Bug 413285 - Better handling for the case where user changed their password with something other than the Users KCM
Status: CONFIRMED
Alias: None
Product: kwallet-pam
Classification: Frameworks and Libraries
Component: general
Version: 5.17.0
Platform: Other Linux
Importance: NOR wishlist
Assignee: Plasma Bugs List
Reported: 2019-10-21 15:19 UTC by kolAflash
Modified: 2021-12-04 19:53 UTC

Description kolAflash 2019-10-21 15:19:43 UTC
This ticket is about the user password being changed via a non-KDE tool (e.g. "passwd" on shell) or being changed by the administrator.

If a user changes his password via KDE user-manager, this is handled here:
Bug 413284 - user-manager should change kwallet password (if identical before)

KWallet should remember if the user-password and the kwallet password were identical and kwallet-pam used to work.
(don't remember the clear text passwords, just a boolean if it used to work)
So if opening KWallet stops working on a login, KWallet should automatically ask what to do. Choices:
- change KWallet password to new user password*
- reset KWallet if old user/kwallet password is lost

In this case, only the old user password might be asked for. The new user password may be provided automatically.
Keep in mind: If kwallet-pam worked well before, many users won't even know about the whole kwallet password store concept. So asking them explicitly for a new password just causes confusion.
Comment 1 David Edmundson 2019-10-21 15:23:28 UTC
PAM does have a hook that can get called if the password is being changed.

Ideally we should try and change the wallet password (gnome keyring does this). I did have a try, but there's a problem that our kwallet requires having a working X/wayland connection which makes life harder.
Comment 2 kolAflash 2019-10-21 15:36:09 UTC
(In reply to David Edmundson from comment #1)
> PAM does have a hook that can get called if the password is being changed.
> 
> Ideally we should try and change the wallet password (gnome keyring does
> this). I did have a try, but there's a problem that our kwallet requires
> having a working X/wayland connection which makes life harder.

OK, this is a great idea if the same user changes the password via another non-KDE tool (e.g. "passwd").
Maybe this is even a more generic approach than implementing something in the KDE user-manager.
-> Bug 413284 - user-manager should change kwallet password (if identical before)

But a PAM hook won't work if the administrator/root changes the user password, because the administrator probably can't provide the old user password for kwallet decryption.
Comment 3 Nate Graham 2019-10-27 23:35:47 UTC
(In reply to David Edmundson from comment #1)
> PAM does have a hook that can get called if the password is being changed.
> 
> Ideally we should try and change the wallet password (gnome keyring does
> this). I did have a try, but there's a problem that our kwallet requires
> having a working X/wayland connection which makes life harder.
FWIW this is tracked by Bug 389030.
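
Added example, not part of this bug thread or of kwallet-pam's code: a Python model of the point made in comments 1 and 2, that a password-change hook can re-key the wallet only when the old password is available. The wallet layout, the XOR/HMAC key wrap, the iteration count and all function names are constructed for illustration and are not KWallet's real format.

```python
import hashlib
import hmac
import os

ITER = 50_000  # constructed work factor for this sketch


def _kek(password: str, salt: bytes) -> bytes:
    # 64-byte key-encryption key derived from the login password.
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITER)


def _wrap(kek: bytes, data_key: bytes) -> dict:
    # Toy wrap (assumption): XOR with the first KEK half, HMAC tag with the second.
    blob = bytes(a ^ b for a, b in zip(data_key, kek[:32]))
    return {"blob": blob, "tag": hmac.new(kek[32:], blob, "sha256").digest()}


def create_wallet(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, **_wrap(_kek(password, salt), os.urandom(32))}


def unlock(wallet: dict, password: str):
    """Return the 32-byte data key, or None if the password is wrong."""
    kek = _kek(password, wallet["salt"])
    tag = hmac.new(kek[32:], wallet["blob"], "sha256").digest()
    if not hmac.compare_digest(tag, wallet["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(wallet["blob"], kek[:32]))


def on_password_change(wallet: dict, old_pw, new_pw: str) -> str:
    """Model of a password-change hook.

    old_pw is None when root or an administrator resets the password,
    because the old secret is never supplied in that case.
    """
    data_key = unlock(wallet, old_pw) if old_pw is not None else None
    if data_key is None:
        # Cannot decrypt: leave the wallet untouched so the user can still
        # supply the old password (or choose a reset) at the next login.
        return "ask_user"
    salt = os.urandom(16)
    wallet.update(salt=salt, **_wrap(_kek(new_pw, salt), data_key))
    return "rekeyed"
```
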