Bug 375236 - kwallet-pam doesn't work in conjunction with dm-crypt-encrypted /home which gets unlocked with pam_mount
Status: CONFIRMED
Alias: None
Product: kwallet-pam
Classification: Frameworks and Libraries
Component: general
Version: 5.14.5
Platform: unspecified Linux
Importance: VHI grave
Target Milestone: ---
Assignee: Plasma Bugs List
Keywords: usability
Reported: 2017-01-18 14:15 UTC by Peter
Modified: 2022-09-09 08:42 UTC

Description Peter 2017-01-18 14:15:34 UTC
My /home partition is encrypted using dm-crypt. It gets unlocked on login with the help of pam_mount.

kwallet-pam doesn't work with this setup. I followed the wiki to set SDDM up in the required way: https://wiki.archlinux.org/index.php/KDE_Wallet#Unlock_KDE_Wallet_automatically_on_login .
Still, I need to enter the password to unlock kwallet after I log in to the system.

I've checked that this problem is indeed caused by dm-crypt-encryption/pam_mount. If I unlock my home partition by logging my user in to, say, tty2, and only after that use SDDM to log in to a KDE Plasma session, then kwallet-pam works correctly, and I don't have to enter my password to unlock kwallet upon login.

My guess is that kwallet-pam tries to unlock kwallet too early in the login process, before pam_mount finishes unlocking the encrypted /home partition.

I use a fully updated Archlinux x64 system. Package versions:
kwallet-pam 5.8.1
kwallet 5.30.0
pam 1.3.0
pam_mount 2.16
cryptsetup 1.7.3
sddm 0.14.0

Here is what "cat /etc/pam.d/sddm" returns:

#%PAM-1.0

auth            include         system-login
auth            optional        pam_mount.so
auth            optional        pam_kwallet5.so
auth            optional        pam_kwallet.so kdehome=.kde4
account         include         system-login
password        optional        pam_mount.so
password        include         system-login
session         include         system-login
session         optional        pam_mount.so
session         optional        pam_kwallet5.so
session         optional        pam_kwallet.so
Comment 1 Denis Kurz 2017-01-18 21:17:58 UTC
Peter, are both your kde4 and "kde5" wallets locked after login?

I couldn't find a hint in "man pam.d" saying so, and I'm no pam expert, but maybe the order of lines in pam.d/sddm is important. You put both kwallet auth lines before the pam_mount line. Does reordering them make any difference?

"man pam.d" doesn't mention dependency management of any other kind, so if reordering doesn't help, there might be no way to get kwallet-pam working reliably in conjunction with pam_mount. But then again, I'm no expert on this...
Comment 2 Peter 2017-01-19 14:11:19 UTC
(In reply to Denis Kurz from comment #1)
> Peter, are both your kde4 and "kde5" wallets locked after login?
> 
> I couldn't find a hint in "man pam.d" saying so, and I'm no pam expert, but
> maybe the order of lines in pam.d/sddm is important. You put both kwallet
> auth lines before the pam_mount line. Does reordering them make any
> difference?
> 
> "man pam.d" doesn't mention dependency management of any other kind, so if
> reordering doesn't help, there might be no way to get kwallet-pam working
> reliably in conjunction with pam_mount. But then again, I'm no expert on
> this...

Both kwallet4 and kwallet5 are locked if I log in straight to KDE from SDDM after booting up the PC. If I log in to tty2 beforehand, thus unlocking the /home partition, and only after that log in to KDE through SDDM, then both kwallet4 and kwallet5 are unlocked.

I've checked the following ordering of lines in /etc/pam.d/sddm, and I don't see any difference (i.e. the problem persists, in exactly the same fashion):

#%PAM-1.0

auth            include         system-login
auth            optional        pam_kwallet5.so
auth            optional        pam_kwallet.so kdehome=.kde4
auth            optional        pam_mount.so
account         include         system-login
password        optional        pam_mount.so
password        include         system-login
session         include         system-login
session         optional        pam_kwallet5.so
session         optional        pam_kwallet.so
session         optional        pam_mount.so
Comment 3 Denis Kurz 2017-01-21 18:50:25 UTC
Ok, in this case, I'm lost, sorry. I reopen so someone with more insight can review the bug and judge whether it's fixable from our side.
Comment 4 Jonathan Verner 2017-03-20 09:31:41 UTC
Same problem happens here (encrypted home with ecryptfs), neon packages. Also happened with kde4 (see https://bugs.launchpad.net/ubuntu/+source/pam-kwallet/+bug/1335135).
Comment 6 Philipp Woelfel 2019-02-24 22:52:15 UTC
I'm suffering from this bug, too (Manjaro). Is there any way I can help debugging this? It seems pam_gnome_keyring works fine in conjunction with pam_mount, so I suppose there's no inherent reason this shouldn't be fixable...
Comment 7 Erik Quaeghebeur 2019-03-16 17:45:05 UTC
I'm encountering this issue on Gentoo with 5.14.5. In the Gentoo wiki, there is a suggested workaround involving copying kdewallet.salt to the root partition:

https://wiki.gentoo.org/wiki/KDE#KWallet_auto-unlocking

It does not work for me, but I may be misunderstanding where it should be copied. (I'm going to try a couple of other locations than I already did.)
Comment 8 Erik Quaeghebeur 2019-03-16 18:07:38 UTC
(In reply to Erik Quaeghebeur from comment #7)
> […], there is a suggested workaround involving copying kdewallet.salt to the
> root partition:
> 
> https://wiki.gentoo.org/wiki/KDE#KWallet_auto-unlocking
Well, if kdewallet.salt is copied to its usual location,

/home/$USER/.local/share/kwalletd/kdewallet.salt,

but without the encrypted home being mounted, then it works for me. So this seems like a viable workaround and may also point to what is going wrong.

What happens for me sometimes is that pam_mount fails and I get thrown into an uninitialized Plasma session. For this session, some files are autocreated. Among them kdewallet.kwl and kdewallet.salt in the usual location (as above). It could be that these empty/wrong files are what causes the issue. I haven't tested this yet, as removing them would not be robust against the problem of pam_mount failing sometimes.
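
A check for the condition described in comment 8, added here as an example and not taken from the thread or from kwallet-pam: it compares the kdewallet.salt that sits below the mount point (what is visible before pam_mount has mounted the encrypted home) with the one inside the mounted home. The function name, the return codes and the bind-mount path /mnt/rootfs are assumptions of this example.

```shell
#!/bin/sh
# Compare the kdewallet.salt on the underlying filesystem with the one
# inside the mounted encrypted home.
#
# Arguments (assumptions of this example):
#   $1  the user's home as seen WITHOUT the encrypted volume, e.g. via a
#       non-recursive bind mount made by root:
#         mount --bind / /mnt/rootfs   ->   /mnt/rootfs/home/$USER
#   $2  the user's home as seen WITH the encrypted volume mounted
#
# Return codes: 0 identical            1 no salt in the mounted home
#               2 no salt underneath   3 both present but different
#               4 salt underneath exists but is empty

SALT_REL=".local/share/kwalletd/kdewallet.salt"   # path quoted in comment 8

check_salt() {
    under="$1/$SALT_REL"
    mounted="$2/$SALT_REL"

    if [ ! -f "$mounted" ]; then
        echo "no salt in mounted home: $mounted"
        return 1
    fi
    if [ ! -f "$under" ]; then
        echo "no salt below the mount point: $under"
        return 2
    fi
    if [ ! -s "$under" ]; then
        # e.g. a file auto-created by a session that started without /home
        echo "empty salt below the mount point: $under"
        return 4
    fi
    if cmp -s "$under" "$mounted"; then
        echo "salt files are identical"
        return 0
    fi
    echo "salt files differ: $under vs $mounted"
    return 3
}

# Run the check only when two paths are given, so the file can be sourced.
if [ "$#" -eq 2 ]; then
    check_salt "$1" "$2"
fi
```

Return codes 2 to 4 are the states in which the file below the mount point is missing or differs from the copy in the encrypted home, which is what the workaround from comment 8 changes.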