Setup:
* create a new user newuser with an encrypted $HOME
* login and create the kdewallet and generate an ssh keypair. Always use the same PW as for the login!
* logout

With an admin user on virtual console:
* no process owned by newuser is running
* home is mounted: mount | grep <newuser>

Now login:

$HOME mounted before login:
* start kwalletmanager and you see that kdewallet is already open
* start konsole and type ssh-add -l and you see the fingerprint of your ssh key => yeah! Everything is okay
* logout

With an admin user on virtual console: sudo umount ~<newuser>

$HOME not mounted before login (sudo umount ~<newuser>):
* during login kwallet prompts for password
* open konsole and ssh-add -l lists nothing (ssh key not automatically loaded) => Bug (IMHO)

Expected result: Even with $HOME not mounted before login, wallet and ssh-agent should be automatically opened during login, when login, wallet, and ssh-key password are the same.

FWIW: I've made no changes to the /etc/pam.d/* files.
FWIW, failed try: pam_ecryptfs is called after pam_ssh. So I tried to increase the Priority 1 -> 65 (ssh has 64) and run pam-auth-update to exchange the order in common-{auth,session}. Did not work :-( Still same problem :-( Maybe I should have expected this, as pam_kwallet5 was always listed after pam_ecryptfs. Therefore I suspect that mount is async in pam_ecryptfs.

Achim

[2]root@lap-allee:/etc/pam.d# diff -u /etc/pam.d/common-auth{.orig,}; diff -u /etc/pam.d/common-session{.away,} --- /etc/pam.d/common-auth.orig 2017-08-04 13:34:10.384087845 +0200 +++ /etc/pam.d/common-auth 2017-08-04 14:27:43.789524897 +0200 @@ -22,6 +22,6 @@ # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) -auth optional pam_ssh.so use_first_pass auth optional pam_ecryptfs.so unwrap +auth optional pam_ssh.so use_first_pass # end of pam-auth-update config --- /etc/pam.d/common-session.away 2017-07-21 08:28:13.390559234 +0200 +++ /etc/pam.d/common-session 2017-08-04 14:27:43.801524888 +0200 @@ -27,8 +27,8 @@ session optional pam_umask.so # and here are more per-package modules (the "Additional" block) session required pam_unix.so -session optional pam_ssh.so session optional pam_ecryptfs.so unwrap +session optional pam_ssh.so session optional pam_tmpdir.so session optional pam_systemd.so # end of pam-auth-update config [1]root@lap-allee:/etc/pam.d# grep Prio /usr/share/pam-configs/ecryptfs-utils Priority: 65
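Review bot: the common-auth hunk only changes where the password is handled, not when $HOME appears: pam_ecryptfs.so is run there with `unwrap` (it unwraps the mount passphrase in the auth phase) and the mount itself happens in the session stack, so this hunk on its own cannot fix the "ssh key not loaded" symptom even though `auth optional pam_ssh.so use_first_pass` keeps `use_first_pass` and still receives the captured password. Worth recording in the bug that the auth reorder is expected to be a no-op for the mount race.

Review bot: the common-session hunk moves `session optional pam_ssh.so` below `session optional pam_ecryptfs.so unwrap`, which is the ordering that matters for the mount, but pam_kwallet5.so appears in neither file of this diff, so its position relative to pam_ecryptfs.so (the other half of the reported symptom) cannot be checked from the patch; the display-manager stack that includes these files (the sddm PAM file, as mentioned later in this thread) should be diffed as well. Minor: the backups use two different suffixes (`.orig` for common-auth, `.away` for common-session); one consistent suffix makes later diffs easier to reproduce.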
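The order question the diff above tries to settle by hand can be checked mechanically. This is an added shell example, not code from the bug report or from pam-auth-update: it parses a file in the /etc/pam.d/common-* format and reports, per management group, whether pam_ssh.so or pam_kwallet5.so is stacked before pam_ecryptfs.so; the sample stack is constructed to reproduce the original (pre-diff) order.

```shell
# Added example, not from the bug report: an order checker for PAM stack files in the
# /etc/pam.d/common-* format. pam_ssh.so and pam_kwallet5.so read key material from
# $HOME, so in each management group they must come AFTER pam_ecryptfs.so (the mount).

# pam_pos FILE GROUP MODULE: print the 1-based position of MODULE among the GROUP
# lines of FILE, or 0 if absent. The module is the first field ending in ".so", so a
# bracketed control value like "[success=1 default=ignore]" does not shift the parse.
pam_pos() {
  awk -v grp="$2" -v want="$3" '
    /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
    $1 != grp { next }                             # skip other management groups
    {
      n++
      for (i = 2; i <= NF; i++)
        if ($i ~ /\.so$/) { if ($i == want) { print n; found = 1; exit }; break }
    }
    END { if (!found) print 0 }
  ' "$1"
}

# pam_misordered FILE GROUP: print one line per $HOME-dependent module that is stacked
# before pam_ecryptfs.so in GROUP; the exit status is the number of such modules.
pam_misordered() {
  bad=0
  ec=$(pam_pos "$1" "$2" pam_ecryptfs.so)
  for m in pam_ssh.so pam_kwallet5.so; do
    p=$(pam_pos "$1" "$2" "$m")
    if [ "$ec" -gt 0 ] && [ "$p" -gt 0 ] && [ "$p" -lt "$ec" ]; then
      echo "$2: $m (#$p) is stacked before pam_ecryptfs.so (#$ec): \$HOME not mounted yet"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Constructed sample reproducing the original (pre-diff) order: pam_ssh before pam_ecryptfs.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_ssh.so use_first_pass
auth    optional                    pam_ecryptfs.so unwrap
session required                    pam_unix.so
session optional                    pam_ssh.so
session optional                    pam_ecryptfs.so unwrap
session optional                    pam_systemd.so
EOF
for g in auth session; do pam_misordered "$SAMPLE" "$g" || true; done
```

Run it against the real common-auth and common-session (or the included display-manager file) instead of the sample to see the post-pam-auth-update order; a silent run means every $HOME-dependent module already follows pam_ecryptfs.so in that group.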
Same problem here on Arch (Plasma 5.12.4-0 and Framework 5.44.0-1). After running "ecryptfs-migrate-home" on my $HOME and setting up automount with pam_ecryptfs.so in /etc/pam.d/system-auth, kdewallet is no longer automatically unlocked by pam_kwallet5.so in /etc/pam.d/sddm (this used to work before encryption). I can also confirm that it works if $HOME is already mounted. When it fails, I see this error message in the journal: "Apr 09 19:47:08 schwindl kwalletd5[796]: Wallet failed to get opened by PAM, error code is -9".
The workaround from https://wiki.gentoo.org/wiki/KDE#KWallet_auto-unlocking works for me: copy /home/$USER/.local/share/kwalletd/kdewallet.salt from the mounted, unencrypted $HOME to the same exact location of the unmounted, encrypted $HOME. However, this raises the question whether it is safe to always have kdewallet.salt unencrypted.