Bug 413285

Summary: Better handling for the case where user changed their password with something other than the Users KCM
Product: [Frameworks and Libraries] kwallet-pam Reporter: kolAflash <kolAflash>
Component: generalAssignee: Plasma Bugs List <plasma-bugs-null>
Status: CONFIRMED ---    
Severity: wishlist CC: kde, nate, postix
Priority: NOR    
Version First Reported In: 5.17.0   
Target Milestone: ---   
Platform: Other   
OS: Linux   
See Also: https://bugs.kde.org/show_bug.cgi?id=389030
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description kolAflash 2019-10-21 15:19:43 UTC 
This ticket is about the user password being changed via a non-KDE tool (e.g. "passwd" on shell) or being changed by the administrator.

If a user changes his password via KDE user-manager, this is handled here:
Bug 413284 - user-manager should change kwallet password (if identical before)

KWallet should remember if the user-password and the kwallet password where identical and kwallet-pam used to work.
(don't remember the clear text passwords, just a boolean if it used to work)
So if opening KWallet stops working on a login, KWallet should automatically ask what to do. Choices:
- change KWallet password to new user password*
- reset KWallet if old user/kwallet password is lost

In this case, only the old user password might be asked for. The new user password may be provided automatically.
Keep in mind: If kwallet-pam worked well before, many users won't even know about the whole kwallet password store concept. So asking them explicitly for a new password just causes confusion.
Comment 1 David Edmundson 2019-10-21 15:23:28 UTC 
PAM does have a hook that can get called it the password is being changed.

Ideally we should try and change the wallet password (gnome keyring does this). I did have a try, but there's a problem that our kwallet requires having a working X/wayland connection which makes life harder.
Comment 2 kolAflash 2019-10-21 15:36:09 UTC 
(In reply to David Edmundson from comment #1)
> PAM does have a hook that can get called it the password is being changed.
> 
> Ideally we should try and change the wallet password (gnome keyring does
> this). I did have a try, but there's a problem that our kwallet requires
> having a working X/wayland connection which makes life harder.

OK, this is a great idea if the same user changes the password via another non-KDE tool (e.g. "passwd").
Maybe this is even a more generic approach than implementing something in the KDE user-manager.
-> Bug 413284 - user-manager should change kwallet password (if identical before)

But a PAM hook won't work if the administrator/root changes the user password. Because the administrator probably can't provide the old user password for kwallet decryption.
Comment 3 Nate Graham 2019-10-27 23:35:47 UTC 
(In reply to David Edmundson from comment #1)
> PAM does have a hook that can get called it the password is being changed.
> 
> Ideally we should try and change the wallet password (gnome keyring does
> this). I did have a try, but there's a problem that our kwallet requires
> having a working X/wayland connection which makes life harder.
FWIW this is tracked by Bug 389030.