SUMMARY sddm can handover the wallet password on login to open the vault. But it does not when sddm is configured to autologin. I would like to see the credentials handover happen also on unlock of a locked session. My setup is to autologin, but autolock with "loginctl lock-session" set into autostart. This way my old pc with a magnetic harddisk can already load up everything while i am not working yet. kf5-kwallet-5.91.0-1.fc35.x86_64 kf5-kwallet-libs-5.91.0-1.fc35.x86_64 kwalletmanager5-21.12.2-1.fc35.x86_64 pam-kwallet-5.24.3-1.fc35.x86_64 OBSERVED RESULT on autologin credentials are not handed over from sddm to kwallet EXPECTED RESULT on session unlock credentials should be handed over to kwallet SOFTWARE/OS VERSIONS Linux/KDE Plasma: Fedora 35 KDE spin KDE Plasma Version: 5.24.3 KDE Frameworks Version: 5.91.0 Qt Version: 5.91.0 ADDITIONAL INFORMATION
This isn't possible because on autologin, no credentials are passed along at all; the entire credential-passing system is bypassed. As a result, there are no credentials for kwallet to get. The only way to make your wallet automatically unlock on login when using autologin is to set your wallet to have no password too! There isn't another sane and secure way to do this. In Plasma 5.25, we show a warning that tells you all of this when you turn on autologin, so you won't be confused.
Created attachment 148102 [details] attachment-18842-0.html But when you got a locked screen, you can catch the password, that was entered for the unlock and handover to wallet, right? On Mon, 11 Apr 2022, 20:05 Nate Graham, <bugzilla_noreply@kde.org> wrote: > https://bugs.kde.org/show_bug.cgi?id=452442 > > Nate Graham <nate@kde.org> changed: > > What |Removed |Added > > ---------------------------------------------------------------------------- > Resolution|--- |WORKSFORME > CC| |nate@kde.org > Status|REPORTED |RESOLVED > > --- Comment #1 from Nate Graham <nate@kde.org> --- > This isn't possible because on autologin, no credentials are passed along > at > all; the entire credential-passing system is bypassed. As a result, there > are > no credentials for kwallet to get. The only way to make your wallet > automatically unlock on login when using autologin is to set your wallet to > have no password too! There isn't another sane and secure way to do this. > > In Plasma 5.25, we show a warning that tells you all of this when you turn > on > autologin, so you won't be confused. > > -- > You are receiving this mail because: > You reported the bug.
Theoretically yes, but to implement that we would have to punch a security hole in the screen locker that would make it less secure. Also it wouldn't solve the problem because the lock screen and the login screens are separate things. The wallet still wouldn't unlock at *login*. Really, if you have auto-login on, I'm not sure how much sense it makes to use a lock screen at all. Clearly security is not a major concern in such a use case. :)
Created attachment 148103 [details] attachment-21770-0.html Thank you for elaborating. I am locking via Auto start instantly after Autologin. That for first user interaction is to enter password, thatfor I don't care what happens after login, I care about after unlocking. Let me elaborate since I got a feeling to not have explained myself very well. Desired Process: 1. Auto login, kwallet locked 2. Autostart triggers loginctl lock-session 3. User unlocks from lockscreen 4. Kwallet gets password from the unlock process. I can't see how that is another security issue than unlock the wallet upon manual login. If this is still declined, I won't force it anymore. Thank you :) On Mon, 11 Apr 2022, 20:36 Nate Graham, <bugzilla_noreply@kde.org> wrote: > https://bugs.kde.org/show_bug.cgi?id=452442 > > --- Comment #3 from Nate Graham <nate@kde.org> --- > Theoretically yes, but to implement that we would have to punch a security > hole > in the screen locker that would make it less secure. Also it wouldn't > solve the > problem because the lock screen and the login screens are separate things. > The > wallet still wouldn't unlock at *login*. > > Really, if you have auto-login on, I'm not sure how much sense it makes to > use > a lock screen at all. Clearly security is not a major concern in such a use > case. :) > > -- > You are receiving this mail because: > You reported the bug.
Aha! That is a legitimate use case. On Plasma Mobile we do that, with auto-login plus an immediate lock. So this seems like something worth supporting.
+1 we've discussed and agreed in meetings in the past that this would be useful to have. It's a matter of getting it done.
> It's a matter of getting it done. The challenge is the process order. Pam code forks a process sets an env with a path to a socket. When kwalletd starts it maybe connects to this. This all needs to happen before kwalletd tries to start up from any other activation.
*** This bug has been marked as a duplicate of bug 346741 ***