Setup:
* create a new user newuser with an encrypted $HOME
* login and create the kdewallet and generate an ssh keypair. Always use the same PW as for the login!
* logout

With an admin user on virtual console:
* no process owned by newuser is running
* home is mounted: mount | grep <newuser>

Now login:

$HOME mounted before login:
* start kwalletmanager and you see that kdewallet is already open
* start konsole and type ssh-add -l and you see the fingerprint of your ssh key => yeah! Everything is okay
* logout

With an admin user on virtual console: sudo umount ~<newuser>

$HOME not mounted before login (sudo umount ~<newuser>):
* during login kwallet prompts for password
* open konsole and ssh-add -l lists nothing (ssh key not automatically loaded) => Bug (IMHO)

Expected result: Even with $HOME not mounted before login, wallet and ssh-agent should be automatically opened during login, when login, wallet, and ssh-key password are the same.

FWIW: I've made no changes to the /etc/pam.d/* files.
FWIW Failed try: pam_ecryptfs is called after pam_ssh. So I tried to increase the Priority 1 -> 65 (ssh has 64) and ran pam-auth-update to exchange the order in common-{auth,session}. Did not work :-( Still the same problem :-( Maybe I should have expected this, as pam_kwallet5 was always listed after pam_ecryptfs. Therefore I suspect that mount is async in pam_ecryptfs.

Achim

[2]root@lap-allee:/etc/pam.d# diff -u /etc/pam.d/common-auth{.orig,}; diff -u /etc/pam.d/common-session{.away,} --- /etc/pam.d/common-auth.orig 2017-08-04 13:34:10.384087845 +0200 +++ /etc/pam.d/common-auth 2017-08-04 14:27:43.789524897 +0200 @@ -22,6 +22,6 @@ # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) -auth optional pam_ssh.so use_first_pass auth optional pam_ecryptfs.so unwrap +auth optional pam_ssh.so use_first_pass # end of pam-auth-update config --- /etc/pam.d/common-session.away 2017-07-21 08:28:13.390559234 +0200 +++ /etc/pam.d/common-session 2017-08-04 14:27:43.801524888 +0200 @@ -27,8 +27,8 @@ session optional pam_umask.so # and here are more per-package modules (the "Additional" block) session required pam_unix.so -session optional pam_ssh.so session optional pam_ecryptfs.so unwrap +session optional pam_ssh.so session optional pam_tmpdir.so session optional pam_systemd.so # end of pam-auth-update config [1]root@lap-allee:/etc/pam.d# grep Prio /usr/share/pam-configs/ecryptfs-utils Priority: 65
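Review bot: the swap in the common-auth hunk cannot be judged from these lines alone, because nothing in the hunk shows in which phase pam_ecryptfs mounts $HOME. The line that moved up is "auth optional pam_ecryptfs.so unwrap"; if that auth step only unwraps the passphrase and the mount itself happens in the session stack, then "auth optional pam_ssh.so use_first_pass" still runs before ~/.ssh is readable, whichever of the two comes first. Before concluding that the mount is asynchronous, add the debug option to the pam_ssh line and check the auth log to see whether pam_ssh found any key files at all.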
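Review bot: the common-session hunk reorders only pam_ssh.so relative to pam_ecryptfs.so, and no pam_kwallet5 line appears anywhere in its context, so this change cannot influence the wallet prompt. To test the ordering theory for kwallet, inspect the service file that actually loads pam_kwallet5 and where it includes common-session. Both moved lines also stay "optional", so a failed mount or a failed key load is still ignored by the stack; that is worth keeping in mind when reading a login that appears to succeed.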
Same Problem here on Arch (Plasma 5.12.4-0 and Framework 5.44.0-1). After running "ecryptfs-migrate-home" on my $HOME and setting up automount with pam_ecryptfs.so in /etc/pam.d/system-auth, kdewallet is no longer automatically unlocked by pam_kwallet5.so in /etc/pam.d/sddm (this used to work before encryption). I can also confirm that it works if $HOME is already mounted. When it fails, I see this error message in the journal: "Apr 09 19:47:08 schwindl kwalletd5[796]: Wallet failed to get opened by PAM, error code is -9".
The workaround from https://wiki.gentoo.org/wiki/KDE#KWallet_auto-unlocking works for me - copy /home/$USER/.local/share/kwalletd/kdewallet.salt from the mounted, unencrypted $HOME to the same exact location of the unmounted, encrypted $HOME. However, this raises the question of whether it is safe to always have kdewallet.salt unencrypted.
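The comments above reason about where pam_ecryptfs, pam_ssh and pam_kwallet5 sit relative to each other across several files (common-auth, common-session, system-auth, sddm). The following script is an added example, not part of the original thread or of any of the projects discussed: it prints the flattened module order for one service and one PAM type, following both "@include" lines and "include"/"substack" controls. The PAM_DIR variable and the function names pam_stack and pam_runs_before are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flatten the PAM stack of a service so module order can be
# checked across included files. It lists file order only; it does not
# evaluate jump controls such as [success=1 default=ignore], and it says
# nothing about whether a module finished its work before the next one ran.
# PAM_DIR (assumption) lets the script run against a copy of /etc/pam.d.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# pam_stack SERVICE TYPE [DEPTH] -> one module name per line, in file order.
# The body is a subshell so recursive calls cannot clobber each other's variables.
pam_stack() (
    svc=$1 type=$2 depth=${3:-0}
    [ "$depth" -lt 8 ] && [ -r "$PAM_DIR/$svc" ] || exit 0
    # Drop comments and collapse a bracketed control into a single token.
    sed -e 's/#.*//' -e 's/\[[^]]*\]/[ctl]/' "$PAM_DIR/$svc" |
    while read -r t ctl mod rest; do
        t=${t#-}                      # "-session ..." marks an optional module file
        if [ "$t" = "@include" ]; then
            pam_stack "$ctl" "$type" $((depth + 1))
        elif [ "$t" = "$type" ]; then
            case $ctl in
                include|substack) pam_stack "$mod" "$type" $((depth + 1)) ;;
                *) if [ -n "$mod" ]; then echo "${mod##*/}"; fi ;;
            esac
        fi
    done
)

# pam_runs_before SERVICE TYPE MOD_A MOD_B -> exit 0 only if both modules
# are present and MOD_A is listed before MOD_B in the flattened stack.
pam_runs_before() {
    pam_stack "$1" "$2" | awk -v a="$3" -v b="$4" '
        $0 == a && !pa { pa = NR }
        $0 == b && !pb { pb = NR }
        END { exit !(pa && pb && pa < pb) }'
}

# Stand-alone use: ./pam-order.sh sddm session
if [ $# -ge 2 ]; then
    pam_stack "$1" "$2" | nl
fi
```

Running it for both `auth` and `session` of the display manager's service shows whether pam_ecryptfs is listed ahead of pam_ssh and pam_kwallet5 in each phase separately, which a diff of a single file does not.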
This ticket has been archived due to the age of this request, in order to keep currently present issues at the forefront for proper resolution. If this issue is still present, please reopen this ticket and provide additional details related to the request.