Summary: | Credentials handover from kscreenlocker to kwallet to support the case of auto-login plus screenlock-on-login | ||
---|---|---|---|
Product: | [Plasma] kscreenlocker | Reporter: | florianhilgenberg |
Component: | general | Assignee: | Plasma Bugs List <plasma-bugs> |
Status: | RESOLVED DUPLICATE | ||
Severity: | wishlist | CC: | aleixpol, bhush94, espidev, justin.zobel, kde, kdelibs-bugs, nate |
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | Fedora RPMs | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: | ||
Attachments: |
attachment-18842-0.html
attachment-21770-0.html |
Description
florianhilgenberg
2022-04-09 18:24:17 UTC
This isn't possible because on autologin, no credentials are passed along at all; the entire credential-passing system is bypassed. As a result, there are no credentials for kwallet to get. The only way to make your wallet automatically unlock on login when using autologin is to set your wallet to have no password too! There isn't another sane and secure way to do this. In Plasma 5.25, we show a warning that tells you all of this when you turn on autologin, so you won't be confused. Created attachment 148102 [details] attachment-18842-0.html But when you got a locked screen, you can catch the password, that was entered for the unlock and handover to wallet, right? On Mon, 11 Apr 2022, 20:05 Nate Graham, <bugzilla_noreply@kde.org> wrote: > https://bugs.kde.org/show_bug.cgi?id=452442 > > Nate Graham <nate@kde.org> changed: > > What |Removed |Added > > ---------------------------------------------------------------------------- > Resolution|--- |WORKSFORME > CC| |nate@kde.org > Status|REPORTED |RESOLVED > > --- Comment #1 from Nate Graham <nate@kde.org> --- > This isn't possible because on autologin, no credentials are passed along > at > all; the entire credential-passing system is bypassed. As a result, there > are > no credentials for kwallet to get. The only way to make your wallet > automatically unlock on login when using autologin is to set your wallet to > have no password too! There isn't another sane and secure way to do this. > > In Plasma 5.25, we show a warning that tells you all of this when you turn > on > autologin, so you won't be confused. > > -- > You are receiving this mail because: > You reported the bug. Theoretically yes, but to implement that we would have to punch a security hole in the screen locker that would make it less secure. Also it wouldn't solve the problem because the lock screen and the login screens are separate things. The wallet still wouldn't unlock at *login*. Really, if you have auto-login on, I'm not sure how much sense it makes to use a lock screen at all. Clearly security is not a major concern in such a use case. :) Created attachment 148103 [details] attachment-21770-0.html Thank you for elaborating. I am locking via Auto start instantly after Autologin. That for first user interaction is to enter password, thatfor I don't care what happens after login, I care about after unlocking. Let me elaborate since I got a feeling to not have explained myself very well. Desired Process: 1. Auto login, kwallet locked 2. Autostart triggers loginctl lock-session 3. User unlocks from lockscreen 4. Kwallet gets password from the unlock process. I can't see how that is another security issue than unlock the wallet upon manual login. If this is still declined, I won't force it anymore. Thank you :) On Mon, 11 Apr 2022, 20:36 Nate Graham, <bugzilla_noreply@kde.org> wrote: > https://bugs.kde.org/show_bug.cgi?id=452442 > > --- Comment #3 from Nate Graham <nate@kde.org> --- > Theoretically yes, but to implement that we would have to punch a security > hole > in the screen locker that would make it less secure. Also it wouldn't > solve the > problem because the lock screen and the login screens are separate things. > The > wallet still wouldn't unlock at *login*. > > Really, if you have auto-login on, I'm not sure how much sense it makes to > use > a lock screen at all. Clearly security is not a major concern in such a use > case. :) > > -- > You are receiving this mail because: > You reported the bug. Aha! That is a legitimate use case. On Plasma Mobile we do that, with auto-login plus an immediate lock. So this seems like something worth supporting. +1 we've discussed and agreed in meetings in the past that this would be useful to have. It's a matter of getting it done. > It's a matter of getting it done.
The challenge is the process order.
Pam code forks a process sets an env with a path to a socket.
When kwalletd starts it maybe connects to this.
This all needs to happen before kwalletd tries to start up from any other activation.
*** This bug has been marked as a duplicate of bug 346741 *** |