This ticket is about the user password being changed via a non-KDE tool (e.g. "passwd" on shell) or being changed by the administrator. If a user changes his password via KDE user-manager, this is handled here: Bug 413284 - user-manager should change kwallet password (if identical before) KWallet should remember if the user-password and the kwallet password where identical and kwallet-pam used to work. (don't remember the clear text passwords, just a boolean if it used to work) So if opening KWallet stops working on a login, KWallet should automatically ask what to do. Choices: - change KWallet password to new user password* - reset KWallet if old user/kwallet password is lost In this case, only the old user password might be asked for. The new user password may be provided automatically. Keep in mind: If kwallet-pam worked well before, many users won't even know about the whole kwallet password store concept. So asking them explicitly for a new password just causes confusion.
PAM does have a hook that can get called it the password is being changed. Ideally we should try and change the wallet password (gnome keyring does this). I did have a try, but there's a problem that our kwallet requires having a working X/wayland connection which makes life harder.
(In reply to David Edmundson from comment #1) > PAM does have a hook that can get called it the password is being changed. > > Ideally we should try and change the wallet password (gnome keyring does > this). I did have a try, but there's a problem that our kwallet requires > having a working X/wayland connection which makes life harder. OK, this is a great idea if the same user changes the password via another non-KDE tool (e.g. "passwd"). Maybe this is even a more generic approach than implementing something in the KDE user-manager. -> Bug 413284 - user-manager should change kwallet password (if identical before) But a PAM hook won't work if the administrator/root changes the user password. Because the administrator probably can't provide the old user password for kwallet decryption.
(In reply to David Edmundson from comment #1) > PAM does have a hook that can get called it the password is being changed. > > Ideally we should try and change the wallet password (gnome keyring does > this). I did have a try, but there's a problem that our kwallet requires > having a working X/wayland connection which makes life harder. FWIW this is tracked by Bug 389030.