SUMMARY
KDE Wallet doesn't get unlocked for systemd-homed managed users when logging in via FIDO2 key

STEPS TO REPRODUCE
1. Create a systemd-homed managed user.
2. Add a FIDO2 security key to it.
3. Login via GDM using the FIDO2 key.

OBSERVED RESULT
KWallet doesn't get unlocked.

EXPECTED RESULT
KWallet is unlocked. If a Wallet was created before for the user, it should unlock automatically or enroll the security key. If a Wallet was not created before logging in, set it up automatically or through a wizard. Possibly support creating wallets tied to FIDO2 keys.

SOFTWARE/OS VERSIONS
Windows: -
macOS: -
Linux/KDE Plasma: 6.1.59-1-lts (64-bit)
(available in About System)
KDE Plasma Version: 5.27.8
KDE Frameworks Version: 5.111.0
Qt Version: 5.15.11

ADDITIONAL INFORMATION
I use GDM as a login manager for now, as Plasma's default seems to be broken when using systemd-homed. I am using Wayland.
Possibly connected to https://bugs.kde.org/show_bug.cgi?id=427755 .
I have not tried using SDDM, but it seems like there are other people with this issue as well; I am assuming they are using that: https://unix.stackexchange.com/questions/763714/how-to-unlock-kdewallet-with-fido2-key

Also, I tried adding the relevant PAM configuration lines (see: https://wiki.archlinux.org/title/KDE_Wallet#Configure_PAM) to GDM, but it asks for the user password (logically, I suppose, as KDE Wallet probably doesn't handle non-password, like FIDO2-based, encryption). If nothing is supplied, the login proceeds without the Wallet unlocking (logically).

I think that the underlying problem is that there is no support for FIDO2 in KDE Wallet. The cleanest and most future-proof solution in my opinion would be to add that and then build an SSO-like experience (I log in with my strong authentication, namely my FIDO2 key, which unlocks my KDE Wallet; then it reprompts either for my FIDO2 key's password again, or in addition to or instead of that, my wallet's password).

This is a really big topic actually; I am not sure if similar stuff is being worked on. Maybe I will open a feature request in addition to this and somehow link this bug report there. This should be worked out well, with clear requirements, because this is the closest we could get to other platforms' SSO experience, I think.
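For reference, the PAM lines referred to in the comment above, as an added illustration rather than the reporter's own configuration: a hypothetical excerpt of a GDM PAM service file (the file name and the rest of the stack are assumptions and vary by distribution). The comments give, to the best of my knowledge, the reason a FIDO2 login leaves the wallet module without anything to work with, which matches the prompt described in comment #1.

```pam
# Hypothetical excerpt of a GDM PAM service file, e.g. /etc/pam.d/gdm-password
# (path and module ordering are assumptions; adjust to the distribution's stack).

# auth stack: pam_kwallet5 must come AFTER the module that authenticated the user.
# It reads the cleartext login password from the PAM auth token (PAM_AUTHTOK)
# and derives the wallet key from it (salted hash stored under ~/.local/share/kwalletd/).
# A FIDO2 login handled by pam_systemd_home.so sets no password token, so the
# module has no material to derive a key from and asks for a password itself.
auth     sufficient pam_systemd_home.so
auth     required   pam_unix.so
auth     optional   pam_kwallet5.so

# session stack: with auto_start, pam_kwallet5 launches kwalletd5 and hands it the
# key derived above. When no key was derived, the session opens with the wallet
# still locked, which is the behaviour reported above.
session  optional   pam_kwallet5.so auto_start
```

Because both lines are marked optional, a missing or refused password never blocks the login itself; it only decides whether the wallet is unlocked.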
(In reply to Balázs Róbert Börcsök from comment #1)
> then it reprompts either for my FIDO2 key's password again or in addition or instead of that my wallet's password

I meant this as an optional thing, only reprompt if configured.