Unlocking wallet during startup

While setting up plasma5 I found a solution for something that had been bothering me forever. Basically, while session management is restoring all windows, the wallet isn't open yet, so if the wallet is needed to get online (wifi password), all the apps being restored (in my case, about 20 konqueror windows) have no networking yet and just show error pages.
I had to be there during startup and type fast to unlock the wallet before the apps needed it.

One of the users of the wallet is ksshaskpass (which uses kwallet to give the ssh passphrase to ssh-agent). By calling ssh-add in the Autostart folder, it was just one more of the kwallet queries in the queue, waiting for the user while everything is being restored.

While setting up plasma5 I did it slightly differently: I put the file that calls ssh-add into ~/.config/plasma-workspace/env/.
Because this is sourced by startkde, it actually blocks session startup, waiting for me to type the wallet password, and happens well before session management restore kicks in. This way, I can make sure to unlock the wallet first (which is useful for all wallet users afterwards, not just ksshaskpass). Very nice.
Too bad QtWebkit 5.6 crashes so much that konqueror is unusable... this idea comes 10 years too late :-)

This makes me wonder how distros set up ksshaskpass (more precisely, where the call to ssh-add is). It also makes me wonder if we should have a more direct way of unlocking the wallet at startup (e.g. even for people without an ssh key), such as a mode where kwallet-query just opens the wallet and nothing else.
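As an added example (not the script from the post), this is what a file in ~/.config/plasma-workspace/env/ can look like. The file name (10-ssh-add.sh), the key paths and the ksshaskpass location are assumptions; startkde sources every *.sh in that directory before session restore, which is what makes the wallet prompt appear early.

```shell
#!/bin/sh
# Added example: ~/.config/plasma-workspace/env/10-ssh-add.sh (file name assumed).
# startkde sources this before session management restores any window, so the
# ssh-add below, via ksshaskpass, raises the wallet prompt and blocks until it
# is answered; every later wallet user then finds the wallet already open.

kwallet_preload_keys() {
    # Add one key to the running agent.
    # Returns 1 if the key file is missing, 2 if no agent socket is set,
    # 3 if ssh-add is not installed; otherwise ssh-add's own exit status.
    keyfile="${1:-$HOME/.ssh/id_rsa}"
    [ -r "$keyfile" ] || return 1
    [ -n "$SSH_AUTH_SOCK" ] || return 2
    command -v ssh-add >/dev/null 2>&1 || return 3
    # With stdin not a terminal and DISPLAY set, ssh-add asks for the passphrase
    # through SSH_ASKPASS; ksshaskpass answers from (or stores it in) kwallet.
    # /usr/bin/ksshaskpass is an assumed path; adjust it to your prefix.
    SSH_ASKPASS="${SSH_ASKPASS:-/usr/bin/ksshaskpass}" ssh-add "$keyfile" </dev/null
}

# startkde ignores the return value: if there is no agent yet or no key, the
# session starts exactly as before, with the wallet still locked.
for key in "$HOME/.ssh/id_rsa" "$HOME/.ssh/id_ed25519"; do
    [ -r "$key" ] && kwallet_preload_keys "$key"
done
```

The guards matter because the same file is sourced on every login, including ones where ssh-agent was not started first (then SSH_AUTH_SOCK is empty and the function returns 2 without touching the wallet).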


Isn't this where kwallet-pam comes in? I thought it was meant to solve exactly that problem.
I have not used it myself yet so not sure how well it works, and I see mentions that it has several limitations still. But generally, that's where I would start looking.

By Heinz Wiesinger at Fri, 06/03/2016 - 20:35

Have you had a look at libpam-kwallet?

Cheers, Johannes

By Johannes Ranke at Fri, 06/03/2016 - 22:16

I feel this would solve this nicely, unless you use different passwords for your wallet. Alternatively, using GPG as SSH agent (like I do on my home system, with a smart card) would work, too.

By Luca Beltrame at Fri, 06/03/2016 - 23:11

>also makes me wonder if we should have a more direct way of unlocking the wallet at startup

Possibly not quite the same thing, but are you aware we have a PAM wallet unlocker, so it's unlocked immediately after login?

By David E at Fri, 06/03/2016 - 23:38

Thanks for all the replies about kwallet-pam. However none of them tells me how to actually use it :-)

I have kde/workspace/kwallet-pam compiled and installed (and socat installed), but it doesn't seem to make any difference. This is the kind of thing that doesn't work out of the box when installing as a user (not root) into a custom prefix, I assume?
Running pam_wallet_init by hand exits immediately with no debug output and no error code. And I do see in the .xsession-errors log file that it's started... so I don't get why this doesn't work. I removed my ssh-add env script, and I get a kwallet prompt from the first app that needs the wallet, on session startup.

By David Faure at Sat, 06/04/2016 - 08:17

I am happily using pam-kwallet on several computers. On most it works fully as advertised. On one it works well for kf5 based applications but fails for kde4 based ones (like kontact). I believe this is because of old history I'm carrying on that PC. On newly installed systems it works fine.

Note that I'm using it on Fedora, which has packaged it in an rpm. Installing the rpm does the necessary configuration.

From what I understand you have to tell pam to use this module. For example, my system starts with the sddm login manager. There is a sddm related pam config file called /etc/pam.d/sddm. This file has a number of additional lines specifically for pam-kwallet. If you are using another session manager, you may have to edit other pam files.

My auth lines in that file look like this:

auth        substack      password-auth
-auth        optional      pam_gnome_keyring.so
-auth        optional      pam_kwallet5.so
-auth        optional      pam_kwallet.so
auth        include       postlogin

And the last few lines for the session config look like this:

session     include       password-auth
-session     optional      pam_gnome_keyring.so auto_start
-session     optional      pam_kwallet5.so
-session     optional      pam_kwallet.so
session     include       postlogin

Note there are both pam_kwallet5.so and pam_kwallet.so. The first is to unlock the kf5 based kwallet, the second is for the kde4 based kwallet. I am aware this configuration is probably highly Fedora specific, but I hope it gives you a direction to figure it out on your machine.

Lastly, keep in mind this will only work if your login password is the same as your kwallet password, as pam_kwallet will reuse that password to attempt to unlock the wallet.

By Geert Janssens at Sat, 06/04/2016 - 09:16
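As an added example (not from Geert's comment or the kwallet-pam project), the following POSIX sh function checks a PAM service file for the two lines the comment above says are needed: pam_kwallet5.so in the auth stack (to capture the login password) and again in the session stack (to start the wallet daemon with it). The sample files it writes are constructed from the snippets in this thread.

```shell
#!/bin/sh
# Added example: check a PAM service file for the pam_kwallet5 lines described
# in the thread. Both stacks are needed: the auth line captures the password,
# the session line hands it to kwalletd5 once the session starts.

pam_kwallet5_configured() {
    # Returns 0 when pam_kwallet5.so is in both the auth and session stacks,
    # 1 when one or both are missing, 2 when the file is unreadable.
    [ -r "$1" ] || return 2
    auth_ok=0
    session_ok=0
    while read -r type control module _rest; do
        # skip blank lines and comments
        case "$type" in ''|'#'*) continue ;; esac
        # a leading "-" tells PAM to skip the line silently if the module is absent
        type="${type#-}"
        case "$type:$module" in
            auth:pam_kwallet5.so)    auth_ok=1 ;;
            session:pam_kwallet5.so) session_ok=1 ;;
        esac
    done < "$1"
    [ "$auth_ok" = 1 ] && [ "$session_ok" = 1 ]
}

# Constructed sample: the Fedora-style /etc/pam.d/sddm stack quoted in the thread.
write_sample_sddm() {
    cat > "$1" <<'EOF'
auth        substack      password-auth
-auth       optional      pam_gnome_keyring.so
-auth       optional      pam_kwallet5.so
-auth       optional      pam_kwallet.so
auth        include       postlogin
session     include       password-auth
-session    optional      pam_gnome_keyring.so auto_start
-session    optional      pam_kwallet5.so
-session    optional      pam_kwallet.so
session     include       postlogin
EOF
}

# Constructed sample: an encfs-only stack with no wallet module at all.
write_sample_encfs_only() {
    cat > "$1" <<'EOF'
auth        sufficient    pam_encfs.so
session     required      pam_encfs.so #Automatic unmount (optional)
EOF
}

# Usage: sh check-pam-kwallet.sh /etc/pam.d/sddm
if [ -n "$1" ]; then
    if pam_kwallet5_configured "$1"; then
        echo "$1: pam_kwallet5.so present in both auth and session stacks"
    else
        echo "$1: pam_kwallet5.so missing from the auth or session stack"
    fi
fi
```

Run it against whichever service file your login manager uses (sddm, login, or your distro's common-auth/common-session includes); a file that only lists pam_encfs.so, like the second sample, is reported as missing the wallet module.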

Are you aware of the possibility to unlock KWallet via PAM from the login manager?
That's how I always do it, which gives me an unlocked wallet right from the get-go, without having to enter any additional password.

By colomar at Sat, 06/04/2016 - 00:26

In my experience, PAM method fails when I have an encrypted HOME directory. Do you use encrypted HOME?

By Donatas Glodenis at Sat, 06/04/2016 - 05:33

My home is encrypted with encfs and I can log in/decrypt it with just one password with kwallet-pam and pam-encfs. You need the following settings:

# /etc/pam.d/system-login
auth sufficient pam_encfs.so

# /etc/pam.d/login
session required pam_encfs.so #Automatic unmount (optional)

# /etc/pam.d/sddm
auth sufficient pam_encfs.so
session required pam_encfs.so

By gcala at Sat, 06/04/2016 - 09:51

Where are you initializing pam_kwallet5.so in this setup?
I'm trying to use pam_kwallet/pam_kwallet5 together with pam_ecryptfs and it is not working (it works only if HOME is already mounted, e.g. when logging in via ssh or console before using xdm/sddm). If HOME is not mounted when logging in, kwallet will always ask for a password (which is the same as the user password).

By gordin at Sat, 06/04/2016 - 13:30