Reply to topic

Hooking KWallet with PAM

User avatar einar
Administrator
Posts
3402
Karma
7
OS

Hooking KWallet with PAM

Sat Apr 26, 2014 9:05 am
I've written a short guide on how to unlock the KDE Wallet with PAM, avoiding the need for a separate wallet password.

Use this thread to discuss and report adjustments so that they can be incorporated into the guide itself.


"Violence is the last refuge of the incompetent."
Image
Plasma FAQ maintainer - Plasma programming with Python
herby
Registered Member
Posts
1
Karma
0

Re: Hooking KWallet with PAM

Sat Apr 26, 2014 12:23 pm
I have got pam_kwallet working with 4 different machines, but with on caveat.

[*] I used a recent /usr/bin/startkde with pam_kwallet support
[*] I installed socat
[*] I added optional pam_kwallet entries for auth, session and password in /etc/pam.d/xdm after the correspondig includes.

With this configuration pam_kwallet works with local users, when sssd is not installed and for LDAP users, when sssd is installed.

The caveat is:

Logging in as a local user when sssd is in use does not work, because the 'sufficient' in /etc/pam.d/common-auth-pc make pam skip the pam_kwallet entry. Even if one only wants to use LDAP, this can happen by accident. In my case I had a local user with the same name as an LDAP user. I used this local user only for the first login to configure sssd and forgot to delete him afterwards.

I am no pam specialist, but I think it may be useful to use 'substack' instead of 'include' in pam configuration files, so that flow control inside of the common-* files does not extend to the outside. Maybe that's worth to make bug report...
andy1
Registered Member
Posts
1
Karma
0

Re: Hooking KWallet with PAM

Tue May 06, 2014 5:50 pm
I would have a single password for everything, correct?
User avatar einar
Administrator
Posts
3402
Karma
7
OS

Re: Hooking KWallet with PAM

Tue May 06, 2014 7:58 pm
That is correct, your regular user password will be used to unlock KWallet.


"Violence is the last refuge of the incompetent."
Image
Plasma FAQ maintainer - Plasma programming with Python
User avatar Sudhir Khanger
Registered Member
Posts
237
Karma
0
OS

Re: Hooking KWallet with PAM

Sat Jul 26, 2014 6:39 pm
It isn't working for me on Fedora 20 KDE 4.13 and pam-kwallet from stable repositories.

Code: Select all
[[email protected] pam.d]$ cat login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
-auth      optional     pam_kwallet.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
-session   optional     pam_kwallet.so auto_start
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so


Code: Select all
[[email protected] pam.d]$ cat kdm
#%PAM-1.0
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth       required    pam_env.so
auth       substack    system-auth
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet.so
auth       include     postlogin
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    optional    pam_console.so
-session    optional    pam_ck_connector.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    include     system-auth
-session    optional    pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet.so auto_start
session    include     postlogin


Code: Select all
[[email protected] pam.d]$ cat passwd
#%PAM-1.0
auth       include      system-auth
-auth      optional     pam_kwallet.so
account    include      system-auth
password   substack     system-auth
-password   optional    pam_gnome_keyring.so use_authtok
-password   optional    pam_kwallet.so use_authtok
password   substack     postlogin
User avatar OlafLostViking
Registered Member
Posts
11
Karma
0
OS

Re: Hooking KWallet with PAM

Fri May 15, 2015 4:48 pm
Anybody knows details about a potential port to kf5?
sukismedley
Registered Member
Posts
1
Karma
0

Re: Hooking KWallet with PAM

Sat Jul 11, 2015 12:00 pm
promeneur
Registered Member
Posts
28
Karma
0
OS

GPG Certificat ?

Tue Jul 28, 2015 9:51 am
opensuse 13.1 x86_64
kde 4.11.10 , 14.12 from "kde sc current" and "kde sc current extra" source

i chose to use GPG certificate technology to secure kwallet
then
when logging a window opens asking me the pass phrase of the certificate

i applied this guide to unlock kwallet by the login process
https://tweakhound.com/2015/03/15/opens ... tegration/

this guide is inspired by your guide and it is for opensuse 13.2

unlocking kwallet by login process does not work . somothing asks for me the pass phrase .

why ?
- opensuse 13.1 ?
- i use GPG certificate technology to secure kwallet ?

thanks


OpenSuse leap 15 x86_64,Asus Z97-P, Intel Core i5-4590, 8 GB, Intel HD Graphic 4600, Linksys WMP600N, Plugable usb-bt4le bluetooth 4.0 usb adapter, multicard reader USB 3.0 startech.com , HP LaserJet 1220, Headset bluetooth 3.0 Philips SHQ7300
User avatar OlafLostViking
Registered Member
Posts
11
Karma
0
OS

Re: Hooking KWallet with PAM

Tue Jul 28, 2015 10:25 am
For the KF5 users: pam_kwallet5.
promeneur
Registered Member
Posts
28
Karma
0
OS

Re: Hooking KWallet with PAM

Tue Jul 28, 2015 10:42 am
completing my question .

i installed not the factory version but this version of pam-kwallet
http://download.opensuse.org/repositori ... x86_64.rpm


OpenSuse leap 15 x86_64,Asus Z97-P, Intel Core i5-4590, 8 GB, Intel HD Graphic 4600, Linksys WMP600N, Plugable usb-bt4le bluetooth 4.0 usb adapter, multicard reader USB 3.0 startech.com , HP LaserJet 1220, Headset bluetooth 3.0 Philips SHQ7300
User avatar Sudhir Khanger
Registered Member
Posts
237
Karma
0
OS

Re: Hooking KWallet with PAM

Tue Jul 28, 2015 3:57 pm
OlafLostViking wrote:For the KF5 users: pam_kwallet5.


Lack of documentation is a big problem. See my post earlier. No one replied.
arojas
Registered Member
Posts
13
Karma
0
OS

Re: Hooking KWallet with PAM

Sat Aug 29, 2015 12:39 pm
Sudhir Khanger wrote:Lack of documentation is a big problem. See my post earlier. No one replied.


I agree. As a packager, I have no idea what I have to do to make this work out of the box, or even if I'm supposed to, or it's users who should make the necessary adjustments. The closest thing I could find to official documentation is einar's post, which refers to the kde4 version.

 
Reply to topic

Bookmarks



Who is online

Registered users: Baidu [Spider], Bing [Bot], boudewijn, cairncrossr, chechoxque, Google [Bot], ipwizard, Stephen Leibowitz, Yahoo [Bot]