Bug 476095

Summary: KDE Wallet doesn't get unlocked for systemd-homed managed users when logging in via FIDO2 key
Product: [Frameworks and Libraries] frameworks-kwallet Reporter: Balázs Róbert Börcsök <pauljouser>
Component: generalAssignee: Valentin Rusu <valir>
Status: REPORTED ---    
Severity: normal CC: kdelibs-bugs-null, nicolas.fella
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Balázs Róbert Börcsök 2023-10-25 20:31:05 UTC 
SUMMARY
***
KDE Wallet doesn't get unlocked for systemd-homed managed users when logging in via FIDO2 key
***

STEPS TO REPRODUCE
1. Create a systemd-homed managed user.
2. Add a FIDO2 security key to it.
3. Login via GDM using the FIDO2 key.

OBSERVED RESULT
KWallet doesn't get unlocked.

EXPECTED RESULT
KWallet is unlocked.
If a Wallet was created before for the user it should unlock automatically or enroll the security key.
If a Wallet was not created before logging it, set it up automatically or through a wizard.
Possibly support creating wallets tied to FIDO2 keys.

SOFTWARE/OS VERSIONS
Windows: -
macOS: -
Linux/KDE Plasma: 6.1.59-1-lts (64-bit)
(available in About System)
KDE Plasma Version: 5.27.8
KDE Frameworks Version: 5.111.0
Qt Version: 5.15.11

ADDITIONAL INFORMATION
I use GDM as a login manager for now, as Plasma's default seems to be broken when using systemd-homed.
I am using Wayland.
Possibly connected to https://bugs.kde.org/show_bug.cgi?id=427755 .
Comment 1 Balázs Róbert Börcsök 2023-12-23 00:02:54 UTC 
I have not tried using SDDM, but it seems like there are other people as well with this issue, I am assuming they are using that: https://unix.stackexchange.com/questions/763714/how-to-unlock-kdewallet-with-fido2-key

Also, I tried adding the relevant PAM configuration lines (see: https://wiki.archlinux.org/title/KDE_Wallet#Configure_PAM), to GDM, but it asks for the user password (I suppose logically, as KDE Wallet probably doesn't handle non password, like FIDO2 based encryption). If not supplying anything the login proceeds without the Wallet unlocking (logically).

I think that the underlying problem is that there is no support for FIDO2 in KDE Wallet, the cleanest and most future-proof solution in my opinion would be add that and then build an SSO-like experience (I login with my strong authentication, namely my FIDO2 key, which unlocks my KDE wallet, then it reprompts either for my FIDO2 key's password again or in addition or instead of that my wallet's password).

This is a really big topic actually, I am not sure if similar stuff is being worked on, maybe I will open a feature request in addition to this and somehow link this bug report there. This should be worked out well, with clear requirements, because this is the closest we could get to other platforms' SSO experience, I think.
Comment 2 Balázs Róbert Börcsök 2023-12-23 00:06:04 UTC 
(In reply to Balázs Róbert Börcsök from comment #1)
> then it reprompts either for my FIDO2 key's password again or in addition or instead of that my wallet's password

I meant this as an optional thing, only reprompt if configured.