Jun 3, 2016

Unlocking wallet during startup

While setting up plasma5 I found a solution for something that had been bothering me forever. Basically, while session management is restoring all windows, the wallet isn't open yet, so if the wallet is needed to get online (wifi password), all the apps being restored (in my case, about 20 konqueror windows) have no networking yet and just show error pages.
I had to be there during startup and type fast to unlock the wallet before the apps needed it.

One of the users of the wallet is ksshaskpass (which uses kwallet to give the ssh passphrase to ssh-agent). By calling ssh-add in the Autostart folder, it was just one more of the kwallet queries in the queue, waiting for the user while everything is being restored.

While setting up plasma5 I did it slightly differently: I put the file that calls ssh-add into ~/.config/plasma-workspace/env/.
Because this is sourced by startkde, it actually blocks session startup, waiting for me to type the wallet password, and happens long before session management restore kicks in. This way, I can make sure to unlock the wallet first (which is useful for all wallet users afterwards, not just ksshaskpass). Very nice.
Too bad QtWebkit 5.6 crashes so much that konqueror is unusable... this idea comes 10 years too late :-)
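
A sketch of what such an env file could look like, as an added example rather than the author's actual file. The file name, the function names and the overridable `SSH_ADD` / `ASKPASS_BIN` variables are assumptions made for illustration.

```shell
# ~/.config/plasma-workspace/env/unlock-wallet.sh   (file name is an assumption)
# This file is sourced by startkde, not executed: never call `exit` here,
# because that would end session startup. Use functions and `return`.

SSH_ADD=${SSH_ADD:-ssh-add}              # overridable, e.g. for testing
ASKPASS_BIN=${ASKPASS_BIN:-ksshaskpass}  # askpass helper that talks to kwallet

# Decide what to do, based on the documented exit status of `ssh-add -l`:
#   0 = agent already holds keys, 1 = agent reachable but empty,
#   anything else = no agent reachable (or ssh-add missing).
wallet_unlock_plan() {
    if ! command -v "$ASKPASS_BIN" >/dev/null 2>&1; then
        # No graphical askpass: ssh-add could not prompt, so do not try.
        echo skip-no-askpass
        return 0
    fi
    rc=0
    "$SSH_ADD" -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo skip-keys-loaded ;;
        1) echo unlock ;;
        *) echo skip-no-agent ;;
    esac
}

unlock_wallet_at_login() {
    plan=$(wallet_unlock_plan)
    [ "$plan" = unlock ] || return 0
    SSH_ASKPASS=$(command -v "$ASKPASS_BIN")
    export SSH_ASKPASS
    # ssh-add only falls back to SSH_ASKPASS when it has no terminal and
    # DISPLAY is set; its man page suggests redirecting stdin from /dev/null.
    # A cancelled or failed prompt must not abort the login, hence `|| true`.
    "$SSH_ADD" </dev/null >/dev/null 2>&1 || true
}

unlock_wallet_at_login
```

Because the call blocks until the prompt is answered or cancelled, session restore waits for it; the early returns keep a machine without an agent or without ksshaskpass from hanging at login.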

This makes me wonder how distros set up ksshaskpass (more precisely, where the call to ssh-add is). It also makes me wonder if we should have a more direct way of unlocking the wallet at startup (e.g. even for people without an ssh key). E.g. a mode where kwallet-query just opens the wallet and nothing else.

Comments

Where are you initializing pam_kwallet5.so in this setup?
I'm trying to use pam_kwallet/pam_kwallet5 together with pam_ecryptfs and it is not working (works only if HOME is already mounted, e.g. when logging in via ssh or console before using xdm/sddm).


By gordin at Sat, 06/04/2016 - 14:46

In Fedora ssh-agent starts startkde. And then you put "ssh-add ~/.ssh/github Startup and Shutdown. You will be asked for password only once first time as long as you save the passwords in kwallet.

sudhir 1557 0.0 0.0 51296 568 ? Ss Jun03 0:00 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/startkde"

I have no idea how to set up pam-kwallet. It didn't work for me when it was released. Also I didn't find any good tutorial on it so I gave up.


By Sudhir Khanger at Sat, 06/04/2016 - 08:10

ssh-add in Autostart is what I had for 10 years, it works, but it comes in a bit too late, as I described. If you're on WIFI, it makes all the apps start offline until you unlock the wallet.


By David Faure at Sat, 06/04/2016 - 08:18

The early versions of pam-kwallet didn't work very well, but recent versions are much better. As mentioned in another reply it works flawlessly on most of my systems. I have only one system for which the kde4 wallet won't unlock. This system has the oldest configuration history and it looks like it fails for some old cruft in there. On cleanly installed systems the wallets (both kf5 and kde4 ones) unlock flawlessly during login.


By Geert Janssens at Sat, 06/04/2016 - 09:20
