@benediktg
Last active May 14, 2023 14:48
Short guide for pam_kwallet with KDE Plasma 5 on openSUSE

(based on these two blog entries and inspired by Fedora-Blog)

First install pam_kwallet:

sudo zypper in pam_kwallet

Then edit the files /etc/pam.d/passwd, /etc/pam.d/login and /etc/pam.d/sddm as shown below, i.e. add the lines that begin with a - and end with the # Add this line comment (the leading hyphen is valid PAM syntax: it suppresses log entries if the module is not installed):

/etc/pam.d/passwd :

#%PAM-1.0
auth     include        common-auth
-auth optional pam_kwallet5.so kdehome=.local/share  # Add this line
account  include        common-account
password include        common-password
session  include        common-session

/etc/pam.d/login :

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
#session  optional       pam_lastlog.so nowtmp showfailed
session  optional       pam_mail.so standard
-session optional pam_kwallet5.so auto_start  # Add this line

/etc/pam.d/sddm :

#%PAM-1.0
-auth optional pam_kwallet5.so kdehome=.local/share  # Add this line
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
-session optional pam_kwallet5.so auto_start  # Add this line

Now log out and back in to check that you are no longer asked for your kwallet password.

@murshid1988

Damn. It works. Thank you :) 👍

@Trucido

Trucido commented Sep 6, 2017

Thanks, this has been a real PAM in my arse. Tried many forum guides, even tried copying some Kubuntu lines until it worked, but everything on the system was trying to initialize kwallet if I just added kwallet under pam_gnome_keyring.so in all files it's in. Upstream seems to only care about GNOME... meanwhile gnome keyring has been neutered so hard since gnome2 it's practically worthless IMO.

Edit: Okay, this didn't work for me at all, kwalletd wasn't even starting AT ALL anymore, and starting firefox or chrome was prompting me; whereas before it was, but not opening the wallet.

I think this works for now on openSUSE Leap 42.3, but it still gets some weird journalctl messages about "pam_kwallet5: open_session called without kwallet5_key" and "pam_kwallet5: Couldn't get password (it is empty)". It eventually successfully creates the /tmp/kwallet5_.socket, and kwalletmanager5 shows the default kdewallet being used (so maybe it doesn't need to be in ALL of these files).

/etc/pam.d/common-auth:-auth optional pam_kwallet5.so
/etc/pam.d/common-auth-pc:-auth optional pam_kwallet5.so
/etc/pam.d/common-password:-password optional pam_kwallet5.so use_authtok
/etc/pam.d/common-password-pc:-password optional pam_kwallet5.so use_authtok
/etc/pam.d/common-session:session optional pam_kwallet5.so auto_start only_if=sddm,sddm-greeter,sddm-helper
/etc/pam.d/common-session-pc:session optional pam_kwallet5.so auto_start only_if=sddm,sddm-greeter,sddm-helper

I basically just added pam_kwallet5.so wherever there was a pam_gnome_keyring.so below it, so it gets sourced by the other pam files where applicable (the duplicate -pc files are because of symlinks, apparently). This is NOT update-proof though; system updates can erase/rewrite some or all of the files.

Manually adding the correct lines in each of the other files likely needs a deeper understanding of openSUSE's PAM configuration, since the order of items does matter a great deal and password auths need to be sourced by the stack somehow to auto-open the wallet.

Also, pam_env.so should always be last in a stack, which each of those main files does at the end. Maybe I'm wrong, but I think each file may be a substack to simplify things instead of having gigantic pam.d files such as Kubuntu and some Fedora spins. Simply adding kwallet to random files doesn't add them to the substacks I listed above (which seem to run independently as a group), and thus doesn't really get included. I think a real solution is adding a new substack to pam (like "common-kwallet" or something) which gets sourced by all of the appropriate pam files, but my understanding of how PAM works is very limited.

@Trucido

Trucido commented Sep 6, 2017

Okay, I think I finally found a permanent solution. The original proposed solution in this gist maybe worked on older versions of openSUSE, but not on Leap 42.3 from what I can tell.

First I created a copy of the following files:

cd /etc/pam.d/
cp common-auth-pc kwallet-auth-pc
cp common-password-pc kwallet-password-pc 
cp common-session-pc kwallet-session-pc

Then I created symlinks to preserve the original directory structure:

ln -s kwallet-auth-pc kwallet-auth
ln -s kwallet-password-pc kwallet-password
ln -s kwallet-session-pc kwallet-session

Each file was edited to comment out gnome_keyring and add kwallet5 and kwallet, since these substacks are only intended to load the wallet.

/etc/pam.d/kwallet-auth :

#%PAM-1.0
# kwallet auth stack
auth    required    pam_env.so
#-auth  optional    pam_gnome_keyring.so
auth    optional     pam_kwallet5.so
-auth   optional     pam_kwallet.so
auth    required    pam_unix.so    try_first_pass

/etc/pam.d/kwallet-password :

#%PAM-1.0
# kwallet password stack
password    requisite    pam_cracklib.so
#password  optional     pam_gnome_keyring.so    use_authtok
password    optional     pam_kwallet5.so   use_authtok
-password   optional     pam_kwallet.so   use_authtok
password    required    pam_unix.so     use_authtok nullok shadow try_first_pass

/etc/pam.d/kwallet-session :

#%PAM-1.0
# kwallet session stack
session    required   pam_limits.so
session    required   pam_unix.so    try_first_pass 
session    optional    pam_umask.so
session    optional    pam_systemd.so
#session  optional    pam_gnome_keyring.so  auto_start  only_if=gdm,gdm-password,lxdm,lightdm 
session    optional    pam_kwallet5.so  auto_start  only_if=sddm,sddm-helper,sddm-greeter
-session   optional    pam_kwallet.so  auto_start  only_if=sddm,sddm-helper,sddm-greeter
session    optional    pam_env.so

Then finally, I added each of these new stacks below the existing ones in sddm.

/etc/pam.d/sddm :

#%PAM-1.0
auth         include    common-auth
auth         include    kwallet-auth
account    include    common-account
password include    common-password
password include    kwallet-password
session    required  pam_loginuid.so
session    include    common-session
session    include    kwallet-session

Result: Success! journalctl logs below, and the default "kdewallet" opens by itself without prompting for a password when an app requests to open it. I added kwalletmanager5 to startup so it opens immediately and stays open, but I don't think it's really necessary.

display-manager[1390]: kwalletd5: Checking for pam module
display-manager[1390]: kwalletd5: Got pam-login param
display-manager[1390]: kwalletd5: Waiting for hash on 15-
display-manager[1390]: kwalletd5: waitingForEnvironment on: 18
display-manager[1390]: kwalletd5: client connected
display-manager[1390]: kwalletd5: client disconnected
org.kde.kwalletd5[2513]: kwalletd5 started
org.kde.kwalletd5[2513]: Migration agent starting...
org.kde.kwalletd5[2513]: old wallets were already migrated
org.kde.kwalletd5[2513]: Migration agent stop.
sddm-helper[2475]: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
sddm-helper[2475]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
sddm-helper[2475]: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_open_session
sddm-helper[2475]: pam_kwallet5(sddm:session): pam_kwallet5: final socket path: /tmp/kwallet5_myuser.socket

I never had to create any wallets to get the default "kdewallet", but I do remember adding these lines after a fresh install (from the Arch wiki, I think):

~/.config/kwalletrc :

[Migration]
alreadyMigrated=true

[Wallet]
First Use=false

~/.config/kwalletmanager5rc :

[Wallet]
First Use=false

@Trucido

Trucido commented Sep 8, 2017

Forked into a new guide here: How to configure pam_kwallet to auto-unlock kdewallet from sddm login credentials on openSUSE Leap 42.3 KDE Plasma5
If you or anyone else has suggestions or wants credit where credit is due, let me know. It's visible as a fork, so it links back to here anyhow.

So far it seems to be working fine with no adverse side effects, but it may be a little overkill and could be simplified some. If SUSE's default pam config would just include pam_kwallet in the appropriate places where they already have gnome_keyring, we wouldn't have to go through all this trouble.

Also, I noticed that if it's added to other files like login and passwd and such, then even system services attempt to use it whenever that pam module is called, so just adding it to sddm seems sufficient. I think it attempts to start up initially with sddm but doesn't fully authenticate until it has a password authtok or something. Also, it should be making sockets in $XDG_RUNTIME_DIR (usually /run/user/1000) and not /tmp, but I think that may be an upstream thing or just how SUSE is configured by default to restrict environment vars so heavily. Maybe it's not inheriting the environment fully and needs some extra lines to keep certain environment vars.

@Trucido

Trucido commented Sep 13, 2017

So it appears one of the recent Tumbleweed updates added kwallet to the common-* files just as I proposed; however, I don't know if it works yet.

grep kwallet /etc/pam.d/*
/etc/pam.d/common-auth:auth     optional        pam_kwallet5.so
/etc/pam.d/common-auth-pc:auth  optional        pam_kwallet5.so
/etc/pam.d/common-password:password     optional        pam_kwallet5.so
/etc/pam.d/common-password-pc:password  optional        pam_kwallet5.so
/etc/pam.d/common-session:session       optional        pam_kwallet5.so
/etc/pam.d/common-session-pc:session    optional        pam_kwallet5.so
# rpm -qp --scripts pam_kwallet-5.10.5-2.1.x86_64.rpm 
postinstall scriptlet (using /bin/sh):
  /usr/sbin/pam-config -a --kwallet5 || :
postuninstall scriptlet (using /bin/sh):
  if [ "$1" = "0" ]; then
    /usr/sbin/pam-config -d --kwallet5 || :
  fi

I also noticed this line added to the top of common-password, though I'm not sure by what package.

session optional        pam_systemd.so

It seems to work out of the box on Tumbleweed, but since it doesn't have an only_if=, it attempts to load it from every other pam module.

display-manager[1425]: kwalletd5: Checking for pam module
display-manager[1425]: kwalletd5: Got pam-login param
display-manager[1425]: kwalletd5: Waiting for hash on 15-
display-manager[1425]: kwalletd5: waitingForEnvironment on: 18
display-manager[1425]: kwalletd5: client connected
display-manager[1425]: kwalletd5: client disconnected
systemd[2056]: pam_kwallet5(systemd-user:session): pam_kwallet5: pam_sm_close_session
systemd[1746]: pam_kwallet5(systemd-user:session): (null): pam_sm_open_session
systemd[1746]: pam_kwallet5(systemd-user:session): pam_kwallet5: not a graphical session, skipping. Use force_run parameter to ignore this.
sddm-helper[1744]: pam_kwallet5(sddm-greeter:session): (null): pam_sm_open_session
sddm-helper[1744]: pam_kwallet5(sddm-greeter:session): pam_kwallet5: open_session called without kwallet5_key
sddm-helper[2007]: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
sddm-helper[2007]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
systemd[2008]: pam_kwallet5(systemd-user:session): (null): pam_sm_open_session
systemd[2008]: pam_kwallet5(systemd-user:session): pam_kwallet5: not a graphical session, skipping. Use force_run parameter to ignore this.
sddm-helper[2007]: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_open_session
sddm-helper[2007]: pam_kwallet5(sddm:session): pam_kwallet5: final socket path: /run/user/1000/kwallet5.socket
sddm-helper[1744]: pam_kwallet5(sddm-greeter:session): pam_kwallet5: pam_sm_close_session
systemd[1747]: pam_kwallet5(systemd-user:session): pam_kwallet5: pam_sm_close_session
sudo[2266]: pam_kwallet5(sudo:auth): (null): pam_sm_authenticate
sudo[2266]: pam_kwallet5(sudo:setcred): pam_kwallet5: pam_sm_setcred
sudo[2266]: pam_kwallet5(sudo:session): pam_kwallet5: pam_sm_open_session
sudo[2266]: pam_kwallet5(sudo:session): pam_kwallet5: we were already executed

There seem to be a lot of "we were already executed" messages and attempts at pam_sm_open_session on su and sudo modules and such.
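
The question running through this thread is which PAM services end up invoking pam_kwallet5 once it sits in the common-* stacks (the sudo lines in the log above) versus in a dedicated stack guarded by only_if=. The following Python script is an added example, not part of the gist or of pam_kwallet: it expands include/substack directives over a constructed pam.d directory and reports, per service, every pam_kwallet5 line that would run and whether its only_if= list actually names that service.

```python
import os
import tempfile
from collections import defaultdict

# Constructed sample pam.d files (not a real system): pam_kwallet5 in the
# common-* stacks without only_if, plus a dedicated kwallet-session stack.
SAMPLE = {
    "common-auth": "auth required pam_env.so\nauth optional pam_kwallet5.so\n"
                   "auth required pam_unix.so try_first_pass\n",
    "common-session": "session optional pam_systemd.so\nsession optional pam_kwallet5.so\n",
    "kwallet-session": "session optional pam_kwallet5.so auto_start "
                       "only_if=sddm,sddm-helper,sddm-greeter\n",
    "sddm": "#%PAM-1.0\nauth include common-auth\nsession include common-session\n"
            "session include kwallet-session\n",
    "sudo": "#%PAM-1.0\nauth include common-auth\nsession include common-session\n",
}

def build_sample():
    """Write SAMPLE into a temporary pam.d-style directory and return its path."""
    pamdir = tempfile.mkdtemp(prefix="pamd-")
    for name, body in SAMPLE.items():
        with open(os.path.join(pamdir, name), "w") as fh:
            fh.write(body)
    return pamdir

def parse_stack(pamdir, service, want=None, chain=()):
    """Yield (type, control, module, args) for a service, expanding include/substack."""
    path = os.path.join(pamdir, service)
    if service in chain or not os.path.isfile(path):  # include loop / missing file
        return
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()  # strip comments, e.g. "#%PAM-1.0"
            mtype = fields[0].lstrip("-") if fields else ""  # '-' only silences missing-module logs
            if len(fields) < 3 or (want and mtype != want):  # include pulls only its own type
                continue
            if fields[1] in ("include", "substack"):
                yield from parse_stack(pamdir, fields[2], mtype, chain + (service,))
            else:
                yield mtype, fields[1], fields[2], fields[3:]

def kwallet_report(pamdir, services):
    """Per service: (type, only_if list or None, whether the line really applies)."""
    report = defaultdict(list)
    for svc in services:
        for mtype, _ctl, module, args in parse_stack(pamdir, svc):
            if module == "pam_kwallet5.so":
                only_if = next((a[8:].split(",") for a in args if a.startswith("only_if=")), None)
                report[svc].append((mtype, only_if, only_if is None or svc in only_if))
    return dict(report)
```

Point it at /etc/pam.d and a list of services (sddm, sudo, login, systemd-user) to see which stacks will call the module on a real box; bracketed control fields such as [success=1 default=ignore] are not parsed here.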

@the-main-thing

It works!!! Thank you a lot!!

@justdoit176

Thank you! It works in Tumbleweed.

@miku84

miku84 commented Dec 13, 2018

I have also lost a few hours trying to log in to kwallet at startup to have the gmailfeed applet connected. Then I found this:

https://www.kubuntuforums.net/showthread.php/73691-Remove-KDE-Wallet
"I just changed the password to empty. kwallet seems far more trouble than it's worth "

That is totally correct and closed my issue :)

@mx1up

mx1up commented May 23, 2019

So I finally upgraded from 42.3 to 15.1 (fresh install) and noticed the same as @Trucido. I can confirm that the wallet now automatically opens (provided you used the same password as the user login) without altering any config files. However, sudo no longer works! I suspect this is related to common-auth and common-password being much broader than editing the sddm file (which, I guess, only applied to GUI logins). So in fact, I think the new change to the common-* files is not so good, because you only ever want to use the kwallet in a GUI session (i.e. the sddm file)?
But when I open these common files, it says not to change anything since it will be overwritten anyway, so... what now? :)

@solevi

solevi commented May 27, 2019

Hi, same here, not sure how to proceed..

@mx1up

mx1up commented May 29, 2019

It appears to be a known bug (libgcrypt related): https://bugzilla.opensuse.org/show_bug.cgi?id=1133808

@aaccioly

Just hit the same problem after upgrading to LEAP 15.1 and libgcrypt20-1.8.2-lp151.8.1.

Exact commands to downgrade to v 1.8.2-lp150.5.3.1 and lock the broken version can be found here.
