JUN 3 2016

Unlocking wallet during startup

While setting up plasma5 I found a solution for something that had been bothering me forever. Basically, while session management is restoring all windows, the wallet isn't open yet, so if the wallet is needed to get online (wifi password), all the apps being restored (in my case, about 20 konqueror windows) have no networking yet and just show error pages. One of the users of the wallet is ksshaskpass (which uses kwallet to give the SSH passphrase to ssh-agent). By calling ssh-add in the Autostart folder, it was just one more of the kwallet queries in the queue, waiting for the user while everything is being restored. While setting up plasma5 I did it slightly differently: I put the file that calls ssh-add into ~/.config/plasma-workspace/env/. This makes me wonder how distros set up ksshaskpass (more precisely, where the call to ssh-add is). It also makes me wonder if we should have a more direct way of unlocking the wallet at startup (e.g. even for people without an SSH key), e.g. a mode where kwallet-query just opens the wallet and nothing else.
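As an added illustration of the env-script approach described above (example code, not the post's own file): a POSIX sh script that could live in ~/.config/plasma-workspace/env/, where startkde sources every *.sh before the session is restored. The file name ssh-add.sh and the ksshaskpass path /usr/bin/ksshaskpass are assumptions, as is that an ssh-agent is already running with SSH_AUTH_SOCK exported by the time the directory is sourced; the guards make the script a no-op otherwise.

```shell
#!/bin/sh
# ~/.config/plasma-workspace/env/ssh-add.sh  (file name is an assumption)
# Added example of the env-script approach; not the post author's own file.
# startkde sources every *.sh in plasma-workspace/env/ before restoring the
# session, so asking ksshaskpass for the key passphrase here opens the wallet
# (one prompt) before the restored windows need their wifi password.

# Agent usable: SSH_AUTH_SOCK points at a socket and ssh-add is installed.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] \
        && command -v ssh-add >/dev/null 2>&1
}

# ssh-add -l exits 0 only if the agent already holds at least one identity.
keys_loaded() {
    ssh-add -l >/dev/null 2>&1
}

# ssh-add with stdin from /dev/null has no terminal, so it runs SSH_ASKPASS
# for the passphrase; ksshaskpass reads it from kwallet, which prompts to
# unlock the wallet (and stores the passphrase on first use).
load_keys_via_askpass() {
    SSH_ASKPASS="${SSH_ASKPASS:-/usr/bin/ksshaskpass}"   # path is an assumption
    export SSH_ASKPASS
    ssh-add </dev/null
}

# Only act in a graphical session with a running agent and no keys loaded,
# so sourcing this over an ssh login or a second time does nothing.
if [ -n "${DISPLAY:-}" ] && agent_reachable && ! keys_loaded; then
    load_keys_via_askpass
fi
```

Because the scripts in that directory are sourced rather than executed, the functions end up defined in the session environment; keep the names distinctive if you add more scripts there.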
Comments
kwallet-pam
Isn't this where kwallet-pam comes in? I thought it was meant to solve exactly that problem.
I have not used it myself yet so not sure how well it works, and I see mentions that it has several limitations still. But generally, that's where I would start looking.
Automatic unlocking of kwallet
Have you had a look at libpam-kwallet?
Cheers, Johannes
What about pam-kwallet(5)?
I feel this would solve this nicely, unless you use different passwords for your wallet. Alternatively, using GPG as SSH agent (like I do on my home system, with a smart card) would work, too.
>also makes me wonder if we
>also makes me wonder if we should have a more direct way of unlocking the wallet at startup
Possibly not quite the same thing, but are you aware we have a PAM-wallet-unlocker; so it's unlocked immediately after login
OK, but how?
Thanks for all the replies about kwallet-pam. However none of them tells me how to actually use it :-)
I have kde/workspace/kwallet-pam compiled and installed (and socat installed), but it doesn't seem to make any difference. This is the kind of thing that doesn't work out of the box when installing as a user (not root) into a custom prefix, I assume?
Running pam_wallet_init by hand exits immediately with no debug output and no error code. And I do see in the .xsession-errors log file that it's started... so I don't get why this doesn't work. I removed my ssh-add env script, and I get a kwallet prompt from the first app that needs the wallet, on session startup.
pam-kwallet via pam.d
I am happily using pam-kwallet on several computers. On most it works fully as advertised. On one it works well for kf5 based applications but fails for kde4 based ones (like kontact). I believe this is because of old history I'm carrying on that PC. On newly installed systems it works fine.
Note that I'm using it on Fedora, which has packaged it in an rpm. Installing the rpm does the necessary configuration.
From what I understand you have to tell pam to use this module. For example, my system starts with the sddm login manager. There is a sddm related pam config file called /etc/pam.d/sddm. This file has a number of additional lines specifically for pam-kwallet. If you are using another session manager, you may have to edit other pam files.
My auth lines in that file look like this:
And the last few lines for the session config look like this:
Note there are both pam_kwallet5.so and pam_kwallet.so. The first is to unlock the kf5-based kwallet, the second is for the kde4-based kwallet. I am aware this configuration is probably highly Fedora specific, but I hope it gives you a direction to figure it out on your machine.
Lastly, keep in mind this will only work if your login password is the same as your kwallet password, as pam_kwallet will reuse that password to attempt to unlock the wallet.
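The pam.d lines the comment above refers to did not survive on this page. As an added example (not the commenter's Fedora file, and not part of the original post), here is a small POSIX sh check that reports whether a PAM service file references pam_kwallet5.so in both its auth and session stacks and, if not, prints the two lines kwallet-pam's README documents. It assumes sddm is the display manager (so /etc/pam.d/sddm is the default path) and that kwallet-pam is installed where PAM looks for modules. The auth line must come after the module that collects the password (pam_unix.so or a substack including it), because pam_kwallet5 reads the already-collected PAM_AUTHTOK; the leading "-" is standard PAM syntax telling libpam not to log an error if the module cannot be loaded.

```shell
#!/bin/sh
# Added example, not the commenter's Fedora configuration. Checks whether a
# PAM service file (default /etc/pam.d/sddm, an assumption) calls
# pam_kwallet5.so in both the auth and the session stack, and prints the
# two lines from kwallet-pam's README when it does not.

# 0 if a non-comment line of type $1 (auth|session) in file $2 calls
# pam_kwallet5.so. A leading '-' is allowed: PAM syntax for "don't log an
# error if this module cannot be loaded".
pam_kwallet_line() {
    grep -Eq "^-?$1[[:space:]]+(optional|required|requisite|sufficient)[[:space:]]+pam_kwallet5\.so" "$2"
}

# 0 if both stacks reference pam_kwallet5.so, 1 otherwise.
pam_kwallet_configured() {
    pam_kwallet_line auth "$1" && pam_kwallet_line session "$1"
}

# The two lines to add. The auth entry captures the login password from the
# PAM stack; the session entry with auto_start launches kwalletd5 and unlocks
# the wallet with that password. Place the auth line after the line that
# actually authenticates (pam_unix.so / the password-auth substack).
print_pam_kwallet_lines() {
    printf '%s\n' \
        '-auth     optional  pam_kwallet5.so' \
        '-session  optional  pam_kwallet5.so auto_start'
}

main() {
    file=${1:-/etc/pam.d/sddm}
    if pam_kwallet_configured "$file"; then
        echo "$file: pam_kwallet5 is wired into both auth and session"
    else
        echo "$file: pam_kwallet5 missing; add these lines (auth after pam_unix/substack):"
        print_pam_kwallet_lines
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as ./check-pam-kwallet.sh /etc/pam.d/sddm (or the file for whatever login manager you use); the result "missing" explains the symptom in the comment above where the module is installed but makes no difference, because nothing loads it. Remember the caveat above that the wallet password must equal the login password for the unlock to succeed.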
Unlocking via PAM
Are you aware of the possibility to unlock KWallet via PAM from the login manager?
That's how I always do it, which gives me an unlocked wallet right from the get-go, without having to enter any additional password.
PAM and encrypted HOME
In my experience, PAM method fails when I have an encrypted HOME directory. Do you use encrypted HOME?
My home is encrypted with
My home is encrypted with encfs and I can login/decrypt it with just one password with kwallet-pam and pam-encfs. You need the following settings:
# /etc/pam.d/system-login
auth sufficient pam_encfs.so
# /etc/pam.d/login
session required pam_encfs.so #Automatic unmount (optional)
# /etc/pam.d/sddm
auth sufficient pam_encfs.so
session required pam_encfs.so
How do you initialize pam_kwallet5?
Where are you initializing pam_kwallet5.so in this setup?
I'm trying to use pam_kwallet/pam_kwallet5 together with pam_ecryptfs and it is not working (it works only if HOME is already mounted, e.g. when logging in via ssh or console before using xdm/sddm). If HOME is not mounted when logging in, kwallet will always ask for a password (which is the same as the user password).