(based on these two blog entries and inspired by Fedora-Blog)
First install pam_kwallet:
sudo zypper in pam_kwallet
Then edit the files /etc/pam.d/passwd, /etc/pam.d/login and /etc/pam.d/sddm as follows, i.e. add the lines that begin with a - and end with the "# Add this line" comment. The leading hyphen is valid PAM syntax: it reduces log entries if these PAM modules should not exist.
/etc/pam.d/passwd:
#%PAM-1.0
auth include common-auth
-auth optional pam_kwallet5.so kdehome=.local/share # Add this line
account include common-account
password include common-password
session include common-session
/etc/pam.d/login:
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
#session optional pam_lastlog.so nowtmp showfailed
session optional pam_mail.so standard
-session optional pam_kwallet5.so auto_start # Add this line
/etc/pam.d/sddm:
#%PAM-1.0
-auth optional pam_kwallet5.so kdehome=.local/share # Add this line
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
-session optional pam_kwallet5.so auto_start # Add this line
Now log out and back in to check that you no longer have to type in your KWallet password.
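Added example (not part of the original post): a shell function that checks one PAM service file for the pam_kwallet5.so lines shown above, i.e. the leading -, the optional control and auto_start on session lines. The function name and the sample input are made up for this example, and it assumes plain control keywords rather than the bracketed [value=action] form.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: kwallet_pam_check FILE "TYPES"  (TYPES: module types that need a kwallet line)
# Assumes plain control keywords, not the bracketed [value=action] form.
kwallet_pam_check() {
    awk -v want="$2" '
    { sub(/#.*/, "") }                       # PAM treats "#" to end of line as a comment
    NF < 3 || $3 !~ /pam_kwallet5\.so$/ { next }
    {
        type = $1
        if (sub(/^-/, "", type) == 0) {      # "-" prefix: a missing module is not logged
            printf "line %d: no leading \"-\" on %s line\n", NR, type; bad++
        }
        if ($2 != "optional") {              # optional: wallet result must not decide login
            printf "line %d: control \"%s\", expected optional\n", NR, $2; bad++
        }
        auto = 0
        for (i = 4; i <= NF; i++) if ($i == "auto_start") auto = 1
        if (type == "session" && !auto) {
            printf "line %d: session line lacks auto_start\n", NR; bad++
        }
        seen[type] = 1
    }
    END {
        n = split(want, w, " ")
        for (i = 1; i <= n; i++) if (!(w[i] in seen)) {
            printf "missing: %s pam_kwallet5.so line\n", w[i]; bad++
        }
        exit (bad > 0)                       # 0 = clean, 1 = at least one finding
    }' "$1"
}

# Constructed sample: an sddm-style file whose auth line was mistyped
# (control "sufficient", no leading "-"), so the check reports two findings.
sample=$(mktemp)
printf '%s\n' '#%PAM-1.0' \
    'auth sufficient pam_kwallet5.so kdehome=.local/share' \
    'auth include common-auth' \
    'session include common-session' \
    '-session optional pam_kwallet5.so auto_start # Add this line' > "$sample"
kwallet_pam_check "$sample" "auth session" || echo "findings in constructed sample"
rm -f "$sample"
```

For the files as edited above, the expected types are "auth" for passwd, "session" for login and "auth session" for sddm.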
Thanks, this has been a real PAM in my arse. Tried many forum guides, even tried copying some Kubuntu lines until it worked but everything on the system was trying to initialize kwallet if I just added kwallet under pam_gnome_keyring.so in all files it's in. Upstream seems to only care about GNOME... meanwhile gnome keyring has been neutered so hard since gnome2 it's practically worthless IMO.
Edit: Okay this didn't work for me at all, kwalletd wasn't even starting AT ALL anymore, and starting Firefox or Chrome was prompting me; whereas before it was but not opening wallet.
I think this works for now on openSUSE Leap 42.3 but it still gets some weird journalctl messages about "pam_kwallet5: open_session called without kwallet5_key" and "pam_kwallet5: Couldn't get password (it is empty)" but it eventually successfully creates the /tmp/kwallet5_.socket and kwalletmanager5 shows the default kdewallet being used (so maybe it doesn't need to be in ALL of these files.)
/etc/pam.d/common-auth:-auth optional pam_kwallet5.so
/etc/pam.d/common-auth-pc:-auth optional pam_kwallet5.so
/etc/pam.d/common-password:-password optional pam_kwallet5.so use_authtok
/etc/pam.d/common-password-pc:-password optional pam_kwallet5.so use_authtok
/etc/pam.d/common-session:session optional pam_kwallet5.so auto_start only_if=sddm,sddm-greeter,sddm-helper
/etc/pam.d/common-session-pc:session optional pam_kwallet5.so auto_start only_if=sddm,sddm-greeter,sddm-helper
I basically just added pam_kwallet5.so wherever below every pam_gnome_keyring.so so it gets sourced by the other pam files where applicable (the duplicate -pc files are because of symlinks apparently). This is NOT update-proof though, system updates can erase/rewrite some or all of the files.
Manually adding the correct lines in each of the other files likely needs a deeper understanding of openSUSE's PAM configuration since the order of items does matter a great deal and password auths need to be sourced by the stack somehow to auto open the wallet.
Also, pam_env.so should always be last in a stack, which each of those main files does at the end. Maybe I'm wrong but I think each file may be a substack to simplify things instead of having gigantic pam.d files such as Kubuntu and some Fedora spins. Simply adding kwallet to random files doesn't add them to the substacks I listed above (which seem to run independently as a group), and thus doesn't really get included. I think a real solution is adding a new substack to pam (like "common-kwallet" or something) which gets sourced by all of the appropriate pam files, but my understanding of how PAM works is very limited.