Comment # 6 on bug 1154663 from
(In reply to Fabian Vogt from comment #5)
> > pam_kwallet is a huge step ahead in safety and usability. For example everyone using openSUSE on a notebook will probably store the wifi passwords safely in kwallet. But entering the user password twice on login is just senseless.
> (actually KWallet might not just be used for wifi, but for a lot more like
> ssh passphrases)
> 
> That's the usability aspect, but not the safety one.

Actually alternatively people may store passwords in plaintext. And so it
becomes a security aspect.


> > And I suggest to simply default to blowfish. At least that's what the native KDE distro "Neon" does. https://neon.kde.org
> 
> The distro which installed and enabled pam_kwallet by default before looking
> at the code, which was so bad it allowed everyone to become root? Not a
> great example...

Point taken.


> > Configuring GPG is also little more work and maybe not something every KDE user wants to do. So by default there should be simply a KWallet being created with blowfish and made accessible via pam_kwallet. I think that's by far the best choice for increasing security and usability.
> 
> I agree that making blowfish the default option is worth considering, but
> not hiding the choice altogether. This choice needs to be made upstream by
> KWallet devs though, not here in openSUSE.

Just created a ticket:
https://bugs.kde.org/show_bug.cgi?id=413314


> pam_kwallet should not be installed by default, as using it means that the
> wallet has to be unlocked permanently after login, exposing all contents
> over DBus, even after locking the screen, suspend, etc.

That's a point. But the resulting user experience - especially regarding using
encrypted wifis - is really bad.
Any other ideas how to solve this!?

