I currently have the two attached files in my /etc/pam.d (I think they should be bundled with the package) and I include them in system-auth and system-login. Still, I need to enter my kwallet password every time I logon. Reproducible: Always
Created attachment 412880 [details] /etc/pam.d/kwallet-login
Created attachment 412882 [details] /etc/pam.d/kwallet-passwd
Created attachment 412884 [details] /etc/pam.d/system-auth
Created attachment 412886 [details] /etc/pam.d/system-login
Can you check if these instructions work? https://wiki.archlinux.org/index.php/KDE_Wallet
That's where I got the config from. (There is no KWallet page on the Gentoo wiki! I'm meaning to write one, but how can I if I don't even get it configured myself...) Does the config from the page you linked differ from mine (except that I created extra files)?
Ah, it was just an idea (I'm not sure if anyone has successfully set it up on Gentoo). Apart from being in a separate file, the only difference I saw is a missing leading dash.
Right, but the dash only is a "quiet" option, right? (Which I don't want, because I want to debug it... but no idea where the debug output lands)
Created attachment 412902 [details] journalctl -b | grep kwallet This is the log output for this boot. I booted up and logged in via SDDM, logged out of the graphical session and logged in again.
Created attachment 415172 [details] kwallet-pam-5.4.2-r1.ebuild with kde4 support I am facing the same problem. I also found the documentation from Arch and tried there pam config without any luck. Then I noticed they have two pam modules, pam_kwallet.so and pam_kwallet5.so. Gentoo ebuild only installs one, so I analyzed their buidlscript [1] and found out, that you can pass the parameter -DKWALLET4=1 to cmake in order to build some kind of kde4 support? I modified the Gentoo ebuild (see attachment) to also build the kde4-part. I configured it in /etc/pam.d/sddm as documented in the Arch Wiki like so: auth include system-login auth optional pam_kwallet5.so auth optional pam_kwallet.so kdehome=.kde4 account include system-login password include system-login session include system-login session optional pam_kwallet5.so auto_start session optional pam_kwallet.so But unfortunately still no luck. Both PAM modules are loaded but the wallet is not unlocked. [1] https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/kwallet-pam
On my system, I notice that there are two kwalletd5 processes: $ pgrep -au $USER wallet 30363 /usr/bin/kwalletd5 --pam-login 15 19 30627 /usr/bin/kwalletd5 I also notice that the currently running dbus-daemon was started *after* kwalletd5 (higher PID): $ pgrep -au $USER dbus 30378 /usr/bin/dbus-launch --sh-syntax --exit-with-session 30379 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 15 --session Could it be, that KDE does not detect the running kwalletd and starts a new one? Ideas why that could be: * kwalletd5 --pam-login is started in sddm's dbus session, which is not available later when KDE actually starts. * kwalletd5 --pam-login fails to register itself on the dbus. * KDE kills any existing dbus sessions and starts a new one.
I've added a pull request with some changes / upstream fixes, please give it a try: https://github.com/gentoo/kde/pull/464 Please also note that per Arch wiki: - currently, the wallet name must be 'kdewallet'. - use standard blowfish encryption, GnuPG does not work at this point. I can see something going on in messages at least: sddm-helper[20922]: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate sddm-helper[20922]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred ... sddm-helper[20922]: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_open_session sddm-helper[20922]: pam_kwallet5(sddm:session): pam_kwallet5: final socket path: /tmp/kwallet5_$USER.socket
I tried your changes/fixes but it still fails for me, only getting the same output you already observed.
What if you change the line to: auth optional pam_kwallet5.so kdehome=.local/share
Doesn't change the behaviour here. I still get the same messages you described.
Yeah, changing the line doesn't help either.
I wonder whether this is somehow related to "su -" on my system hanging for about 30s after I entered my password, before showing me the prompt. I assume there is some timeout involved? Maybe because some PAM module tries to contact something via DBus or similar? ("sudo -i" does not show this behaviour.) Does anyone else also see this on his system?
(In reply to Dennis Schridde from comment #17) > I wonder whether this is somehow related to "su -" on my system hanging for > about 30s after I entered my password, before showing me the prompt. I > assume there is some timeout involved? Maybe because some PAM module tries > to contact something via DBus or similar? ("sudo -i" does not show this > behaviour.) > > Does anyone else also see this on his system? I doubt it's related. "su -" is immediate on my system, but I have the kwallet bug. Seems like a separate bug.
It appears that kde-plasma/kwallet-pam-5.4.95-r1::kde fixed this.
(In reply to Dennis Schridde from comment #19) > It appears that kde-plasma/kwallet-pam-5.4.95-r1::kde fixed this. It changes the installation path of the module, but it still does not successfully unlock my kwallet here. But I cannot see an error message either: Nov 26 09:34:22 schroedinger sddm-helper[2190]: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate Nov 26 09:34:22 schroedinger sddm-helper[2190]: [PAM] returning. Nov 26 09:34:22 schroedinger sddm-helper[2190]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred Nov 26 09:34:22 schroedinger sddm-helper[2190]: pam_unix(sddm:session): session opened for user fabian by (uid=0) Nov 26 09:34:22 schroedinger sddm-helper[2190]: Starting: "/usr/share/sddm/scripts/Xsession" "/usr/bin/startkde" Nov 26 09:34:22 schroedinger sddm-helper[2196]: Adding cookie to "/home/fabian/.Xauthority" Nov 26 09:34:22 schroedinger sddm-helper[2120]: [PAM] Ended. Nov 26 09:34:22 schroedinger sddm[1996]: Auth: sddm-helper exited successfully Nov 26 09:34:22 schroedinger sddm-helper[2190]: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_open_session Nov 26 09:34:22 schroedinger sddm-helper[2190]: pam_kwallet5(sddm:session): pam_kwallet5: final socket path: /tmp/kwallet5_fabian.socket
Same here, it's not fixed.
