unlocking kwallet by login process

  • name of the wallet must be “kwallet”
  • when creating the wallet you must choose “blowfish” as the encryption method, not the gpg one
  • install the pam-kwallet package

edit /etc/pam.d/sddm file

add these statements:

-auth optional pam_kwallet5.so
-session optional pam_kwallet5.so auto_start

original contents:

#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session

contents after editing:

#%PAM-1.0
auth include common-auth
-auth optional pam_kwallet5.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
-session optional pam_kwallet5.so auto_start

I used this tutorial:
https://wiki.archlinux.org/index.php/KDE_Wallet

Enjoy

Note: I assume this also works for 42.1, but I didn’t check.

Thanks for sharing. I gave this a try a while ago, and couldn’t get it to work. Will give it another shot, on Tumbleweed and Leap 42.2

I forgot to mention you must choose the same password for the wallet as the user one.

i checked this works well with 42.2 and 42.3.

Today, for the pioneer using 42.2 with framework 5.37 and plasma 5.10.5, this no longer works. Updating to framework 5.38 and plasma 5.10.95 does not solve the problem.

Sorry,

works here in Tumbleweed, but the name of the wallet is kdewallet, just as I tested it some time ago in Leap 42.2.

Best regards,
Bequimão

i found that the problem is a naming problem.

the opening process wants a wallet named “kdewallet”
the creation process creates a wallet named “kwallet”

This inconsistency is new, because on another Leap 42.2 the wallet is consistently named “kdewallet” by the creation process.

I created two links:
kdewallet.kwl -> kwallet.kwl
kdewallet.salt -> kwallet.salt

then no more problem.

I’m pretty sure that the default wallet is in fact called “kdewallet”, consistently.

If you create an additional one, it may be called “kwallet” by default though, haven’t checked.

Also it should be noted that modifying the PAM configuration is not necessary any more in Tumbleweed (and therefore also Leap 15 and up).
This is done now automatically when you install pam_kwallet5.

And actually the current package modifies the “common” PAM files, which works for all display managers, not just sddm.

For the statements:

-auth optional pam_kwallet5.so
-session optional pam_kwallet5.so auto_start

you can omit “-”

“-” means you want a log

Actually it means you do not want a log. :wink:

From “man pam.d”:

   If the type value from the list above is prepended with a - character
   the PAM library will not log to the system log if it is not possible
   to load the module because it is missing in the system. This can be
   useful especially for modules which are not always installed on the
   system and are not required for correct authentication and
   authorization of the login session.
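
Added example, not part of any post in this thread: a small checker that parses a PAM service file and compares it with the two pam_kwallet5.so lines from the first post, including the "-" prefix behaviour quoted from the man page. The function names `parse_pam` and `check_kwallet` are hypothetical, and the sample input is constructed from the edited /etc/pam.d/sddm shown above.

```python
import re

# Constructed sample: the edited /etc/pam.d/sddm from the first post.
SDDM_AFTER = """\
#%PAM-1.0
auth include common-auth
-auth optional pam_kwallet5.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
-session optional pam_kwallet5.so auto_start
"""

# [-]type  control  module-path  [module-arguments]
RULE = re.compile(
    r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return one dict per rule line; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            quiet, typ, control, module, args = m.groups()
            rules.append({"type": typ, "control": control, "module": module,
                          "args": args.split(), "quiet": quiet == "-"})
    return rules

def check_kwallet(text, module="pam_kwallet5.so"):
    """Compare a PAM service file against the two lines given in the thread."""
    problems, notes = [], []
    mine = [r for r in parse_pam(text) if r["module"].endswith(module)]
    for typ in ("auth", "session"):
        found = [r for r in mine if r["type"] == typ]
        if not found:
            problems.append(f"no {typ} line for {module}")
            continue
        rule = found[0]
        if rule["control"] != "optional":
            # Not "optional": a failure of this module can affect the login result.
            problems.append(f"{typ}: control is {rule['control']}, not optional")
        if typ == "session" and "auto_start" not in rule["args"]:
            problems.append("session: auto_start argument missing")
        if not rule["quiet"]:
            # Without the "-" prefix, PAM logs when the module cannot be loaded.
            notes.append(f"{typ}: no '-' prefix, a missing module is logged")
    return {"problems": problems, "notes": notes}

if __name__ == "__main__":
    print(check_kwallet(SDDM_AFTER))
```

To check a real system, pass the text of /etc/pam.d/sddm (or, on releases where the package edits the “common” files, those files) to `check_kwallet`.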