@Trucido
Forked from benediktg/pam_kwallet-guide.md
Last active October 14, 2023 18:32
How to configure pam_kwallet to auto-unlock the default kwallet5 "kdewallet" from sddm login credentials on openSUSE Leap 42.3 KDE Plasma5

Note: Many other guides & posts were attempted before creating this, however they either no longer work or are ugly hacks which don't follow SUSE's odd pam.d layouts. Essentially, this solution boils down to this: pam_kwallet needs to be loaded from its own substack, just as pam_gnome_keyring is already configured to do, so new substacks were created based on the gnome_keyring ones so that they could be added to sddm. I'm unsure how both gnome_keyring and kwallet behave if both are loaded from the same substack, so I kept them in separate stacks. This was tested with only kwallet5 installed, but it should also optionally load the old kwallet4 if it is present. My understanding of PAM is limited, so I'm open to suggestions, but this seemed like the cleanest solution which doesn't get overwritten on updates, though it should probably be globally registered as a recognized PAM stack somehow.

The "/etc/pam.d/" directory layout:

openSUSE's /etc/pam.d/ uses common files that are included as needed by each of the other service files to simplify things. From my understanding, these common files are equivalent to the substack groups that Fedora and Kubuntu often have in each file (with lines starting with @).
While this could work on openSUSE too, you'd have to make a lot more modifications and follow the trail of common stacks to figure out how to get everything to load properly without causing recursive PAM loops. The main common files are named common-foo and are actually symlinks to common-foo-pc, so I chose to keep that same structure for simplicity and consistency.

Instructions:

Prerequisites: pam_kwallet must be installed, and it is assumed that you have kwalletd5 installed too. You can confirm the PAM module is present by checking that /lib64/security/pam_kwallet5.so exists (openSUSE's PAM module directory).
kwalletd (v4) is optional, for legacy applications, and was untested, but it should work too.

Step 1:

Make copies of the required common stacks:

cd /etc/pam.d/
cp common-auth-pc kwallet-auth-pc
cp common-password-pc kwallet-password-pc 
cp common-session-pc kwallet-session-pc

Step 2:

Symlink the copied files to their unsuffixed names, mirroring the common-foo -> common-foo-pc layout:

ln -s kwallet-auth-pc kwallet-auth
ln -s kwallet-password-pc kwallet-password
ln -s kwallet-session-pc kwallet-session

You should end up with the following files:

/etc/pam.d/kwallet-auth -> kwallet-auth-pc
/etc/pam.d/kwallet-auth-pc
/etc/pam.d/kwallet-password -> kwallet-password-pc
/etc/pam.d/kwallet-password-pc
/etc/pam.d/kwallet-session -> kwallet-session-pc
/etc/pam.d/kwallet-session-pc

Step 3:

Edit each file: comment out the pam_gnome_keyring.so lines and add pam_kwallet5.so and pam_kwallet.so in their place. A leading "-" on a line tells PAM not to log an error if that module cannot be loaded, which is why the kwallet4 (pam_kwallet.so) lines carry it; the pam_kwallet5.so lines deliberately do not, so a missing module shows up in the logs:

/etc/pam.d/kwallet-auth :

#%PAM-1.0
# kwallet auth stack
auth    required    pam_env.so
#-auth  optional    pam_gnome_keyring.so
auth    optional    pam_kwallet5.so
-auth   optional    pam_kwallet.so
auth    required    pam_unix.so  try_first_pass

/etc/pam.d/kwallet-password :

#%PAM-1.0
# kwallet password stack
password    requisite    pam_cracklib.so
#password   optional     pam_gnome_keyring.so  use_authtok
password    optional     pam_kwallet5.so  use_authtok
-password   optional     pam_kwallet.so  use_authtok
password    required     pam_unix.so  use_authtok nullok shadow try_first_pass

/etc/pam.d/kwallet-session :

#%PAM-1.0
# kwallet session stack
session    required   pam_limits.so
session    required   pam_unix.so  try_first_pass 
session    optional   pam_umask.so
session    optional   pam_systemd.so
#session   optional   pam_gnome_keyring.so  auto_start only_if=gdm,gdm-password,lxdm,lightdm 
session    optional   pam_kwallet5.so  auto_start only_if=sddm,sddm-helper,sddm-greeter
-session   optional   pam_kwallet.so  auto_start only_if=sddm,sddm-helper,sddm-greeter
session    optional   pam_env.so

Step 4:

Add the new stacks directly below the matching common-* includes in /etc/pam.d/sddm, so that pam_kwallet5 runs after pam_unix has already put the login password on the stack. Note that the kwallet-* files are copies of the common-* stacks and still carry pam_env, pam_unix, pam_limits and the other modules, so for the sddm service those modules run a second time. This is how the guide was tested and it works (pam_unix's try_first_pass and use_authtok reuse the password already on the stack), but if you prefer not to duplicate them you can strip each kwallet-* file down to its pam_kwallet5.so / pam_kwallet.so lines, since everything else already runs from common-*:

/etc/pam.d/sddm :

#%PAM-1.0
auth       include    common-auth
auth       include    kwallet-auth
account    include    common-account
password   include    common-password
password   include    kwallet-password
session    required   pam_loginuid.so
session    include    common-session
session    include    kwallet-session
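Steps 1 to 4 above, as an added shell example that is not part of the original gist: it generates the kwallet-* stacks from the common-*-pc files, checks that no active pam_gnome_keyring.so line remains, and checks that the sddm service file includes each kwallet-* stack after the matching common-* one. The function names, the scratch-directory demo and its sample stack files are assumptions made here (the sample files are constructed from the stacks quoted in this guide, not copied from a live system), and every function takes paths so it can be tried on a scratch copy before touching /etc/pam.d.

```shell
#!/bin/sh
# Added example, not part of the original gist: build the kwallet-* substacks
# (Steps 1-3) and check the resulting layout (Step 4). All functions take
# paths, so you can try them on a scratch copy before touching /etc/pam.d.

# build_kwallet_stack TYPE SRC DST  (TYPE is auth, password or session)
# Copies SRC to DST, comments out an active pam_gnome_keyring.so line and puts
# the guide's pam_kwallet5.so / pam_kwallet.so lines in its place; if SRC has
# no such line they go right before pam_unix.so (or at the end as a last resort).
# The "-" prefix makes PAM skip the kwallet4 line silently if the module is missing.
build_kwallet_stack() {
    type="$1"; src="$2"; dst="$3"
    case "$type" in
        auth)
            k5="auth    optional    pam_kwallet5.so"
            k4="-auth   optional    pam_kwallet.so" ;;
        password)
            k5="password    optional     pam_kwallet5.so  use_authtok"
            k4="-password   optional     pam_kwallet.so  use_authtok" ;;
        session)
            k5="session    optional   pam_kwallet5.so  auto_start only_if=sddm,sddm-helper,sddm-greeter"
            k4="-session   optional   pam_kwallet.so  auto_start only_if=sddm,sddm-helper,sddm-greeter" ;;
        *)  echo "build_kwallet_stack: unknown stack type '$type'" >&2; return 1 ;;
    esac
    has_gk=0
    grep -Eq '^[^#]*pam_gnome_keyring\.so' "$src" && has_gk=1
    awk -v k5="$k5" -v k4="$k4" -v has_gk="$has_gk" '
        /^[ \t]*#/              { print; next }            # keep existing comments
        /pam_gnome_keyring\.so/ { print "#" $0; print k5; print k4; added = 1; next }
        has_gk == 0 && !added && /pam_unix\.so/ { print k5; print k4; added = 1 }
        { print }
        END { if (!added) { print k5; print k4 } }
    ' "$src" > "$dst"
}

# check_kwallet_stack TYPE FILE
# Succeeds only if FILE has an active pam_kwallet5.so line of the right TYPE
# and no active (uncommented) pam_gnome_keyring.so line.
check_kwallet_stack() {
    type="$1"; file="$2"
    grep -Eq "^-?${type}[[:space:]]+optional[[:space:]]+pam_kwallet5\.so" "$file" || return 1
    ! grep -Eq "^[[:space:]]*-?${type}[[:space:]].*pam_gnome_keyring\.so" "$file"
}

# check_sddm_includes FILE
# Succeeds only if FILE includes kwallet-TYPE after common-TYPE for auth,
# password and session: pam_kwallet5 needs the password that pam_unix in
# common-auth has already put on the stack.
check_sddm_includes() {
    file="$1"
    for t in auth password session; do
        common=$(grep -nE "^${t}[[:space:]]+include[[:space:]]+common-${t}[[:space:]]*\$" "$file" | cut -d: -f1 | head -n 1)
        kwallet=$(grep -nE "^${t}[[:space:]]+include[[:space:]]+kwallet-${t}[[:space:]]*\$" "$file" | cut -d: -f1 | head -n 1)
        [ -n "$common" ] && [ -n "$kwallet" ] && [ "$kwallet" -gt "$common" ] || return 1
    done
}

# demo: run the whole procedure in a scratch directory on constructed sample
# files modelled on the openSUSE stacks quoted in the guide (not a live copy).
demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' '#%PAM-1.0' 'auth    required    pam_env.so' \
        '-auth  optional    pam_gnome_keyring.so' \
        'auth    required    pam_unix.so  try_first_pass' > "$work/common-auth-pc"
    printf '%s\n' '#%PAM-1.0' 'password    requisite    pam_cracklib.so' \
        'password    optional     pam_gnome_keyring.so  use_authtok' \
        'password    required     pam_unix.so  use_authtok nullok shadow try_first_pass' > "$work/common-password-pc"
    printf '%s\n' '#%PAM-1.0' 'session    required   pam_limits.so' \
        'session    required   pam_unix.so  try_first_pass' \
        'session    optional   pam_gnome_keyring.so  auto_start only_if=gdm,gdm-password,lxdm,lightdm' \
        'session    optional   pam_env.so' > "$work/common-session-pc"
    printf '%s\n' '#%PAM-1.0' 'auth       include    common-auth' \
        'auth       include    kwallet-auth' 'account    include    common-account' \
        'password   include    common-password' 'password   include    kwallet-password' \
        'session    required   pam_loginuid.so' 'session    include    common-session' \
        'session    include    kwallet-session' > "$work/sddm"
    status=0
    for t in auth password session; do
        build_kwallet_stack "$t" "$work/common-$t-pc" "$work/kwallet-$t-pc" || status=1
        ln -sf "kwallet-$t-pc" "$work/kwallet-$t"          # Step 2 symlink
        check_kwallet_stack "$t" "$work/kwallet-$t" || status=1
    done
    check_sddm_includes "$work/sddm" || status=1
    cat "$work/kwallet-session"                              # show one generated stack
    rm -rf "$work"
    return "$status"
}

demo
```

To use it on a real system, run build_kwallet_stack against /etc/pam.d/common-TYPE-pc with a kwallet-TYPE-pc destination, create the symlinks as in Step 2, then run check_kwallet_stack on each result and check_sddm_includes on /etc/pam.d/sddm after editing it. The gnome_keyring detection only counts uncommented lines, so a stack where the line was already commented out gets the kwallet lines appended at the end, which is still after pam_unix.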

Step 5:

If you haven't created the default kdewallet yet, it may be necessary to create or edit these files with the following lines (they mark the kwallet4 migration as done and disable the first-use wizard, so kwalletd5 doesn't prompt at login):

~/.config/kwalletrc :

[Migration]
alreadyMigrated=true

[Wallet]
First Use=false

~/.config/kwalletmanager5rc :

[Wallet]
First Use=false

Note: If you had already created the default kdewallet, I believe it needs to have the same password as your login password in order for this to work. This was tested without any wallets created, and upon login the default kdewallet should automatically be created using your login credentials.

Step 6:

Reboot, log into KDE and check journalctl (for example journalctl -b) or other relevant logs (if you have logging enabled). You should see something similar to this, and kwallet should no longer nag you to set up a new wallet or ask for a password:

display-manager[1390]: kwalletd5: Checking for pam module
display-manager[1390]: kwalletd5: Got pam-login param
display-manager[1390]: kwalletd5: Waiting for hash on 15-
display-manager[1390]: kwalletd5: waitingForEnvironment on: 18
display-manager[1390]: kwalletd5: client connected
display-manager[1390]: kwalletd5: client disconnected
org.kde.kwalletd5[2513]: kwalletd5 started
org.kde.kwalletd5[2513]: Migration agent starting...
org.kde.kwalletd5[2513]: old wallets were already migrated
org.kde.kwalletd5[2513]: Migration agent stop.
sddm-helper[2475]: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
sddm-helper[2475]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
sddm-helper[2475]: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_open_session
sddm-helper[2475]: pam_kwallet5(sddm:session): pam_kwallet5: final socket path: /tmp/kwallet5_myuser.socket
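The log check in Step 6, as an added shell example that is not part of the original gist: it reads journal lines on stdin, confirms that pam_kwallet5 ran through all three phases for the sddm service, extracts the socket path from the "final socket path" line, and flags a socket that landed outside the per-user runtime directory (the /tmp location noted in the TODO below). The function names are assumptions made here, and the sample lines are constructed from the journal excerpt above, not live output.

```shell
#!/bin/sh
# Added example, not part of the original gist: check journal output for the
# pam_kwallet5 lines the guide says to expect, and flag a wallet socket that
# ended up in /tmp instead of the per-user runtime directory.

# kwallet_login_ok: read log lines on stdin; succeed only if the sddm service
# ran pam_kwallet5 through all three phases (authenticate, setcred, open_session).
kwallet_login_ok() {
    log=$(cat)
    for phase in pam_sm_authenticate pam_sm_setcred pam_sm_open_session; do
        printf '%s\n' "$log" | grep -q "pam_kwallet5(sddm:[a-z]*):.*$phase" || return 1
    done
}

# kwallet_socket_from_log: read log lines on stdin; print the socket path from
# the last "final socket path:" line (prints nothing if there is none).
kwallet_socket_from_log() {
    sed -n 's/.*pam_kwallet5: final socket path: //p' | tail -n 1
}

# socket_in_runtime_dir PATH [RUNDIR]: succeed if PATH is under RUNDIR
# (default: $XDG_RUNTIME_DIR, or /run/user/<uid> if unset). /tmp is shared by
# every local user; $XDG_RUNTIME_DIR is per-user and mode 0700.
socket_in_runtime_dir() {
    rundir="${2:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}}"
    case "$1" in
        "$rundir"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample, copied from the journal excerpt in Step 6 (not live output).
sample_log() {
    printf '%s\n' \
        'sddm-helper[2475]: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate' \
        'sddm-helper[2475]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred' \
        'sddm-helper[2475]: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_open_session' \
        'sddm-helper[2475]: pam_kwallet5(sddm:session): pam_kwallet5: final socket path: /tmp/kwallet5_myuser.socket'
}

# Stand-alone run against the sample; on a live system replace sample_log with: journalctl -b
sample_log | kwallet_login_ok && echo "pam_kwallet5 ran for sddm"
sock=$(sample_log | kwallet_socket_from_log)
socket_in_runtime_dir "$sock" || echo "wallet socket is outside the runtime dir: $sock"
```

The phase check deliberately requires the sddm service name, so pam_kwallet5 lines from another service (a screen locker, for instance) don't count as a successful login-time unlock.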

Step 7 (optional):

Add kwalletmanager5 to KDE's list of startup programs (so the wallet is opened and can stay open). I'm unsure if this is needed however, since it seemed to work without it too.

Note: kwalletmanager5 doesn't appear to refresh the list of applications currently using the wallet without closing and re-opening it again. I'm unsure if this is a bug, but it doesn't seem to affect functionality in any way.

TODO:

  • Figure out the correct pam_env.so stuff in order for it to create sockets in $XDG_RUNTIME_DIR and not /tmp/ (/tmp is shared by all local users, while $XDG_RUNTIME_DIR is per-user and mode 0700)
  • Figure out the purpose of pam_kwallet_init and /etc/xdg/autostart/pam_kwallet_init.desktop
@a4z
a4z commented Sep 25, 2017

this is great!
