Summary: Transition pam-kwallet to kwallet5 -- allowing single-sign-on

| Field | Value |
|---|---|
| Product | [Frameworks and Libraries] frameworks-kwallet |
| Component | general |
| Status | RESOLVED FIXED |
| Severity | wishlist |
| Priority | NOR |
| Version | unspecified |
| Target Milestone | --- |
| Platform | Other |
| OS | Linux |
| Reporter | Leon Maurer <leon.maurer> |
| Assignee | Alex Fiestas <afiestas> |
| CC | ach, anders, ansla80, aurelien, auxsvr, bastian.beischer, bernie, brix, bugs.kde.org, bugs.kde, CisBug, cjacker, emisca, endymion+kde, eseifert, esigra, heri+kde, hirvard, ivan, jimmy.kloss, kde-bugs, kde, kde, kdebugs, kdelibs-bugs, kolAflash, kwbolte, L.Bonnaud, l.jirkovsky, malkavian666, manuel, MurzNN, olaf.the.lost.viking, orion, pavol, pietro.pizzi, russianneuromancer, sjakub, tailings, thothonegan, till2.schaefer, toddrme2178, valir |
| Latest Commit | |
| Version Fixed In | |
| Sentry Crash Report | |
| Attachments | patch to kf5 kwallet; patch to pam-kwallet git codes. |

Description
Leon Maurer
2015-06-10 21:13:20 UTC
Oh yes please. With the gnupg backend this may shift towards a pam module to unlock the gpg key, similar to pam_ssh [1].

[1] http://www.unix.com/man-page/debian/8/pam_ssh/

Seems that in Kubuntu 15.04 there are some improvements on this feature: I see signon-kwallet-extension and pam-kwallet packages. Are these packages from KDE or Ubuntu developers?

@Murz, I contacted the Kubuntu folks first and they said that there wasn't anything they could do: https://bugs.launchpad.net/ubuntu/+source/kubuntu-meta/+bug/1451865

Still, I'd be curious to know about those packages.

Hello Alex, pam-kwallet is still in your scratch repositories. I think pam-kwallet should end up in the KF5::Wallet framework, in the runtime directory. Do you plan to port it to KF5? Do you need help with that?

I don't have plans (or time) at this very moment, so please feel free to take over.

Created attachment 93611
patch to kf5 kwallet

Patch to kf5 kwallet, enabling pam_kwallet support. Code taken directly from kde4.

Created attachment 93612
patch to pam-kwallet git codes.

git clone git://anongit.kde.org/scratch/afiestas/pam-kwallet.git
And apply this patch.
Changes:
1. kdehome is not needed anymore, since kwalletd stores files in ~/.local/share/kwalletd/
2. Change the path of kdewallet.salt accordingly.

pam_kwallet still has some limitations:

1. It only handles the wallet named 'kdewallet'.
2. If you had 'kdewallet' created already, you need to set the wallet password to the same as the account password.
3. It does not currently implement 'pam_sm_chauthtok'; that is to say, using the 'passwd' utility to change the account password will NOT change the 'wallet' password. kwallet still uses the old password, and you need to change it manually.

I checked the kwalletd/kwallet code and found it is REALLY difficult to change the runtime kwallet password via pam_sm_chauthtok. kwallet loads everything into memory; if the password is changed via kwalletmanager5, it will sync back via the kwallet backend. Changing the 'salt' from outside cannot change the password of the wallet.

@Cjacker Please keep in mind: Those limitations might be ugly. But the core functionality of pam_kwallet (logging in without typing the password twice) is what people really need! So that should have priority.

@Cjacker I'm not in a position to test your patch, but I may owe you a beer. Thanks for helping out!

(In reply to Cjacker from comment #9)
> pam_kwallet still has some limitations:
>
> 1. It only handles the wallet named 'kdewallet'.
>
> 2. If you had 'kdewallet' created already, you need to set the wallet password
> to the same as the account password.
>
> 3. It does not currently implement 'pam_sm_chauthtok'; that is to say, using the
> 'passwd' utility to change the account password will NOT change the 'wallet'
> password. kwallet still uses the old password, and you need to change it manually.
>
> I checked the kwalletd/kwallet code and found it is REALLY difficult to change
> the runtime kwallet password via pam_sm_chauthtok. kwallet loads everything into
> memory; if the password is changed via kwalletmanager5, it will sync back via
> the kwallet backend. Changing the 'salt' from outside cannot change the password
> of the wallet.

This one is true. But good news - the replacement KSecrets Service will handle that for you automagically.

What is the correct configuration in the PAM files to get this working? At least under Gentoo, this doesn't work: https://bugs.gentoo.org/show_bug.cgi?id=561470

(In reply to Manuel Bärenz from comment #14)
> What is the correct configuration in the PAM files to get this working? At
> least under Gentoo, this doesn't work:
> https://bugs.gentoo.org/show_bug.cgi?id=561470

Google: https://www.dennogumi.org/2014/04/unlocking-kwallet-with-pam/

(In reply to Valentin Rusu from comment #15)
> (In reply to Manuel Bärenz from comment #14)
> > What is the correct configuration in the PAM files to get this working? At
> > least under Gentoo, this doesn't work:
> > https://bugs.gentoo.org/show_bug.cgi?id=561470
>
> Google:
> https://www.dennogumi.org/2014/04/unlocking-kwallet-with-pam/

This is for KDE4, and it doesn't work for kwallet5.