kwallet-pam does not work with sddm. I have

auth optional pam_kwallet5.so
session optional pam_kwallet5.so

in /etc/pam.d/sddm. I get the following errors in /var/log/messages and /var/log/auth.log:

Feb 17 07:46:28 planet kernel: [ 48.459617] audit: type=1100 audit(1487313988.101:109): pid=4814 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_kwallet5,pam_unix acct="unruh" exe="/usr/libexec/sddm-helper" hostname=? addr=? terminal=? res=success'
Feb 17 07:46:28 planet kernel: [ 48.459989] audit: type=1103 audit(1487313988.101:111): pid=4814 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_kwallet5,pam_unix acct="unruh" exe="/usr/libexec/sddm-helper" hostname=? addr=? terminal=? res=success'
Feb 17 07:46:28 planet kernel: [ 48.466459] audit: type=1105 audit(1487313988.108:113): pid=4814 uid=0 auid=1000 ses=3 msg='op=PAM:session_open grantors=pam_keyinit,pam_kwallet5,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_loginuid acct="unruh" exe="/usr/libexec/sddm-helper" hostname=? addr=? terminal=:0 res=success'
Feb 17 07:46:28 planet ksmserver[4989]: ksmserver: Starting autostart service "/etc/xdg/autostart/pam_kwallet_init.desktop"
Feb 17 07:46:28 planet ksmserver[4989]: ksmserver: autostart service "/usr/libexec/pam_kwallet_init" finished with exit code 1

auth.log:

Feb 17 07:46:28 planet sddm-helper: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
Feb 17 07:46:28 planet sddm-helper: pam_kwallet5(sddm:auth): pam_kwallet5: Couldn't get password (it is empty)
Feb 17 07:46:28 planet sddm-helper: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
Feb 17 07:46:28 planet sddm-helper: pam_kwallet5(sddm:session): pam_kwallet5: pam_sm_open_session
Feb 17 07:46:28 planet sddm-helper: pam_kwallet5(sddm:session): pam_kwallet5: final socket path: /tmp/kwallet5_unruh.socket

I put debugging into /usr/libexec/pam_kwallet_init and the PAM_KWALLET5_LOGON environment variable does not exist when it is run, although it is there once I am able to open a terminal and check.

It seems that when the pam module is run the first time by pam (auth) the password is not there, and the kwallet pam module cannot open the socket. Then /usr/libexec/pam_kwallet_init is run, and it does nothing since there is no socket available. Finally, in session, the kwallet pam module is run again. Now there is a password available and the environment variable is set, but it is too late.

I tried removing the auth optional pam_kwallet5.so line from /etc/pam.d/sddm and now in the session call to the kwallet pam module the password is not there. It almost seems as though the pam stack has to be called twice before the user password is ready.

(I have been trying to find the 5.9.2 source code to see if this is fixed, but have not been able to find it anywhere.)
Tried with 5.9.2 (self compiled) and have the same problem.
Do you have by any chance an ssh passphrase saved in your wallet? I had a similar issue which I fixed after removing the kwallet folder created by ksshaskpass.
Nope, no ssh passwords in kwallet. It simply never gets the password from pam to open kwallet (password always empty). There is something wrong either with the timing (kwallet asking pam for the password before pam has the password) or with the way kwallet is asking pam for the password. This is really annoying, as I have to enter my password every time I open Chrome after a reboot. As such it is also insecure, as each time one enters a password is a chance for a shoulder-surfer to snaffle the password. Does this really work for everyone else and I am the only one who has trouble?
I have looked at kwallet-pam (5.9.2) and kwallet-5.32.0 and it seems to be a complete mess.

a) Minor: In kwallet-pam.c, start_kwallet, the variable "needed" is out by 1. Thus the created socket has the name kwallet5.socke rather than kwallet5.socket.

b) kwallet-pam does an execve of kwalletd5, including the environment. But the created kwallet5 then tries to load the environment, which is completely unnecessary and, on my system, hangs. If one removes the waitForEnv() condition in kwalletd/main.cpp, subroutine checkPamModule,

hash=waitForHash();
if (hash == nullptr || waitForEnv() == -1 )

the hangup ceases and that subroutine delivers the hash to the calling program. However, after removing this condition,

c) In kwallet5 (src/runtime/kwalletd/main.cpp) the program tries to use Qt, but the instance of kwallet5 which is started by kwallet-pam has no DISPLAY or X running, and the program fails. In main.cpp, routine main, the line

QApplication app(argc,argv);

fails with

May 07 16:04:07 planet kwalletd5[7678]: No protocol specified
May 07 16:04:07 planet audit[7678]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=3 pid=7678 comm="kwalletd5" exe="/usr/bin/kwalletd5" sig=6
May 07 16:04:07 planet kwalletd5[7678]: QXcbConnection: Could not connect to display :0
May 07 16:04:07 planet kernel: audit: type=1701 audit(1494198247.305:119): auid=1000 uid=1000 gid=1000 ses=3 pid=7678 comm="kwalletd5" exe="/usr/bin/kwalletd5" sig=6

The problem appears to be that Qt is trying to open a GUI program before the GUI is up. My knowledge of Qt is zero, so I cannot chase the problem any further.

If I open Chrome and type my password into the kwallet window request, everything works fine (except that there is an error in journalctl that the pipe and socket have values of 0 and cannot be used). I.e., kwallet5-pam and kwallet5 together seem to be completely broken.
It may be that this process has to wait until X actually comes up, so that Qt does not crash, but I do not know how to delay the pam module until sddm has actually brought up X. (Note the problem is there also in LightDM.) Mageia 6 updated.
(In reply to unruh from comment #4)
> I have looked at kwallet-pam (5.9.2) and kwallet-5.32.0 and it seems to be a
> complete mess.
>
> a)Minor: In kwallet-pam.c, start_kwallet the variable "needed" is out by 1.
> Thus the created socket has the name kwallet5.socke rather than
> kwallet5.socket

This should be fixed in 5.9.3
OK, I think I have tracked down the problems.

a) pam_kwallet does not have the user's USER and HOME entries in the environment and thus kwalletd5 cannot open the .local/share/kwalletd directory to find the wallets. One needs to put something like

set_env(pamh,"HOME",userInfo->pw_dir);
set_env(pamh,"USER",username);

somewhere after userInfo is set up in kwallet-pam-5.9.2/pam_kwallet.c. Otherwise Qt cannot open the above directory.

b) There is a race between pam's running of kwalletd5 and X coming up, which, at least on Mageia 6, kwalletd5 always loses. I have kludged this by putting a 2 second sleep into main() in kwallet.5.32.0/src/runtime/kwalletd/main.cpp just after the checkPamModule call:

hash=checkPamModule(argc,argv);
if(hash != nullptr) sleep(2);

This delays the Qt calls in kwalletd5 long enough that X has come up and the Qt calls do not crash. Note that there must be a more elegant way of doing this than putting in that sleep.

c) As mentioned, the waitForEnvironment call in checkPamModule is unnecessary, because pam already copies the environment over to kwalletd5 in the execve call, and unwanted, because for some reason waitForEnvironment() waits forever and never returns.

Doing all of the above, when I log into my account, the wallet after login is open. Without them, I have to re-enter my password into the first program that uses kwallet.

Note that the socket in /run/user/<UID>/kwallet.socket is never actually used by anything as far as I know. Certainly kwalletd5 does not use it, and only uses the existence of the PAM_KWALLET5_LOGIN environment variable to see if kwalletd was started with the --pam-logon argument. Since that environment variable is in the environment opened by pam forever after, all of the programs using kwalletd5 check for the --pam-login variable. This causes no real harm; it is just not very elegant.
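The fixed sleep(2) in b) above is a guess at how long X needs. As an added example (not kwalletd5's or kwallet-pam's code), the following C program shows the bounded-wait alternative a practitioner would reach for: poll connect() on the X server's Unix socket until a server accepts or a timeout expires, then fail loudly instead of crashing later in QApplication. It assumes the usual layout /tmp/.X11-unix/X<n> for DISPLAY=:<n> (not guaranteed on every system), treats a successful connect() as "server is up" (it says nothing about Xauthority), and would need a different probe on a Wayland session. The listener helper and the socket names are constructed only so the wait can be exercised without an X server.

```c
/*
 * Added example, not kwalletd5's code: a bounded readiness wait on an
 * AF_UNIX socket, as an alternative to a fixed sleep(2).
 * Assumption: the X socket lives at /tmp/.X11-unix/X<n> for DISPLAY=:<n>.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <time.h>
#include <unistd.h>

/* One connect() attempt on an AF_UNIX stream socket at `path`.
 * Returns 0 if a server accepted the connection, -1 otherwise. */
static int try_connect_unix(const char *path)
{
    struct sockaddr_un addr;
    if (strlen(path) >= sizeof(addr.sun_path)) return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    int rc = connect(fd, (struct sockaddr *)&addr, sizeof(addr));
    close(fd);
    return rc == 0 ? 0 : -1;
}

static long elapsed_ms(const struct timespec *a, const struct timespec *b)
{
    return (b->tv_sec - a->tv_sec) * 1000L + (b->tv_nsec - a->tv_nsec) / 1000000L;
}

/* Poll try_connect_unix() every `interval_ms` until it succeeds or
 * `timeout_ms` has elapsed. Returns 0 when reachable, -1 on timeout.
 * Unlike sleep(2) this returns as soon as the server is up, and on a slow
 * machine it reports the problem instead of silently racing. */
static int wait_for_unix_socket(const char *path, long timeout_ms, long interval_ms)
{
    struct timespec start, now, nap;
    nap.tv_sec = interval_ms / 1000;
    nap.tv_nsec = (interval_ms % 1000) * 1000000L;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (;;) {
        if (try_connect_unix(path) == 0) return 0;
        clock_gettime(CLOCK_MONOTONIC, &now);
        if (elapsed_ms(&start, &now) >= timeout_ms) return -1;
        nanosleep(&nap, NULL);
    }
}

/* Map DISPLAY=":<n>" or ":<n>.<screen>" to the assumed socket path.
 * Returns a pointer to a static buffer, or NULL if DISPLAY is not local. */
static const char *x11_socket_path(const char *display)
{
    static char buf[64];
    if (!display || display[0] != ':') return NULL;
    const char *p = display + 1;
    int n = 0;
    while (p[n] >= '0' && p[n] <= '9') n++;
    if (n == 0) return NULL;
    if (snprintf(buf, sizeof buf, "/tmp/.X11-unix/X%.*s", n, p) >= (int)sizeof buf) return NULL;
    return buf;
}

/* Constructed helper so the wait can be exercised without an X server:
 * create a listening AF_UNIX socket at `path`. Returns the fd or -1. */
static int listen_unix(const char *path)
{
    struct sockaddr_un addr;
    if (strlen(path) >= sizeof(addr.sun_path)) return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    unlink(path);                      /* stale file from an earlier run */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *demo = "x11-demo.sock";   /* stand-in for /tmp/.X11-unix/X0 */
    int lfd = listen_unix(demo);
    printf("listener: %s\n", lfd >= 0 ? "ok" : "failed");
    printf("wait on live socket:    %d\n", wait_for_unix_socket(demo, 2000, 50));
    printf("wait on missing socket: %d\n", wait_for_unix_socket("no-such.sock", 200, 50));
    printf("DISPLAY=:0 -> %s\n", x11_socket_path(":0"));
    if (lfd >= 0) { close(lfd); unlink(demo); }
    return 0;
}
```

In a daemon started from a PAM module the caller would take the DISPLAY value it was handed, wait a few seconds with wait_for_unix_socket(), and log and exit cleanly on -1 rather than letting QApplication abort; the interval keeps the login path responsive on a fast machine where the server is already up.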
Created attachment 105424: patch for kwallet-pam 5.9.2 to put USER and HOME into environment

This patch puts USER and HOME environment variables into that for kwallet-pam, so they are delivered to kwalletd5 when kwallet-pam runs them. It also includes the addition of +1 to the "needed" variable so that the socket ends in .socket, rather than .socke
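As an added illustration (not kwallet-pam's code) of the off-by-one in "needed" described in comment a) above and addressed by this patch: snprintf(NULL, 0, ...) returns the formatted length without the terminating NUL, so a buffer sized from it without +1 silently loses the last character of the path. The helper names, the format string "%s/kwallet5_%s.socket" and the sample values are assumptions chosen to mirror the thread; the real start_kwallet code is not reproduced here.

```c
/*
 * Added illustration, not kwallet-pam's code: the same path construction
 * with and without the +1 for the NUL terminator.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buggy sizing: snprintf(NULL, 0, ...) counts characters WITHOUT the NUL,
 * so malloc(needed) is one byte short and the bounded snprintf below
 * drops the final 't' of ".socket". */
static char *socket_path_buggy(const char *dir, const char *user)
{
    int needed = snprintf(NULL, 0, "%s/kwallet5_%s.socket", dir, user);
    if (needed < 0) return NULL;
    char *path = malloc((size_t)needed);            /* one byte short */
    if (!path) return NULL;
    snprintf(path, (size_t)needed, "%s/kwallet5_%s.socket", dir, user);
    return path;                                    /* ends in ".socke" */
}

/* Fixed sizing: reserve needed + 1 bytes and verify nothing was cut. */
static char *socket_path_fixed(const char *dir, const char *user)
{
    int needed = snprintf(NULL, 0, "%s/kwallet5_%s.socket", dir, user);
    if (needed < 0) return NULL;
    size_t size = (size_t)needed + 1;               /* room for the NUL */
    char *path = malloc(size);
    if (!path) return NULL;
    int written = snprintf(path, size, "%s/kwallet5_%s.socket", dir, user);
    if (written < 0 || (size_t)written >= size) {   /* truncation guard */
        free(path);
        return NULL;
    }
    return path;
}

/* Returns 1 if `path` ends with ".socket", else 0. */
static int has_socket_suffix(const char *path)
{
    const char *suffix = ".socket";
    size_t lp = strlen(path), ls = strlen(suffix);
    return lp >= ls && strcmp(path + lp - ls, suffix) == 0;
}

int main(void)
{
    char *bad = socket_path_buggy("/tmp", "unruh");
    char *good = socket_path_fixed("/tmp", "unruh");
    printf("buggy: %s (suffix ok: %d)\n", bad, has_socket_suffix(bad));
    printf("fixed: %s (suffix ok: %d)\n", good, has_socket_suffix(good));
    free(bad);
    free(good);
    return 0;
}
```

Because the write is a bounded snprintf, the undersized buffer only truncates here; the same miscount feeding sprintf or strcpy would instead be a one-byte heap overflow, which is why the sizing and the write should be checked against each other as the fixed version does.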
The bugs.kde.org/attachment.cgi fails so here is the attachment text. This patch adds a sleep(2) to kwalletd5 to make sure that X is up by the time that the Qt functions are called. It also removes the call to waitForEnvironment() since it is not needed and since that call hangs forever at least on Mageia 6, sddm. --------------------------------------------------------- diff -cr kwallet-5.32.0-orig/src/runtime/kwalletd/main.cpp kwallet-5.32.0/src/runtime/kwalletd/main.cpp *** kwallet-5.32.0-orig/src/runtime/kwalletd/main.cpp 2017-03-04 08:21:23.000000000 -0800 --- kwallet-5.32.0/src/runtime/kwalletd/main.cpp 2017-05-08 15:00:12.500570750 -0700 *************** *** 146,152 **** hash = waitForHash(); ! if (hash == nullptr || waitForEnvironment() == -1) { printf("kwalletd5: Hash or environment not received\n"); free(hash); return nullptr; --- 146,154 ---- hash = waitForHash(); ! if (hash == nullptr /* || waitForEnvironment() == -1 */) { ! //waitForEnvironment hangs and is not needed ! printf("kwalletd5: Hash or environment not received\n"); free(hash); return nullptr; *************** *** 166,171 **** --- 168,176 ---- #ifndef Q_OS_WIN if (getenv("PAM_KWALLET5_LOGIN")) { hash = checkPamModule(argc, argv); + //There is a race which kwalletd5 always "looses" so must wait for + // X to come up properly + if(hash != nullptr) sleep(2); } #endif
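Review bot: in the checkPamModule hunk (lines 146-152), only the reading side of the hash/environment handshake is changed; if pam_kwallet still writes the environment block into the pipe after the hash, that data is now left unread and the writer can block or take SIGPIPE when kwalletd5 closes its end, so the sending side needs to be checked (or changed to stop sending) in the same change. The failure message "Hash or environment not received" also no longer matches what is tested, and commented-out code with a "hangs" note is harder to review than a deletion plus an explanation of the root cause; e.g. `if (hash == nullptr) {` with `printf("kwalletd5: Hash not received\n");`.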
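Review bot: in the main() hunk (lines 166-171), `sleep(2)` is a fixed guess at how long X needs: it delays every PAM-initiated start by two seconds on a fast machine and is still a race on a slow one. Poll for readiness with a bounded timeout instead (for example, attempt a connection to the display socket, give up after a few seconds, and log the failure rather than letting QApplication abort). The hunk also calls sleep() without an `#include <unistd.h>` visible in the context, and the comment typo "looses" should read "loses".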
Thanks for the investigation and the patches. Please upload them at https://phabricator.kde.org/differential/diff/create/ (so that it will be easier to review them).
Sorry, I cannot log in or register.

William G. Unruh
Physics & Astronomy, UBC, Vancouver, BC, Canada V6T 1Z1
Canadian Institute for Advanced Research, Program in Cosmology and Gravity
Tel: +1(604)822-3273  Fax: +1(604)822-5324
unruh@physics.ubc.ca  www.theory.physics.ubc.ca/
Oh sorry, I should have mentioned that you need to register here: https://identity.kde.org/
Well, I am already registered on bugs.kde.org. But that registration system you pointed me to is hopeless. I try to use my bugs credentials. It refuses. I finally click on register, and enter the data and I get

Client rejected by automatic spammer detection system

I think I am not interested in jumping through these kinds of stupid hoops only in order to try to help you. You have my patches.
(In reply to unruh from comment #12)
> Well, I am already registered on bugs.kde.org. But that registration system
> you pointed me to is hopeless. I try to use my bugs credentials. It refuses.
> I
> finally click on register, and enter the data and I get
> Client rejected by automatic spammer detection system
> I think I am not interested in jumping through these kinds of stupid hoops
> only in order to try to help you.

Bugs.kde.org is one of the few services not linked to the account provided by identity.kde.org (so far). The wikis, phabricator and the forums all use it. Unfortunately, due to the high amount of spam received in the past, a set of strong blacklisting rules was implemented. It is unfortunate for legitimate users getting caught in this, but there was no other way so far.

You can still register to identity.kde.org by contacting the sysadmins on their list (no registration needed, https://mail.kde.org/mailman/listinfo/sysadmin). It is a one-time (small) effort.
Can you still reproduce this bug?
Dear Bug Submitter, This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information as soon as possible and set the bug status as REPORTED. Due to regular bug tracker maintenance, if the bug is still in NEEDSINFO status with no change in 30 days the bug will be closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging If you have already provided the requested information, please mark the bug as REPORTED so that the KDE team knows that the bug is ready to be confirmed. Thank you for helping us make KDE software even better for everyone!
This bug has been in NEEDSINFO status with no change for at least 30 days. The bug is now closed as RESOLVED > WORKSFORME due to lack of needed information. For more information about our bug triaging procedures please read the wiki located here: https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging Thank you for helping us make KDE software even better for everyone!