How to configure pam_kwallet to auto-unlock the default kwallet5 "kdewallet" from sddm login credentials on openSUSE Leap 42.3 KDE Plasma5
Note: Many other guides & posts were attempted before creating this; however, they either no longer work or are ugly hacks which don't follow SUSE's odd pam.d layouts. Essentially, this solution boils down to this: pam_kwallet needs to be loaded from its own substack, just as pam_gnome_keyring is already configured to do, so new substacks were created based on the gnome_keyring ones so that they could be added to sddm. I'm unsure how gnome_keyring and kwallet behave if both are loaded from the same substack, so I kept them in separate stacks. This was tested with only kwallet5 installed, but it should also optionally load the old kwallet4 if it's present. My understanding of PAM is limited, so I'm open to suggestions, but this seemed like the cleanest solution which doesn't get overwritten on updates, though it should probably be globally registered as a recognized PAM stack somehow.
/etc/pam.d/ directory layout:
/etc/pam.d/ uses common files included as needed in each of the other files to simplify things. From my understanding, these common files are equivalent to having substack groups in each file like Fedora and Kubuntu often do (with lines starting with
While this could work on openSUSE too, you'd have to do a lot more modifications and follow the trail of common stacks in order to figure out how to get everything to load properly, or risk causing recursive PAM loops. The main common files are usually named common-foo, which are actually symlinks to common-foo-pc (for example), so I chose to keep that same structure for simplicity and consistency.
pam_kwallet must be installed, and it is assumed that you have kwalletd5 installed too. kwalletd (v4) is optional for legacy stuff and was untested, but it should work too.
Make copies of the required common stacks:
    cd /etc/pam.d/
    cp common-auth-pc kwallet-auth-pc
    cp common-password-pc kwallet-password-pc
    cp common-session-pc kwallet-session-pc
Symlink the copied files to their appropriate names:
    ln -s kwallet-auth-pc kwallet-auth
    ln -s kwallet-password-pc kwallet-password
    ln -s kwallet-session-pc kwallet-session
You should end up with the following files:
    /etc/pam.d/kwallet-auth -> kwallet-auth-pc
    /etc/pam.d/kwallet-auth-pc
    /etc/pam.d/kwallet-password -> kwallet-password-pc
    /etc/pam.d/kwallet-password-pc
    /etc/pam.d/kwallet-session -> kwallet-session-pc
    /etc/pam.d/kwallet-session-pc
Edit each file, comment out any pam_gnome_keyring.so lines and add pam_kwallet5.so and pam_kwallet.so:
    #%PAM-1.0
    # kwallet auth stack
    auth required pam_env.so
    #-auth optional pam_gnome_keyring.so
    auth optional pam_kwallet5.so
    -auth optional pam_kwallet.so
    auth required pam_unix.so try_first_pass

    #%PAM-1.0
    # kwallet password stack
    password requisite pam_cracklib.so
    #password optional pam_gnome_keyring.so use_authtok
    password optional pam_kwallet5.so use_authtok
    -password optional pam_kwallet.so use_authtok
    password required pam_unix.so use_authtok nullok shadow try_first_pass

    #%PAM-1.0
    # kwallet session stack
    session required pam_limits.so
    session required pam_unix.so try_first_pass
    session optional pam_umask.so
    session optional pam_systemd.so
    #session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
    session optional pam_kwallet5.so auto_start only_if=sddm,sddm-helper,sddm-greeter
    -session optional pam_kwallet.so auto_start only_if=sddm,sddm-helper,sddm-greeter
    session optional pam_env.so
Add these new stacks below the existing ones in
    #%PAM-1.0
    auth     include  common-auth
    auth     include  kwallet-auth
    account  include  common-account
    password include  common-password
    password include  kwallet-password
    session  required pam_loginuid.so
    session  include  common-session
    session  include  kwallet-session
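Before rebooting, the layout built in the steps above can be linted, since a dangling symlink or a missing include only shows up at the next login. The following is an added example, not part of the original guide: `check_kwallet_pam` is a hypothetical helper name, and the service file that includes the new stacks is passed as the second argument.

```sh
#!/bin/sh
# Added example (hypothetical helper, not part of pam_kwallet or openSUSE).
# Usage: check_kwallet_pam /etc/pam.d /etc/pam.d/SERVICE_FILE
# Prints one line per problem; the return status is the number of problems.
check_kwallet_pam() {
    dir=$1 svc=$2 bad=0
    for t in auth password session; do
        link="$dir/kwallet-$t"
        file="$dir/kwallet-$t-pc"
        # kwallet-foo must be the relative symlink created above
        if [ "$(readlink "$link" 2>/dev/null)" != "kwallet-$t-pc" ] || [ ! -f "$file" ]; then
            echo "kwallet-$t: not a symlink to an existing kwallet-$t-pc"
            bad=$((bad + 1))
            continue
        fi
        # pam_kwallet5.so must be active and "optional", so that a wallet
        # failure cannot block the login itself
        if ! grep -Eq "^-?${t}[[:space:]]+optional[[:space:]]+pam_kwallet5\.so" "$file"; then
            echo "kwallet-$t-pc: no active '$t optional pam_kwallet5.so' line"
            bad=$((bad + 1))
        fi
        # pam_gnome_keyring.so must be commented out in the copied stack
        if grep -Eq "^-?${t}[[:space:]].*pam_gnome_keyring\.so" "$file"; then
            echo "kwallet-$t-pc: pam_gnome_keyring.so is still active"
            bad=$((bad + 1))
        fi
        # The service file must include kwallet-foo below common-foo
        c=$(grep -En "^${t}[[:space:]]+include[[:space:]]+common-${t}[[:space:]]*\$" "$svc" | head -n1 | cut -d: -f1)
        k=$(grep -En "^${t}[[:space:]]+include[[:space:]]+kwallet-${t}[[:space:]]*\$" "$svc" | head -n1 | cut -d: -f1)
        if [ -z "$c" ] || [ -z "$k" ] || [ "$k" -le "$c" ]; then
            echo "$svc: '$t include kwallet-$t' missing or not below common-$t"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

A return status of 0 means all three substacks and their includes match the layout described above.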
If you haven't created the default kdewallet or it does not exist, it may be required to create or modify these files with the following lines:
    [Migration]
    alreadyMigrated=true

    [Wallet]
    First Use=false

    [Wallet]
    First Use=false
Note: If you had already created the default kdewallet, I believe it needs to have the same password as your login password in order for this to work. This was tested without any wallets created, and upon login the default kdewallet should automatically be created using your login credentials.
Reboot, log into KDE and check journalctl or other relevant logs (if you have logging enabled), and you should see something similar to this (and kwallet should no longer nag you to set up a new wallet, or ask for a password):
    display-manager: kwalletd5: Checking for pam module
    display-manager: kwalletd5: Got pam-login param
    display-manager: kwalletd5: Waiting for hash on 15-
    display-manager: kwalletd5: waitingForEnvironment on: 18
    display-manager: kwalletd5: client connected
    display-manager: kwalletd5: client disconnected
    org.kde.kwalletd5: kwalletd5 started
    org.kde.kwalletd5: Migration agent starting...
    org.kde.kwalletd5: old wallets were already migrated
    org.kde.kwalletd5: Migration agent stop.
    sddm-helper: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
    sddm-helper: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
    sddm-helper: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_open_session
    sddm-helper: pam_kwallet5(sddm:session): pam_kwallet5: final socket path: /tmp/kwallet5_myuser.socket
Step 7 (optional):
Add kwalletmanager5 to KDE's list of startup programs (so the wallet is opened and can stay open). I'm unsure if this is needed, however, since it seemed to work without it too.
kwalletmanager5 doesn't appear to refresh the list of applications currently using the wallet without closing and re-opening it again. I'm unsure if this is a bug, but it doesn't seem to affect functionality in any way.
- Figure out the correct pam_env.so stuff in order for it to create sockets in $XDG_RUNTIME_DIR and not /tmp/
- Figure out the purpose of