I finally managed to get it working (at least for kwallet5) by adding the missing runtime dependency on net-misc/socat. Created a pull request: https://github.com/gentoo/kde/pull/505
(In reply to Fabian Köster from comment #22) > I finally managed to get it working (at least for kwallet5) by adding the > missing runtime dependency on net-misc/socat. Created a pull request: > > https://github.com/gentoo/kde/pull/505 Out of curiosity, do you know exactly which part uses it? A quick grep in kwallet-pam didn't show anything.
(In reply to Michael Palimaka (kensington) from comment #23) > (In reply to Fabian Köster from comment #22) > > I finally managed to get it working (at least for kwallet5) by adding the > > missing runtime dependency on net-misc/socat. Created a pull request: > > > > https://github.com/gentoo/kde/pull/505 > > Out of curiosity, do you know exactly which part uses it? A quick grep in > kwallet-pam didn't show anything. It is not used from kwallet-pam sourcecode but kde-plasma/plasma-workspace: /startkde/startkde.cmake: env | socat STDIN UNIX-CONNECT:$PAM_KWALLET_LOGIN /startkde/startkde.cmake: env | socat STDIN UNIX-CONNECT:$PAM_KWALLET5_LOGIN Maybe the dependency should be in plasma-workspace? I a m not sure about this...
(In reply to Fabian Köster from comment #22) > I finally managed to get it working (at least for kwallet5) by adding the > missing runtime dependency on net-misc/socat. Thank you, that's very interesting! I recently installed net-misc/socat for the powerline shell statusline (bug #566444), so that might also have caused the fix reported in comment #19.
(In reply to Fabian Köster from comment #24) > (In reply to Michael Palimaka (kensington) from comment #23) > > (In reply to Fabian Köster from comment #22) > > > I finally managed to get it working (at least for kwallet5) by adding the > > > missing runtime dependency on net-misc/socat. Created a pull request: > > > > > > https://github.com/gentoo/kde/pull/505 > > > > Out of curiosity, do you know exactly which part uses it? A quick grep in > > kwallet-pam didn't show anything. > > It is not used from kwallet-pam sourcecode but kde-plasma/plasma-workspace: > > /startkde/startkde.cmake: env | socat STDIN > UNIX-CONNECT:$PAM_KWALLET_LOGIN > /startkde/startkde.cmake: env | socat STDIN > UNIX-CONNECT:$PAM_KWALLET5_LOGIN > > Maybe the dependency should be in plasma-workspace? I a m not sure about > this... Great, thanks for the info! Since it looks like it will only ever be called if kwallet-pam is active, it's probably fine to keep the dep in kwallet-pam.
Thanks, fixed in git. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e3be3e92c29ba6497b7abf7dbcaabd09ff9e516
Sorry, still doesn
Created attachment 418698 [details] journalctl -b | grep kwallet
(Double sorry, I hit enter to early on the last comment.) This is still not fixed for me. I get an error code -9.
What is the name of your wallet and what encryption method does it use?
The name is kdewallet. About the encryption method, I'm not absolutely sure anymore. I thought I'm using Blowfish, but possibly it's GPG, which might be the culprit then. How do I find out?
I've been struggling to get pam_kwallet5 working for a while. I was seeing errors like this: Dec 30 07:27:21 shadowcat sddm-helper[2174]: pam_kwallet5(sddm:session): (null): pam_sm_open_session Dec 30 07:27:21 shadowcat sddm-helper[2174]: pam_kwallet5(sddm:session): pam_kwallet5: open_session called without kwallet5_key I eventually tracked it down to a line in /etc/pam.d/system-auth: auth sufficient pam_ssh.so try_first_pass Changing 'sufficient' to 'optional' fixed the problem. I think that pam_ssh was causing the auth cycle of the pam stack to exit before pam_kwallet5 got a look in. Noting here for the record in case anyone in this thread is suffering from the same issue, or someone on the interwebs finds this bug report in the future.
<wltjr> with sddm seems to require adding the stuff to /etc/pam.d/sddm, the stuff I added to kde had no effect, /etc/pam.d/kde was used by kdm but does not seem to be by sddm for obvious reasons
So, kde-apps/kwalletd-pam:4 is now in tree for proper unlocking of KDE4-based wallets. kdebase-pam-10 contains the required PAM settings for KDM (_only_ for kwalletd:4/kwalletd-pam:4), sddm-0.13.0-r3 ships the required lines for both KDE4-and KF5-based wallet unlocking. I've tested both ways (KDM and SDDM) with success.
(In reply to manuel from comment #30) > (Double sorry, I hit enter to early on the last comment.) > > This is still not fixed for me. I get an error code -9. KDE Wallet - ArchWiki "If your KWallet password is the same as your username password, you can unlock your wallet automatically on login. " https://wiki.archlinux.org/index.php/KDE_Wallet