
apparmor filesystem is not mounted.
$ sudo sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 34
The whole stack is SDDM, logging in to KDE, running on top of Wayland.
sudo always prompted for fingerprint. kdesu always asked for password.
I’m going to be honest, at this point I think I’m just going to leave fingerprint disabled and continue typing password as needed. However, I will continue to dive into this as I have time, in case others run in to the same issue and find themselves on this thread looking for a solution.
‘ /etc/pam.d/common-account’ should be a link pointing to “common-account-pc”.
‘/etc/pam.d/common-auth’ should be a link pointing to “common-auth-pc”.
‘/etc/pam.d/common-password’ should be a link pointing to “common-password-pc”.
‘/etc/pam.d/common-session’ should be a link pointing to “common-session-pc”
The other “common-session” links aren’t present on Leap 15.6 – you’ll have to check for where Tumbleweed has linked those directory items.
If you’re using a freshly installed Tumbleweed system, it’s a little bit surprising that, the PAM KWallet6 package has included at least one KWallet5 shared object – I downloaded the package and checked it –
/usr/lib64/security/pam_kwallet5.so
No idea …
I’ll be testing the Leap 16 Beta version in a day or two – can let you know how KDE Plasma 6 is looking on that distribution.
The “unneeded” packages can possibly be carefully removed with the “–clean-deps” option included on the command.
The “system” packages should be forcibly re-installed, with the “–force” option.
Somehow you’ve lost the pointer to the correct repository for these three packages.
I was surprised by this as well, given Plasma is up to 6 on TW. I have pam_kwallet6 installed, but it seems to stick with the 5 in the number, despite the correct package providing it:
$ zypper what-provides /usr/lib64/security/pam_kwallet5.so
Command 'what-provides' is replaced by 'search --provides --match-exact'.
See 'help search' for all available options.
Loading repository data...
Reading installed packages...
S | Name | Summary | Type
---+--------------+----------------------------------+--------
i | pam_kwallet6 | A PAM Module for KWallet signing | package
Except I want things like git-core, as I use git. Not sure why that’s listed as unneeded…
I don’t understand, this is an older kernel and older kernel modules (for that older kernel) that, I assume TW keeps at least one or a few older kernel versions around in case the latest and greatest causes issues, you can boot into an older kernel. I don’t want to force these to reinstall.
So aside from git, all the other packages that were unneeded were left over from when I installed distrobox without first installing podman. So distrobox installed docker by default. I fixed that right afterwards by installing podman then removing docker, however I didn’t clean the dependencies. I have since rectified that (as well as --forced git-core, since I want to keep that around).
On this Leap 15.6 machine, git-core is installed from the SLE 15 update repository. I have currently nothing that seems to need the thing.
You could try forcibly re-installing the thing to clean up whatever is missing.
The “zypper packages --system” command shows the installed packages which are not provided by any repository – there’s possibly a missing item in RPM database.
If you don’t want to forcibly reinstall the concerned package(s) you could try “rpm --rebuilddb”.
Just stopping by to post a similar situation with kwallet after a recent upgrade in my Pop_OS! system running on a linux laptop. In my case only when launching a database app, Jabref, there will be a series of 4 windows asking me to “choose Blowfish,” or “choose GPG”?? (something like that) for my encryption.
However, that system is running GNOME DE, I never set up kwallet, don’t use disk encryption, etc. Thinking it was a problem with Jabref I posted on their forum asking how to get rid of these stinking questions . . . and the forum guys posted back saying, “This is a kwallet problem” . . . .
And, as in the case of the OP on this thread, I didn’t create a kwallet, nor run Plasma on that machine. I asked them “which one should I choose?” between the Blowfish or GPG question to see if that makes these annoying windows go away, seems like from this thread “Blowfish” would be my answer. But then seemingly I could also remove kwallet altogether? Not using it in any form . . . nuke it???
This just happened to me after today’s update to openSUSE Tumbleweed.
This has NOT happened to me before. I had no trouble logging in with my usual user account, however. This Tumbleweed update has messed up other things today big time, however.
Hey everyone… I got the same issue today after a zypper dup I did.
I mean I can easily type the password and everything works, but it’s very inconvenient.
I checked online and everyone says to install kwallet-pam for a rapid fix, I tried but apparently it’s already there:
$ sudo zypper install pam_kwallet
Loading repository data...
Reading installed packages...
'pam_kwallet' not found in package names. Trying capabilities.
'pam_kwallet6' providing 'pam_kwallet' is already installed.
Resolving package dependencies...
Nothing to do.
Also, the password of my kwallet is the same of my login… Honestly before today I didn’t even knew kwallet existed.