@benediktg
Last active May 14, 2023 14:48
Short guide for pam_kwallet with KDE Plasma 5 on openSUSE

(based on these two blog entries and inspired by Fedora-Blog)

First install pam_kwallet:

sudo zypper in pam_kwallet

Then edit the files /etc/pam.d/passwd, /etc/pam.d/login and /etc/pam.d/sddm as shown below, adding the lines that begin with a - and end with the # Add this line comment. (The leading hyphen is valid PAM syntax: it suppresses the log entry that would otherwise be written if the module is not installed.)

/etc/pam.d/passwd :

#%PAM-1.0
auth     include        common-auth
-auth optional pam_kwallet5.so kdehome=.local/share  # Add this line
account  include        common-account
password include        common-password
session  include        common-session

/etc/pam.d/login :

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
#session  optional       pam_lastlog.so nowtmp showfailed
session  optional       pam_mail.so standard
-session optional pam_kwallet5.so auto_start  # Add this line

/etc/pam.d/sddm :

#%PAM-1.0
-auth optional pam_kwallet5.so kdehome=.local/share  # Add this line
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
-session optional pam_kwallet5.so auto_start  # Add this line

Now log out and back in again; you should no longer have to type in your KWallet password.

@Trucido

Trucido commented Sep 13, 2017

So it appears one of the recent Tumbleweed updates added kwallet to the common-* files just as I proposed; however, I don't know if it works yet.

grep kwallet /etc/pam.d/*
/etc/pam.d/common-auth:auth     optional        pam_kwallet5.so
/etc/pam.d/common-auth-pc:auth  optional        pam_kwallet5.so
/etc/pam.d/common-password:password     optional        pam_kwallet5.so
/etc/pam.d/common-password-pc:password  optional        pam_kwallet5.so
/etc/pam.d/common-session:session       optional        pam_kwallet5.so
/etc/pam.d/common-session-pc:session    optional        pam_kwallet5.so
# rpm -qp --scripts pam_kwallet-5.10.5-2.1.x86_64.rpm 
postinstall scriptlet (using /bin/sh):
  /usr/sbin/pam-config -a --kwallet5 || :
postuninstall scriptlet (using /bin/sh):
  if [ "$1" = "0" ]; then
    /usr/sbin/pam-config -d --kwallet5 || :
  fi

I also noticed this line added to the top of common-password, though I'm not sure by what package.

session optional        pam_systemd.so

Seems to work out of the box on Tumbleweed, but since it doesn't have an only_if= it attempts to load it from every other PAM module.

display-manager[1425]: kwalletd5: Checking for pam module
display-manager[1425]: kwalletd5: Got pam-login param
display-manager[1425]: kwalletd5: Waiting for hash on 15-
display-manager[1425]: kwalletd5: waitingForEnvironment on: 18
display-manager[1425]: kwalletd5: client connected
display-manager[1425]: kwalletd5: client disconnected
systemd[2056]: pam_kwallet5(systemd-user:session): pam_kwallet5: pam_sm_close_session
systemd[1746]: pam_kwallet5(systemd-user:session): (null): pam_sm_open_session
systemd[1746]: pam_kwallet5(systemd-user:session): pam_kwallet5: not a graphical session, skipping. Use force_run parameter to ignore this.
sddm-helper[1744]: pam_kwallet5(sddm-greeter:session): (null): pam_sm_open_session
sddm-helper[1744]: pam_kwallet5(sddm-greeter:session): pam_kwallet5: open_session called without kwallet5_key
sddm-helper[2007]: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
sddm-helper[2007]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
systemd[2008]: pam_kwallet5(systemd-user:session): (null): pam_sm_open_session
systemd[2008]: pam_kwallet5(systemd-user:session): pam_kwallet5: not a graphical session, skipping. Use force_run parameter to ignore this.
sddm-helper[2007]: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_open_session
sddm-helper[2007]: pam_kwallet5(sddm:session): pam_kwallet5: final socket path: /run/user/1000/kwallet5.socket
sddm-helper[1744]: pam_kwallet5(sddm-greeter:session): pam_kwallet5: pam_sm_close_session
systemd[1747]: pam_kwallet5(systemd-user:session): pam_kwallet5: pam_sm_close_session
sudo[2266]: pam_kwallet5(sudo:auth): (null): pam_sm_authenticate
sudo[2266]: pam_kwallet5(sudo:setcred): pam_kwallet5: pam_sm_setcred
sudo[2266]: pam_kwallet5(sudo:session): pam_kwallet5: pam_sm_open_session
sudo[2266]: pam_kwallet5(sudo:session): pam_kwallet5: we were already executed

Seems to be a lot of "we were already executed" and attempts at pam_sm_open_session on su and sudo modules and such.
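An added example, not part of the gist or of any comment: a small Python audit that resolves `include` lines to show, per PAM service, where pam_kwallet5.so ends up being loaded, covering both the per-file edits from the guide and the common-* entries from the grep output above. The sample files are constructed, and the function names are this example's own.

```python
import re

# Constructed stand-in for /etc/pam.d (not copied from a real system): sddm is edited
# as in the guide, common-session carries the module as in the grep output above.
SAMPLE = {
    "common-auth": "auth required pam_unix.so\n",
    "common-session": "session required pam_unix.so\n"
                      "session optional pam_kwallet5.so\n",
    "sddm": "#%PAM-1.0\n"
            "-auth optional pam_kwallet5.so kdehome=.local/share  # Add this line\n"
            "auth include common-auth\n"
            "session include common-session\n"
            "-session optional pam_kwallet5.so auto_start  # Add this line\n",
    "sudo": "auth include common-auth\nsession include common-session\n",
}
# [-]type  control (word or [bracketed list])  module-or-file  args...
LINE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def entries(files, service, mtype, seen=()):
    """Yield (source_file, silent, module, args) for one management type,
    following include/substack lines; silent means a leading '-'."""
    if service in seen or service not in files:
        return
    for raw in files[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # comments and #%PAM-1.0 drop out
        if not m or m.group(2) != mtype:
            continue
        if m.group(3) in ("include", "substack"):
            yield from entries(files, m.group(4), mtype, seen + (service,))
        else:
            yield (service, m.group(1) == "-", m.group(4), m.group(5).split())

def kwallet_report(files, module="pam_kwallet5.so"):
    """Map each service (common-* excluded) to [(type, source, silent, args)]."""
    report = {}
    for service in sorted(files):
        hits = [(t, src, silent, args)
                for t in ("auth", "account", "password", "session")
                for src, silent, mod, args in entries(files, service, t)
                if mod == module]
        if hits and not service.startswith("common-"):
            report[service] = hits
    return report

if __name__ == "__main__":
    for svc, hits in kwallet_report(SAMPLE).items():
        for mtype, src, silent, args in hits:
            print(f"{svc:5} {mtype:8} from {src:15} silent={silent} {' '.join(args)}")
```

To audit a live system, build the dictionary from the files under /etc/pam.d instead of SAMPLE; a service such as sudo appearing in the report means the wallet module runs outside graphical logins.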

@the-main-thing

It works!!! Thank you a lot!!

@justdoit176

Thank you! It works in Tumbleweed.

@miku84

miku84 commented Dec 13, 2018

I have also lost a few hours trying to log in to kwallet at startup to have the gmailfeed applet connected. Then I found this:

https://www.kubuntuforums.net/showthread.php/73691-Remove-KDE-Wallet
"I just changed the password to empty. kwallet seems far more trouble than it's worth"

That is totally correct and closed my issue :)

@mx1up

mx1up commented May 23, 2019

So I finally upgraded from 42.3 to 15.1 (fresh install) and noticed the same as @Trucido. I can confirm that the wallet now automatically opens (provided you used the same password as user login) without altering any config files. However, sudo no longer works! I suspect this is related to the common-auth and common-password being much broader than editing the sddm file (which, I guess, only applied to GUI logins). So in fact, I think the new change into common-* files is not so good because you only ever want to use the kwallet in a GUI session (i.e. sddm file)?
But when I open these common files, it says not to change anything since it will be overwritten anyway, so... what now? :)

@solevi

solevi commented May 27, 2019

Hi, same here, not sure how to proceed.

@mx1up

mx1up commented May 29, 2019

It appears to be a known bug (libgcrypt related): https://bugzilla.opensuse.org/show_bug.cgi?id=1133808

@aaccioly

Just hit the same problem after upgrading to LEAP 15.1 and libgcrypt20-1.8.2-lp151.8.1.

Exact commands to downgrade to v 1.8.2-lp150.5.3.1 and lock the broken version can be found here.
