Unlocking KWallet with PAM

Requests to unlock KWallet automatically on login (assuming the wallet password and user password are the same), like gnome-keyring can do, have been going on for years: in fact, bug reports requesting this feature are quite old. Recently, thanks to the efforts of Alex Fiestas, a PAM module which interfaces KWallet to the system authentication methods has been developed. In parallel, the necessary glue code has also been added to the various parts of the KDE workspace so that they can make use of it.

While the module itself has not been released officially yet, it is already used by some distributions (Kubuntu). However, documentation is lacking, so it may be hard for anyone else to set it up. This post provides some indications on how to set up KWallet with PAM.

Before we begin, a disclaimer: as we’re dealing with pre-release software, do everything at your own risk! Errors with PAM can lock you out of your system!

Also, there’s no guarantee that these instructions, although they worked for me, will work for you. YMMV.


EDIT: You will need a more recent startkde script than the one shipped in Workspace 4.11.8: ask your distro for a back-port of the latest commits to it (last 3 since 4.11.8).  Thanks to Rex Dieter (Fedora) for letting me know.

You need to have libgcrypt and its development headers installed, and at least version 1.5.0 (earlier versions won’t work), along with the PAM development headers. Before beginning, change your wallet password to be the same as your login password (you chose a strong password, didn’t you ;).

EDIT: You will also need socat, because it’s used to inject the right environment when the KDE workspace session is starting.

Building pam-kwallet

Clone the git repository holding pam-kwallet (NOTE for posterity: the URL may change in the future once the code moves properly inside KDE’s official modules):

git clone git://anongit.kde.org/scratch/afiestas/pam-kwallet.git

Then compile:

mkdir build; cd build
cmake -DCMAKE_INSTALL_PREFIX=$(kde4-config --prefix) ../

You may have to add -DLIB_SUFFIX=64 if you are using a 64-bit system, or the library may get installed in the wrong path.

Install either as root or using sudo:

make install

Hooking pam-kwallet to PAM

Once this is done, we need to hook pam-kwallet to PAM proper. These instructions have been made with inspiration from the Arch Linux Wiki entry on GNOME keyring and should be your reference in case of issues.

We’ll have to tell PAM that it can use our freshly built module as an authentication mechanism. We will be doing so by editing specific files under /etc/pam.d. All operations should be done as root or using sudo.

First, we edit /etc/pam.d/login (added lines are marked with a trailing ### comment). This is how it looks on my system (note: depending on your distro, it may and will look different):

auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
#session optional pam_lastlog.so nowtmp showfailed
session optional pam_mail.so standard
-session optional pam_kwallet.so auto_start #### Add this line

Then we change /etc/pam.d/passwd. Notice that there is a caveat described below:

auth include common-auth
-auth optional pam_kwallet.so ### add this line
account include common-account
password include common-password
session include common-session

Now check whether your KDE application settings live in the default .kde directory or under another name (for example .kde4 in openSUSE). If it is not .kde, you must add an option that tells the PAM module where it is (this only involves modifying /etc/pam.d/passwd):

-auth optional pam_kwallet.so kdehome=.kde4 # for .kde4

Alternative setup

While the setup above should work, it may not. In this case, you will need to edit the PAM files used by your display manager. In the case of KDM, they may be /etc/pam.d/kdm or /etc/pam.d/xdm. For LightDM, you should edit both /etc/pam.d/lightdm and /etc/pam.d/lightdm-greeter.

In either case, put both the auth and the session line in the files, as follows (example from my setup):

# LightDM PAM configuration used only for the greeter session
auth required pam_permit.so
-auth optional pam_kwallet.so kdehome=.kde4 ### added
account required pam_permit.so
password include common-password
session required pam_loginuid.so
session include common-session
-session optional pam_kwallet.so auto_start ### added
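Before logging out to test, it helps to verify the prerequisites and the PAM edits above in one go. The following POSIX shell script is an added example written for this post (it is not code from the original post or from pam-kwallet itself); the module search paths under /lib*/security and /usr/lib*/security are an assumption, as is the check that the kdehome directory exists under $HOME.

```shell
#!/bin/sh
# Added pre-flight checks for the pam-kwallet setup described in this post
# (this is not code from the post or from pam-kwallet itself).

# Return 0 when dotted version $1 >= $2 (the post requires libgcrypt >= 1.5.0).
version_ge() {
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$2" ]
}

# Look in pam.d file $1 for the pam_kwallet line of type $2 (auth or session).
# Returns 0 if present with the leading '-' (a missing module is skipped quietly),
# 2 if present without it (PAM logs an error whenever the module fails to load),
# 1 if absent. '#' ends a PAM line, so comments are stripped before matching.
check_pam_file() {
    lines=$(sed 's/#.*//' "$1" | grep -E "^-?$2[[:space:]]+optional[[:space:]]+pam_kwallet\.so" || true)
    [ -n "$lines" ] || return 1
    printf '%s\n' "$lines" | grep -q '^-' && return 0
    return 2
}

# Print the kdehome= value from the pam_kwallet auth line of $1 (empty if unset).
pam_kwallet_kdehome() {
    sed 's/#.*//' "$1" | grep -E '^-?auth[[:space:]]+optional[[:space:]]+pam_kwallet\.so' \
        | sed -n 's/.*kdehome=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Constructed sample resembling the /etc/pam.d/passwd shown in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth include common-auth
-auth optional pam_kwallet.so kdehome=.kde4 ### add this line
account include common-account
EOF

gv=$(libgcrypt-config --version 2>/dev/null || echo 0.0.0)   # ships with libgcrypt
version_ge "$gv" 1.5.0 && echo "libgcrypt $gv ok" || echo "libgcrypt $gv too old, need >= 1.5.0"
command -v socat >/dev/null && echo "socat found" || echo "socat missing (needed at session start)"
# Module location: candidate paths are an assumption; LIB_SUFFIX=64 decides lib vs lib64.
ls /lib*/security/pam_kwallet.so /usr/lib*/security/pam_kwallet.so 2>/dev/null \
    || echo "pam_kwallet.so not found under */lib*/security"
for f in "$sample" /etc/pam.d/passwd; do
    [ -r "$f" ] || continue
    rc=0; check_pam_file "$f" auth || rc=$?
    kh=$(pam_kwallet_kdehome "$f")
    echo "$f: auth line status $rc (0 ok, 1 absent, 2 missing '-'), kdehome=${kh:-.kde}"
    [ -d "$HOME/${kh:-.kde}" ] || echo "  warning: $HOME/${kh:-.kde} does not exist"
done
rm -f "$sample"
```

Run it as the user whose wallet should be unlocked so that the kdehome check looks at the right home directory; pass the display manager files (for example /etc/pam.d/lightdm) to check_pam_file if you used the alternative setup.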

Wrapping it up

After these changes, log out and back in. If everything is correct, you will not see password requests from KWallet, but you will see your wallet properly unlocked!

And if it doesn’t work?

I warned you. ;) More seriously, look in the authentication logs for clues to see whether there were PAM errors. My suggestion would be to wait for distros to figure this out, or hope that a real PAM expert steps in, as debugging is very difficult (at least for me) at such a low level.

EDIT: As pointed out by Rex Dieter (Fedora), putting a - in front of your PAM entries will make PAM ignore them if unavailable, reducing the amount of logging sent to your syslog.
