[regression] kwallet asking for initial password

Bug #1003398 reported by Harald Sitter
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kubuntu-settings (Ubuntu) | Fix Released | Wishlist | Unassigned | |

Bug Description

Years ago we had kwallet default to use a passwordless wallet. At some point around KDE 4 this stopped working. Someone should make it work again.

Rationale:
* The initial password dialog is confusing for people who are not acquainted with the concept of password wallets
* As KWallet still is not tied to PAM it will often ask for the password right after login (Akonadi triggering it or NetworkManager) which is redundant and annoying
* Primary concern is having a centralized storage that *encrypts* the data, having it password protected is bonus security

Amendment:
While at it, making sure that the wallet is *only* readable by the owner/user would be healthy, as otherwise the encryption would make little sense. If it is only readable by the owner, only a trusted person (root) or someone with physical access to the user's unlocked session can get hold of the content (mind that due to the 10 minute password timeout and the rate at which kwallet is used nowadays, physical access to the user's session would probably also threaten the password security, as all they'd need to do is open the walletmanager).

In the long run having a wallet with a password would of course be desirable, though that is an issue that needs to be addressed upstream mostly, to allow it to not be interruptive.

axel (axel334) wrote :

Perhaps kwallet should have options. There is a discussion about kwallet
http://www.kubuntuforums.net/showthread.php?58954-kwallet-and-safe-password-management
I need to admit that I don't understand much of technical analysis so I will put it in my own words.
From my point of view, when I am the only person with physical access to my PC, it annoys me when kwallet requires a password every time I want to open Kmail. So, I imagine that either kwallet should have no password, or rather have a password that allows access to kwallet when I want to manage my wallets - for example add, change or remove passwords - but not ask for it when other programs call kwallet for passwords (like kmail or others). Kwallet should assume that if I am logged into this particular user account I am a legitimate user and the programs I use should be allowed to access passwords without further confirmation. Or at least make an option that allows kwallet to behave that way.
If kwallet could have this global password that protects adding, changing and deleting passwords in kwallet, this would protect kwallet and the user from any other person's physical access, but at the same time it would be convenient for the legitimate user to manage passwords.
I am not a security expert, so forgive me if I don't take into account some important things I don't know about, but this is how it looks from a point of view of a regular user of desktop PC.

affects: kubuntu-default-settings (Ubuntu) → kubuntu-settings (Ubuntu)
Changed in kubuntu-settings (Ubuntu):
status: Triaged → Fix Released