Fabian Vogt changed bug 1154663

What         Removed   Added
Status       NEW       RESOLVED
CC                     fvogt@suse.com
Resolution   ---       WONTFIX

Comment #5 on bug 1154663 from
> pam_kwallet is a huge step ahead in safety and usability. For example everyone using openSUSE on a notebook will probably store the wifi passwords safely in kwallet. But entering the user password twice on login is just senseless.
(Actually, KWallet might not just be used for Wi-Fi, but for a lot more, like SSH
passphrases.)

That's the usability aspect, but not the safety one. It requires that Blowfish is
used with the same passphrase as the user account's password.

> And I suggest to simply default to blowfish. At least that's what the native KDE distro "Neon" does. https://neon.kde.org

The distro which installed and enabled pam_kwallet by default before looking at
the code, which was so bad it allowed everyone to become root? Not a great
example...

> Configuring GPG is also a little more work and maybe not something every KDE user wants to do. So by default there should simply be a KWallet created with blowfish and made accessible via pam_kwallet. I think that's by far the best choice for increasing security and usability.

I agree that making blowfish the default option is worth considering, but not
hiding the choice altogether. This choice needs to be made upstream by KWallet
devs though, not here in openSUSE.

pam_kwallet should not be installed by default, as using it means that the
wallet has to be unlocked permanently after login, exposing all contents over
DBus, even after locking the screen, suspend, etc.


You are receiving this mail because: