I've written a short guide on how to unlock the KDE Wallet with PAM, avoiding the need for a separate wallet password.

Use this thread to discuss and report adjustments so that they can be incorporated into the guide itself.

I have got pam_kwallet working with 4 different machines, but with on caveat.

[*] I used a recent /usr/bin/startkde with pam_kwallet support
[*] I installed socat
[*] I added optional pam_kwallet entries for auth, session and password in /etc/pam.d/xdm after the correspondig includes.

With this configuration pam_kwallet works with local users, when sssd is not installed and for LDAP users, when sssd is installed.

The caveat is:

Logging in as a local user when sssd is in use does not work, because the 'sufficient' in /etc/pam.d/common-auth-pc make pam skip the pam_kwallet entry. Even if one only wants to use LDAP, this can happen by accident. In my case I had a local user with the same name as an LDAP user. I used this local user only for the first login to configure sssd and forgot to delete him afterwards.

I am no pam specialist, but I think it may be useful to use 'substack' instead of 'include' in pam configuration files, so that flow control inside of the common-* files does not extend to the outside. Maybe that's worth to make bug report...

I would have a single password for everything, correct?

That is correct, your regular user password will be used to unlock KWallet.

It isn't working for me on Fedora 20 KDE 4.13 and pam-kwallet from stable repositories.

Code: Select all

[donnie@fedora pam.d]$ cat login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
-auth      optional     pam_kwallet.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
-session   optional     pam_kwallet.so auto_start
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

Code: Select all

[donnie@fedora pam.d]$ cat kdm
#%PAM-1.0
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth       required    pam_env.so
auth       substack    system-auth
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet.so
auth       include     postlogin
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    optional    pam_console.so
-session    optional    pam_ck_connector.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    include     system-auth
-session    optional    pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet.so auto_start
session    include     postlogin

Code: Select all

[donnie@fedora pam.d]$ cat passwd
#%PAM-1.0
auth       include      system-auth
-auth      optional     pam_kwallet.so
account    include      system-auth
password   substack     system-auth
-password   optional    pam_gnome_keyring.so use_authtok
-password   optional    pam_kwallet.so use_authtok
password   substack     postlogin

Anybody knows details about a potential port to kf5?

all information of porting status is submitted here
http://developer.kde.org/~cfeck/portingstatus.html
can check
thanks,
http://www.thecheesyanimation.com/Exter ... ering.html

opensuse 13.1 x86_64
kde 4.11.10 , 14.12 from "kde sc current" and "kde sc current extra" source

i chose to use GPG certificate technology to secure kwallet
then
when logging a window opens asking me the pass phrase of the certificate

i applied this guide to unlock kwallet by the login process
https://tweakhound.com/2015/03/15/opens ... tegration/

this guide is inspired by your guide and it is for opensuse 13.2

unlocking kwallet by login process does not work . somothing asks for me the pass phrase .

why ?
- opensuse 13.1 ?
- i use GPG certificate technology to secure kwallet ?

thanks

For the KF5 users: pam_kwallet5.

completing my question .

i installed not the factory version but this version of pam-kwallet
http://download.opensuse.org/repositori ... x86_64.rpm

OlafLostViking wrote:For the KF5 users: pam_kwallet5.

Lack of documentation is a big problem. See my post earlier. No one replied.

Sudhir Khanger wrote:Lack of documentation is a big problem. See my post earlier. No one replied.

I agree. As a packager, I have no idea what I have to do to make this work out of the box, or even if I'm supposed to, or it's users who should make the necessary adjustments. The closest thing I could find to official documentation is einar's post, which refers to the kde4 version.