Kwallet is no longer automatically unlocked on login

In many ways, this is a continuation of bug 92845. Details are available there.

A long-standing feature request was for single-sign-on -- where logging in would automatically unlock kwallet. (A very useful feature.) The issue was raised in 2004 with bug 92845 and was finally addressed in 2014. However, about a year later, this feature was removed with the transition to KDE 5.

Please bring this feature back! (We already waited a decade!)

Reproducible: Always

oh yes please.

With the gnupg backend this may shift towards a pam module to unlock the gpg key similar to pam_ssh [1].

[1] http://www.unix.com/man-page/debian/8/pam_ssh/

Seems that in Kubuntu 15.04 there are some improvements on this feature: I see signon-kwallet-extension and pam-kwallet packages. Is this packages from KDE or Ubuntu developers?

@Murz,

I contact the Kubuntu folks first and they said that there wasn't anything they could do: https://bugs.launchpad.net/ubuntu/+source/kubuntu-meta/+bug/1451865

Still, I'd be curious to know about those packages.

Hello Alex, pam-kwallet is still in your scratch repositories. I think pam-kwallet should end in KF5::Wallet framework, into the runtime directory.

Do you plan to port it to KF5? Do you need help with that?

I don't have plans (or time) at this very moment, so please feel free to take over.

Created attachment 93611
patch to kf5 kwallet

patch to kf5 kwallet, enable pam_kwallet support. codes directly token from kde4.

Created attachment 93612
patch to pam-kwallet git codes.

git clone git://anongit.kde.org/scratch/afiestas/pam-kwallet.git
And apply this patch.

changes:
1, kdehome not needed anymore, since kwalletd store files in ~/.local/share/kwalletd/
2, Change path of kdewallet.salt accordingly.

pam_kwallet still had some limitions:

1, it only handle wallet named 'kdewallet'.

2, If you had 'kdewallet' created already, need to set the wallet password as same as account password.

3, it did not implement 'pam_sm_chauthtok' currently, that's to say, use 'passwd' utility to change account password, will NOT change 'wallet' password, kwallet still use the old password, you need to change it manually.

I checked kwalletd/kwallet codes and found it is REALLY difficult to change runtime kwallet password via pam_sm_chauthtok. kwallet load everything to memory, if password changed via kwalletmanager5, it will sync back via kwallet backend. change 'salt' from outside can not change the password of wallet.

@Cjacker
Please keep in mind: Those limitations might be ugly. But the core functionality of pam_kwallet (logging in without typing the password twice) is what people really need! So that should have priority.

@Cjacker I'm not in a position to test your patch, but I may owe you a beer. Thanks for helping out!

(In reply to Cjacker from comment #9)
> pam_kwallet still had some limitions:
>
> 1, it only handle wallet named 'kdewallet'.
>
> 2, If you had 'kdewallet' created already, need to set the wallet password
> as same as account password.
>
> 3, it did not implement 'pam_sm_chauthtok' currently, that's to say, use
> 'passwd' utility to change account password, will NOT change 'wallet'
> password, kwallet still use the old password, you need to change it manually.
>
> I checked kwalletd/kwallet codes and found it is REALLY difficult to change
> runtime kwallet password via pam_sm_chauthtok. kwallet load everything to
> memory, if password changed via kwalletmanager5, it will sync back via
> kwallet backend. change 'salt' from outside can not change the password of
> wallet.

This one is true. But good news - the replacement KSecrets Service will handle that for you automagically.

See https://git.reviewboard.kde.org/r/124413/

What is the correct configuration in the PAM files to get this working? At least under Gentoo, this doesn't work: https://bugs.gentoo.org/show_bug.cgi?id=561470

(In reply to Manuel Bärenz from comment #14)
> What is the correct configuration in the PAM files to get this working? At
> least under Gentoo, this doesn't work:
> https://bugs.gentoo.org/show_bug.cgi?id=561470

Google:
https://www.dennogumi.org/2014/04/unlocking-kwallet-with-pam/

(In reply to Valentin Rusu from comment #15)
> (In reply to Manuel Bärenz from comment #14)
> > What is the correct configuration in the PAM files to get this working? At
> > least under Gentoo, this doesn't work:
> > https://bugs.gentoo.org/show_bug.cgi?id=561470
>
> Google:
> https://www.dennogumi.org/2014/04/unlocking-kwallet-with-pam/

This is for KDE4, and it doesn't work for kwallet5.