(based on these two blog entries and inspired by Fedora-Blog)
First install pam_kwallet:
sudo zypper in pam_kwallet
Then edit the files /etc/pam.d/passwd, /etc/pam.d/login and /etc/pam.d/sddm as follows, i.e. add the lines beginning with a - and ending with the "# Add this line" comment. The leading hyphen is valid PAM syntax: it suppresses the log entries that would otherwise be written if the PAM module does not exist.
/etc/pam.d/passwd:
#%PAM-1.0
auth include common-auth
-auth optional pam_kwallet5.so kdehome=.local/share # Add this line
account include common-account
password include common-password
session include common-session
/etc/pam.d/login:
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
#session optional pam_lastlog.so nowtmp showfailed
session optional pam_mail.so standard
-session optional pam_kwallet5.so auto_start # Add this line
/etc/pam.d/sddm:
#%PAM-1.0
-auth optional pam_kwallet5.so kdehome=.local/share # Add this line
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
-session optional pam_kwallet5.so auto_start # Add this line
Now log out and back in again to check that you no longer have to type in your kwallet password.
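A way to check the edited files before logging out, added here as an example and not part of the original guide: the hypothetical helper check_kwallet_pam lists every pam_kwallet5.so entry in a PAM file and whether it carries the leading hyphen. It assumes one-word control fields such as "optional", as used above, and returns 0 only when both an auth and a session entry are present, as in the sddm file; for passwd and login, which carry one entry each, read the printed lines instead.

```shell
#!/bin/sh
# check_kwallet_pam FILE  (hypothetical helper, not shipped with pam_kwallet)
# Prints one line per pam_kwallet5.so entry in FILE and returns:
#   0  an auth and a session entry are both present
#   1  one or both are missing
#   2  FILE cannot be read
check_kwallet_pam() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        { sub(/#.*/, "") }          # drop comments, including "# Add this line"
        NF < 3 { next }             # need at least: type control module
        $3 != "pam_kwallet5.so" { next }
        {
            type = $1
            quiet = (type ~ /^-/) ? "yes" : "no"   # leading hyphen present?
            sub(/^-/, "", type)
            args = ""
            for (i = 4; i <= NF; i++) args = args (i > 4 ? " " : "") $i
            printf "%s control=%s quiet-if-missing=%s args=%s\n", type, $2, quiet, args
            seen[type] = 1
        }
        END { exit !(("auth" in seen) && ("session" in seen)) }
    ' "$1"
}

# Demo on a copy of the sddm file shown above, so nothing under /etc is touched.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#%PAM-1.0
-auth optional pam_kwallet5.so kdehome=.local/share # Add this line
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
-session optional pam_kwallet5.so auto_start # Add this line
EOF
check_kwallet_pam "$demo" && echo "OK: auth and session entries present"
rm -f "$demo"
```

On the real system, run it as check_kwallet_pam /etc/pam.d/sddm after saving the file.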
Forked into a new guide here: How to configure pam_kwallet to auto-unlock kdewallet from sddm login credentials on openSUSE Leap 42.3 KDE Plasma5
If you or anyone else has suggestions or wants credit where credit is due, let me know. It's visible as a fork, so it links back to here anyhow.
So far it seems to be working fine with no adverse side effects, but it may be a little overkill and could be simplified some. If SUSE's default PAM config would just include pam_kwallet in the appropriate places where they already have gnome_keyring, we wouldn't have to go through all this trouble.
Also, I noticed that if it's added to other files like login and passwd and such, then even system services attempt to use it whenever that PAM module is called, so just adding it to sddm seems sufficient. I think it attempts to start up initially with sddm but doesn't fully authenticate until it has a password authtok or something. Also, it should be making sockets in $XDG_RUNTIME_DIR (usually /run/user/1000) and not /tmp, but I think that may be an upstream thing or just how SUSE is configured by default to restrict environment vars so heavily. Maybe it's not inheriting the environment fully and needs some extra lines to keep certain environment vars.