Bug 383115

Summary: With encrypted and _not_ already mounted $HOME: kwallet (and ssh-agent) not opened automatically on login. (With already mounted home it works.)
Product: [KDE Neon] neon
Reporter: Achim Bohnet <ach>
Component: Packages User Edition
Assignee: Neon Bugs <neon-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: bobbywibowo, bryantdl7, isa-lie, jr, kramski, neon-bugs, sitter
Priority: NOR
Version First Reported In: unspecified
Target Milestone: ---
Platform: Other
OS: Linux
See Also: https://bugs.kde.org/show_bug.cgi?id=375236
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Achim Bohnet 2017-08-04 11:03:47 UTC
Setup:
* create a new user newuser with an encrypted $HOME
* login and create the kdewallet and generate an ssh keypair. Always use the same PW as for the login!
* logout 

with an admin user on virtual console:
 * no process owned by newuser is running
 * home is mounted:  mount | grep <newuser>


Now login:

$HOME mounted before login:
 * start kwalletmanager and you see that kdewallet is already open
 * start konsole and type ssh-add -l and you see fingerprint of your ssh key
=> yeah! Everything is okay
 * logout


With an adminuser on virtual console: sudo umount ~<newuser>  

not mounted before login (sudo umount ~<newuser> )
 * during login kwallet prompts for password
 * open konsole and ssh-add -l  lists nothing (ssh key not automatically loaded)
=> Bug (IMHO)

Expected result:  Even with $HOME not mounted before login wallet and ssh-agent
should be automatically opened during login, when login, wallet, and ssh-key password are the same.

FWIW: I've made no changes to the /etc/pam.d/* files.
Comment 1 Achim Bohnet 2017-08-04 12:54:59 UTC
FWIW Failed try:  pam_ecryptfs is called after pam_ssh.  So I tried to increase the Priority 1 -> 65 (ssh has 64) and run pam-auth-update to exchange the order in common-{auth,session}.
Did not work :-( Still same problem :-(

Maybe I should have expected this as pam_kwallet5 was always listed after pam_ecryptfs.   Therefore I suspect that mount is async in pam_ecryptfs.

Achim

[2]root@lap-allee:/etc/pam.d# diff -u /etc/pam.d/common-auth{.orig,}; diff -u /etc/pam.d/common-session{.away,}
--- /etc/pam.d/common-auth.orig 2017-08-04 13:34:10.384087845 +0200
+++ /etc/pam.d/common-auth      2017-08-04 14:27:43.789524897 +0200
@@ -22,6 +22,6 @@
 # since the modules above will each just jump around
 auth   required                        pam_permit.so
 # and here are more per-package modules (the "Additional" block)
-auth   optional        pam_ssh.so use_first_pass
 auth   optional        pam_ecryptfs.so unwrap
+auth   optional        pam_ssh.so use_first_pass
 # end of pam-auth-update config
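Review bot: Moving pam_ssh.so below pam_ecryptfs.so in the auth "Additional" block only helps if $HOME is actually mounted by the time the auth stack reaches pam_ssh.so, and nothing in this hunk establishes that. If the mount itself happens later, for example in the session phase, pam_ssh.so with use_first_pass still cannot find the key files under $HOME here, whatever the line order. Both lines are also "optional", so a failure of either is not surfaced at login; confirm the ordering assumption from the auth log before relying on it. Since the block ends with "# end of pam-auth-update config", the order is generated from the profiles under /usr/share/pam-configs, and a Priority edited in the packaged ecryptfs-utils profile can be reset by a package update.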
--- /etc/pam.d/common-session.away      2017-07-21 08:28:13.390559234 +0200
+++ /etc/pam.d/common-session   2017-08-04 14:27:43.801524888 +0200
@@ -27,8 +27,8 @@
 session optional                       pam_umask.so
 # and here are more per-package modules (the "Additional" block)
 session        required        pam_unix.so 
-session        optional        pam_ssh.so 
 session        optional        pam_ecryptfs.so unwrap
+session        optional        pam_ssh.so 
 session        optional pam_tmpdir.so 
 session        optional        pam_systemd.so 
 # end of pam-auth-update config
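Review bot: The reordered session block still contains no pam_kwallet5 line (and neither does the auth block above), so this change cannot affect wallet unlocking; the kwallet entries must live in another PAM file, and that is where their position relative to the ecryptfs mount needs checking. For pam_ssh.so the new position after pam_ecryptfs.so is the right direction, but both remain "optional" and the hunk gives no evidence that the mount has completed when pam_ssh.so runs, so verify that from the session log rather than from line order. The Priority: 65 shown in /usr/share/pam-configs/ecryptfs-utils is a local edit to a packaged file and should be recorded as such, since an upgrade can revert it and silently restore the old order.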
[1]root@lap-allee:/etc/pam.d# grep Prio /usr/share/pam-configs/ecryptfs-utils 
Priority: 65
Comment 2 kramski 2018-04-09 21:14:42 UTC
Same Problem here on Arch (Plasma 5.12.4-0 and Framework 5.44.0-1).

After running "ecryptfs-migrate-home" on my $HOME and setting up automount with pam_ecryptfs.so in /etc/pam.d/system-auth, kdewallet is no longer automatically unlocked by pam_kwallet5.so in /etc/pam.d/sddm (this used to work before encryption).

I can also confirm that it works if $HOME is already mounted.

When it fails, I see this error message in the journal:

"Apr 09 19:47:08 schwindl kwalletd5[796]: Wallet failed to get opened by PAM, error code is -9".
Comment 3 kramski 2020-01-17 19:20:31 UTC
The workaround from https://wiki.gentoo.org/wiki/KDE#KWallet_auto-unlocking works for me - copy /home/$USER/.local/share/kwalletd/kdewallet.salt from the mounted, unencrypted $HOME to the same exact location of the unmounted, encrypted $HOME.

However, this raises the question if it is safe to always have kdewallet.salt unencrypted?
Comment 4 BRYANTDL7 2025-09-09 16:09:42 UTC
This ticket has been archived due to the age of this request, in order to keep currently present issues at the forefront for proper resolution. If this issue is still present, please reopen this ticket and provide additional details related to the request.