http://bugzilla.opensuse.org/show_bug.cgi?id=1154663 http://bugzilla.opensuse.org/show_bug.cgi?id=1154663#c1 Neil Rickert changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nwr10cst-oslnx@yahoo.com --- Comment #1 from Neil Rickert --- I am opposed to this. The problem is that pam_kwallet does not work if "lightdm" is used as the display-manager. I reported this a long time ago, as bug 1102588 -- I think that was for Leap 15.0. I have just tested with Leap 15.2 Alpha, and the problem is still there. I don't think it's a good idea to make pam_kwallet a default if it won't work for some users. For the record, I mainly use GDM or SDDM, although I am currently using lightdm on my main desktop. But people should be able to change display manager without causing problems for kwallet. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1154663 http://bugzilla.opensuse.org/show_bug.cgi?id=1154663#c3 --- Comment #3 from Luca Beltrame --- For the record, I wouldn't want it by default, even if I use it daily. pam_kwallet has not the nicest codebase to say the least, gets little to no maintenance by upstream KDE, and was also hit by security vulnerabilities. It would require quite a lot of changes to be viable. -- You are receiving this mail because: You are on the CC list for the bug.

pam_kwallet is a huge step ahead in safety and usability. For example everyone using openSUSE on a notebook will probably store the wifi passwords safely in kwallet. But entering the user password twice on login is just senseless. (actually KWallet might not just be used for wifi, but for a lot more like ssh

http://bugzilla.opensuse.org/show_bug.cgi?id=1154663 http://bugzilla.opensuse.org/show_bug.cgi?id=1154663#c5 Fabian Vogt changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |fvogt@suse.com Resolution|--- |WONTFIX --- Comment #5 from Fabian Vogt --- passphrases) That's the usability aspect, but not the safety one. It requires that the blowfish is used with the same passphrase as the user account's password.

And I suggest to simply default to blowfish. At least that's what the native KDE distro "Neon" does. https://neon.kde.org

The distro which installed and enabled pam_kwallet by default before looking at the code, which was so bad it allowed everyone to become root? Not a great example...

Configuring GPG is also little more work and maybe not something every KDE user wants to do. So by default there should be simply a KWallet being created with blowfish and made accessible via pam_kwallet. I think that's by far the best choice for inceasing security and usability.

I agree that making blowfish the default option is worth considering, but not hiding the choice altogether. This choice needs to be made upstream by KWallet devs though, not here in openSUSE. pam_kwallet should not be installed by default, as using it means that the wallet has to be unlocked permanently after login, exposing all contents over DBus, even after locking the screen, suspend, etc. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1154663 http://bugzilla.opensuse.org/show_bug.cgi?id=1154663#c7 --- Comment #7 from Neil Rickert ---

Actually alternatively people may store passwords in plaintext. And so it becomes an security aspect.

I set WiFi passwords to be stored in plaintext and available to all users. But they are stored in a file readable only by root, so I do not see this as a serious security issue. I prefer this, because NetworkManager can then connect before login, and this works better (at least in my experience). -- You are receiving this mail because: You are on the CC list for the bug.