How to configure pam_kwallet to auto-unlock the default kwallet5 "kdewallet" from sddm login credentials on openSUSE Leap 42.3 KDE Plasma5
Note: Many other guides and posts were attempted before creating this; however, they either no longer work or are ugly hacks which don't follow SUSE's odd pam.d layouts. Essentially, this solution boils down to this: pam_kwallet needs to be loaded from its own substack, just as pam_gnome_keyring is already configured to do, so new substacks were created based on the gnome_keyring ones so that they could be added to sddm. I'm unsure how gnome_keyring and kwallet behave if both are loaded from the same substack, so I kept them in separate stacks. This was tested with only kwallet5 installed, but it should also optionally load the old kwallet4 if it's present. My understanding of PAM is limited, so I'm open to suggestions, but this seemed like the cleanest solution which doesn't get overwritten on updates, though it should probably be globally registered as a recognized PAM stack somehow.
openSUSE's /etc/pam.d/ uses common files that are included as needed in each of the other files to simplify things. From my understanding, these common files are equivalent to having substack groups in each file, as Fedora and Kubuntu often do (with lines starting with @). While that could work on openSUSE too, you'd have to make a lot more modifications and follow the trail of common stacks in order to get everything to load properly without causing recursive PAM loops. The main common files are usually named common-foo, which are actually symlinks to common-foo-pc (for example), so I chose to keep that same structure for simplicity and consistency.
Prerequisites: pam_kwallet must be installed, and it is assumed that you have kwalletd5 installed too. kwalletd (v4) is optional for legacy stuff and was untested, but it should work too.
Make copies of the required common stacks:
cd /etc/pam.d/
cp common-auth-pc kwallet-auth-pc
cp common-password-pc kwallet-password-pc
cp common-session-pc kwallet-session-pc
Symlink the copied files to their appropriate names:
ln -s kwallet-auth-pc kwallet-auth
ln -s kwallet-password-pc kwallet-password
ln -s kwallet-session-pc kwallet-session
You should end up with the following files:
/etc/pam.d/kwallet-auth -> kwallet-auth-pc
/etc/pam.d/kwallet-auth-pc
/etc/pam.d/kwallet-password -> kwallet-password-pc
/etc/pam.d/kwallet-password-pc
/etc/pam.d/kwallet-session -> kwallet-session-pc
/etc/pam.d/kwallet-session-pc
Edit each file: comment out any pam_gnome_keyring.so lines and add pam_kwallet5.so and pam_kwallet.so lines in their place. (The leading "-" on the pam_kwallet.so lines tells PAM to skip that module silently if it is not installed, which is what makes the kwallet4 module optional.)
/etc/pam.d/kwallet-auth :
#%PAM-1.0
# kwallet auth stack
auth required pam_env.so
#-auth optional pam_gnome_keyring.so
auth optional pam_kwallet5.so
-auth optional pam_kwallet.so
auth required pam_unix.so try_first_pass
/etc/pam.d/kwallet-password :
#%PAM-1.0
# kwallet password stack
password requisite pam_cracklib.so
#password optional pam_gnome_keyring.so use_authtok
password optional pam_kwallet5.so use_authtok
-password optional pam_kwallet.so use_authtok
password required pam_unix.so use_authtok nullok shadow try_first_pass
/etc/pam.d/kwallet-session :
#%PAM-1.0
# kwallet session stack
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_systemd.so
#session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
session optional pam_kwallet5.so auto_start only_if=sddm,sddm-helper,sddm-greeter
-session optional pam_kwallet.so auto_start only_if=sddm,sddm-helper,sddm-greeter
session optional pam_env.so
Add these new stacks below the existing ones in /etc/pam.d/sddm:
/etc/pam.d/sddm :
#%PAM-1.0
auth include common-auth
auth include kwallet-auth
account include common-account
password include common-password
password include kwallet-password
session required pam_loginuid.so
session include common-session
session include kwallet-session
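The copy, edit and include steps above, automated as a shell script that can be rehearsed on a copy of /etc/pam.d before touching the real one. This is an added example, not code from the original post; the make_sample_pamd files are constructed, abridged stand-ins for openSUSE's common-*-pc and sddm files, not the real ones.

```shell
# Added example, not the post's own code: builds the kwallet-* substacks from
# the common-*-pc files as the steps above do, then verifies the result.
# PAMDIR is a parameter so it can be rehearsed on a copy before /etc/pam.d.
set -eu
# Comment out each active pam_gnome_keyring.so line and add pam_kwallet5.so /
# pam_kwallet.so lines of the same type and args, with sddm's only_if= list.
kwallet_stack() {            # kwallet_stack common-auth-pc kwallet-auth-pc
    awk '
    /^[ \t]*#/ { print; next }
    /pam_gnome_keyring\.so/ { print "#" $0
        type = $1; sub(/^-/, "", type)
        args = $0; sub(/^.*pam_gnome_keyring\.so[ \t]*/, "", args)
        sub(/only_if=[^ \t]*/, "only_if=sddm,sddm-helper,sddm-greeter", args)
        if (args != "") args = " " args
        print type " optional pam_kwallet5.so" args
        print "-" type " optional pam_kwallet.so" args
        next }
    { print }' "$1" > "$2"
}
make_kwallet_stacks() {      # make_kwallet_stacks PAMDIR
    for s in auth password session; do
        kwallet_stack "$1/common-$s-pc" "$1/kwallet-$s-pc"
        ln -sfn "kwallet-$s-pc" "$1/kwallet-$s"
        # PAM chains lines per type, so an appended include still follows common-$s
        grep -Eq "^$s[[:space:]]+include[[:space:]]+kwallet-$s" "$1/sddm" ||
            printf '%s include kwallet-%s\n' "$s" "$s" >> "$1/sddm"
    done
}
# 0 when each stack is a symlink, loads pam_kwallet5.so, has no active gnome line and is included from sddm
check_kwallet_stacks() {     # check_kwallet_stacks PAMDIR
    for s in auth password session; do
        [ -L "$1/kwallet-$s" ] || return 1
        grep -Eq "^-?$s[[:space:]].*pam_kwallet5\.so" "$1/kwallet-$s" || return 1
        ! grep -Eq "^-?$s[[:space:]].*pam_gnome_keyring\.so" "$1/kwallet-$s" || return 1
        grep -Eq "^$s[[:space:]]+include[[:space:]]+kwallet-$s" "$1/sddm" || return 1
    done
}
# Constructed, abridged stand-ins for openSUSE's common-*-pc and sddm files.
make_sample_pamd() {         # make_sample_pamd DIR
    mkdir -p "$1"
    printf '%s\n' 'auth required pam_env.so' '-auth optional pam_gnome_keyring.so' \
        'auth required pam_unix.so try_first_pass' > "$1/common-auth-pc"
    printf '%s\n' 'password optional pam_gnome_keyring.so use_authtok' \
        'password required pam_unix.so use_authtok' > "$1/common-password-pc"
    printf '%s\n' 'session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm' \
        'session optional pam_env.so' > "$1/common-session-pc"
    printf '%s\n' 'auth include common-auth' 'password include common-password' \
        'session include common-session' > "$1/sddm"
}
```

Run it as make_sample_pamd /tmp/pamd && make_kwallet_stacks /tmp/pamd && check_kwallet_stacks /tmp/pamd, then diff the generated files against the ones listed above before repeating on /etc/pam.d.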
If the default kdewallet has not been created yet, you may also need to create or modify these files so that they contain the following lines:
~/.config/kwalletrc :
[Migration]
alreadyMigrated=true
[Wallet]
First Use=false
~/.config/kwalletmanager5rc :
[Wallet]
First Use=false
Note: If you had already created the default kdewallet, I believe it needs to have the same password as your login password in order for this to work. This was tested without any wallets created, and upon login the default kdewallet should automatically be created using your login credentials.
Reboot, log into KDE and check journalctl or other relevant logs (if you have logging enabled). You should see something similar to this, and kwallet should no longer nag you to set up a new wallet or ask for a password:
display-manager[1390]: kwalletd5: Checking for pam module
display-manager[1390]: kwalletd5: Got pam-login param
display-manager[1390]: kwalletd5: Waiting for hash on 15-
display-manager[1390]: kwalletd5: waitingForEnvironment on: 18
display-manager[1390]: kwalletd5: client connected
display-manager[1390]: kwalletd5: client disconnected
org.kde.kwalletd5[2513]: kwalletd5 started
org.kde.kwalletd5[2513]: Migration agent starting...
org.kde.kwalletd5[2513]: old wallets were already migrated
org.kde.kwalletd5[2513]: Migration agent stop.
sddm-helper[2475]: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
sddm-helper[2475]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
sddm-helper[2475]: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_open_session
sddm-helper[2475]: pam_kwallet5(sddm:session): pam_kwallet5: final socket path: /tmp/kwallet5_myuser.socket
Add kwalletmanager5 to KDE's list of startup programs (so the wallet is opened and can stay open). I'm unsure if this is needed, however, since it seemed to work without it too.
Note: kwalletmanager5 doesn't appear to refresh the list of applications currently using the wallet without closing and re-opening it again. I'm unsure if this is a bug, but it doesn't seem to affect functionality in any way.
TODO:
- Figure out the correct pam_env.so settings so that it creates sockets in $XDG_RUNTIME_DIR and not /tmp/
- Figure out the purpose of pam_kwallet_init and /etc/xdg/autostart/pam_kwallet_init.desktop
this is great!