Ubuntu
kubuntu-meta package

Kwallet is no longer automatically unlocked on login

Bug #1451865 reported by Leon Maurer on 2015-05-05
46
This bug affects 9 people
Affects Status Importance Assigned to Milestone
kdelibs
Fix Released
Wishlist
kubuntu-meta (Ubuntu)
Won't Fix
Undecided
Unassigned
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

After upgrading to Kubuntu 15.04, kwallet is no longer unlocked on login. This was a feature that was long requested:

https://bugs.kde.org/show_bug.cgi?id=92845

And was implemented last year:

https://www.dennogumi.org/2014/04/unlocking-kwallet-with-pam/

It worked in Kubuntu, but it no longer does.

This may be deliberate; perhaps the functionality is still there but was turned off by default? However, I have searched for an option to enable it, and I haven't found it.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: ubuntu-desktop (not installed)
ProcVersionSignature: Ubuntu 3.19.0-16.16-generic 3.19.3
Uname: Linux 3.19.0-16-generic x86_64
ApportVersion: 2.17.2-0ubuntu1
Architecture: amd64
CurrentDesktop: KDE
Date: Tue May 5 09:29:59 2015
EcryptfsInUse: Yes
InstallationDate: Installed on 2012-06-16 (1053 days ago)
InstallationMedia: Kubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120423)
SourcePackage: ubuntu-meta
UpgradeStatus: Upgraded to vivid on 2015-04-24 (10 days ago)

Leon Maurer (leon-n-maurer) wrote :
affects: ubuntu-meta (Ubuntu) → kubuntu-meta (Ubuntu)
Brian Murray (brian-murray) on 2015-05-05
tags: added: regression-release
Jonathan Riddell (jr) wrote :

This was never ported to kde frameworks 5.

Changed in kubuntu-meta (Ubuntu):
status: New → Won't Fix
Leon Maurer (leon-n-maurer) wrote :

Good to know. I guess I should file it with the KDE folks then.

In , Leon Maurer (leon-n-maurer) wrote :

In many ways, this is a continuation of bug 92845. Details are available there.

A long-standing feature request was for single-sign-on -- where logging in would automatically unlock kwallet. (A very useful feature.) The issue was raised in 2004 with bug 92845 and was finally addressed in 2014. However, about a year later, this feature was removed with the transition to KDE 5.

Please bring this feature back! (We already waited a decade!)

Reproducible: Always

In , Brix-g (brix-g) wrote :

oh yes please.

In , Till Schäfer (till2-schaefer) wrote :

With the gnupg backend this may shift towards a pam module to unlock the gpg key similar to pam_ssh [1].

[1] http://www.unix.com/man-page/debian/8/pam_ssh/

In , Murz (murznn) wrote :

Seems that in Kubuntu 15.04 there are some improvements on this feature: I see signon-kwallet-extension and pam-kwallet packages. Is this packages from KDE or Ubuntu developers?

In , Leon Maurer (leon-n-maurer) wrote :

@Murz,

I contact the Kubuntu folks first and they said that there wasn't anything they could do: https://bugs.launchpad.net/ubuntu/+source/kubuntu-meta/+bug/1451865

Still, I'd be curious to know about those packages.

In , 8-kde (8-kde) wrote :

Hello Alex, pam-kwallet is still in your scratch repositories. I think pam-kwallet should end in KF5::Wallet framework, into the runtime directory.

Do you plan to port it to KF5? Do you need help with that?

In , Alex Fiestas (afiestas) wrote :

I don't have plans (or time) at this very moment, so please feel free to take over.

In , Cjacker (cjacker) wrote :

Created attachment 93611
patch to kf5 kwallet

patch to kf5 kwallet, enable pam_kwallet support. codes directly token from kde4.

In , Cjacker (cjacker) wrote :

Created attachment 93612
patch to pam-kwallet git codes.

git clone git://anongit.kde.org/scratch/afiestas/pam-kwallet.git
And apply this patch.

changes:
1, kdehome not needed anymore, since kwalletd store files in ~/.local/share/kwalletd/
2, Change path of kdewallet.salt accordingly.

In , Cjacker (cjacker) wrote :

pam_kwallet still had some limitions:

1, it only handle wallet named 'kdewallet'.

2, If you had 'kdewallet' created already, need to set the wallet password as same as account password.

3, it did not implement 'pam_sm_chauthtok' currently, that's to say, use 'passwd' utility to change account password, will NOT change 'wallet' password, kwallet still use the old password, you need to change it manually.

I checked kwalletd/kwallet codes and found it is REALLY difficult to change runtime kwallet password via pam_sm_chauthtok. kwallet load everything to memory, if password changed via kwalletmanager5, it will sync back via kwallet backend. change 'salt' from outside can not change the password of wallet.

In , kolAflash (colaflash) wrote :

@Cjacker
Please keep in mind: Those limitations might be ugly. But the core functionality of pam_kwallet (logging in without typing the password twice) is what people really need! So that should have priority.

In , Leon Maurer (leon-n-maurer) wrote :

@Cjacker I'm not in a position to test your patch, but I may owe you a beer. Thanks for helping out!

Bug Watch Updater (bug-watch-updater) on 2015-07-22
Changed in kdelibs:
importance: Unknown → Wishlist
In , 8-kde (8-kde) wrote :

(In reply to Cjacker from comment #9)
> pam_kwallet still had some limitions:
>
> 1, it only handle wallet named 'kdewallet'.
>
> 2, If you had 'kdewallet' created already, need to set the wallet password
> as same as account password.
>
> 3, it did not implement 'pam_sm_chauthtok' currently, that's to say, use
> 'passwd' utility to change account password, will NOT change 'wallet'
> password, kwallet still use the old password, you need to change it manually.
>
> I checked kwalletd/kwallet codes and found it is REALLY difficult to change
> runtime kwallet password via pam_sm_chauthtok. kwallet load everything to
> memory, if password changed via kwalletmanager5, it will sync back via
> kwallet backend. change 'salt' from outside can not change the password of
> wallet.

This one is true. But good news - the replacement KSecrets Service will handle that for you automagically.

In , 8-kde (8-kde) wrote :

See https://git.reviewboard.kde.org/r/124413/

Bug Watch Updater (bug-watch-updater) on 2015-08-07
Changed in kdelibs:
status: Unknown → Fix Released
In , Manuel Bärenz (turion) wrote :

What is the correct configuration in the PAM files to get this working? At least under Gentoo, this doesn't work: https://bugs.gentoo.org/show_bug.cgi?id=561470

In , Valir (valir) wrote :

(In reply to Manuel Bärenz from comment #14)
> What is the correct configuration in the PAM files to get this working? At
> least under Gentoo, this doesn't work:
> https://bugs.gentoo.org/show_bug.cgi?id=561470

Google:
https://www.dennogumi.org/2014/04/unlocking-kwallet-with-pam/

In , Manuel Bärenz (turion) wrote :

(In reply to Valentin Rusu from comment #15)
> (In reply to Manuel Bärenz from comment #14)
> > What is the correct configuration in the PAM files to get this working? At
> > least under Gentoo, this doesn't work:
> > https://bugs.gentoo.org/show_bug.cgi?id=561470
>
> Google:
> https://www.dennogumi.org/2014/04/unlocking-kwallet-with-pam/

This is for KDE4, and it doesn't work for kwallet5.

Serhiy Zahoriya (xintx-ua) wrote :

sudo apt install pam-kwallet5

On 15.10 in my case installing pam-kwallet5 was sufficient, SDDM PAM config already contains necessary lines.

Nathaniel Eliot (temujin9) wrote :

It appears that this is actually available, but that default settings are breaking it.

In kwalletmanager, go to Settings > Configure Wallet and uncheck "Close when last application stops using it".

Otherwise, the wallet will get opened by pam_kwallet, and then immediately closed again because nothing else is using it.

Serhiy Zahoriya (xintx-ua) wrote :

16.04, Plasma 5.6.5. Unchecking "Close when last application stops using it" doesn't help.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.