[opensuse-kde] howto use pam_kwallet with Plasma 5.9
What need I to do to get pam_kwallet doing it's task, opening kwallet after login? I have installed: pam_kwallet 5.9.1-1.1 from openSUSE-Tumbleweed-Oss kwalletd5 5.30.0 from openSUSE-Tumbleweed-Oss libkwalletbackend5-5 5.30.0 from openSUSE-Tumbleweed-Oss kwalletmanager5 16.12.1 from openSUSE-Tumbleweed-Oss My Wallet password is equal to my login password. -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
Am Sonntag, 12. Februar 2017, 15:46:28 CET schrieb Cisbug:
What need I to do to get pam_kwallet doing it's task, opening kwallet after login?
I have installed: pam_kwallet 5.9.1-1.1 from openSUSE-Tumbleweed-Oss kwalletd5 5.30.0 from openSUSE-Tumbleweed-Oss libkwalletbackend5-5 5.30.0 from openSUSE-Tumbleweed-Oss kwalletmanager5 16.12.1 from openSUSE-Tumbleweed-Oss
My Wallet password is equal to my login password.
You have to edit /etc/pamd.d/sddm to
#%PAM-1.0 auth substack common-auth auth optional pam_kwallet5.so auth optional pam_kwallet.so kdehome=.kde4 account include common-account password include common-password session required pam_loginuid.so session include common-session session optional pam_kwallet5.so session optional pam_kwallet.so
The interesting part here is to use "substack" instead of "include", else the optional entries will not be executed if common-auth has a "sufficient" entry. Herbert -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
Am Sonntag, 12. Februar 2017, 22:47:45 CET schrieb Herbert Graeber:
You have to edit /etc/pamd.d/sddm to
#%PAM-1.0 auth substack common-auth auth optional pam_kwallet5.so auth optional pam_kwallet.so kdehome=.kde4 account include common-account password include common-password session required pam_loginuid.so session include common-session session optional pam_kwallet5.so session optional pam_kwallet.so
The interesting part here is to use "substack" instead of "include", else the optional entries will not be executed if common-auth has a "sufficient" entry.
Thank you, it should be written anywhere on OpenSuse documentation. -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
On Sun, Feb 12, 2017 at 4:47 PM, Herbert Graeber <lists@graeber-clan.de> wrote:
Am Sonntag, 12. Februar 2017, 15:46:28 CET schrieb Cisbug:
What need I to do to get pam_kwallet doing it's task, opening kwallet after login?
I have installed: pam_kwallet 5.9.1-1.1 from openSUSE-Tumbleweed-Oss kwalletd5 5.30.0 from openSUSE-Tumbleweed-Oss libkwalletbackend5-5 5.30.0 from openSUSE-Tumbleweed-Oss kwalletmanager5 16.12.1 from openSUSE-Tumbleweed-Oss
My Wallet password is equal to my login password.
You have to edit /etc/pamd.d/sddm to
#%PAM-1.0 auth substack common-auth auth optional pam_kwallet5.so auth optional pam_kwallet.so kdehome=.kde4 account include common-account password include common-password session required pam_loginuid.so session include common-session session optional pam_kwallet5.so session optional pam_kwallet.so
The interesting part here is to use "substack" instead of "include", else the optional entries will not be executed if common-auth has a "sufficient" entry.
Herbert -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
Is there a way to have this added automatically when pam-kwallet is installed? I would think if someone installs pam-kwallet they want it to "just work". Or at least have a subpackage they can install that includes it. -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
On dimanche, 19 février 2017 16.15:18 h CET Todd Rme wrote:
On Sun, Feb 12, 2017 at 4:47 PM, Herbert Graeber <lists@graeber-clan.de> wrote:
Am Sonntag, 12. Februar 2017, 15:46:28 CET schrieb Cisbug:
What need I to do to get pam_kwallet doing it's task, opening kwallet after login?
I have installed: pam_kwallet
5.9.1-1.1 from openSUSE-Tumbleweed-Oss
kwalletd5
5.30.0 from openSUSE-Tumbleweed-Oss
libkwalletbackend5-5
5.30.0 from openSUSE-Tumbleweed-Oss
kwalletmanager5
16.12.1 from openSUSE-Tumbleweed-Oss
My Wallet password is equal to my login password.
You have to edit /etc/pamd.d/sddm to
#%PAM-1.0 auth substack common-auth auth optional pam_kwallet5.so auth optional pam_kwallet.so kdehome=.kde4 account include common-account password include common-password session required pam_loginuid.so session include common-session session optional pam_kwallet5.so session optional pam_kwallet.so
The interesting part here is to use "substack" instead of "include", else the optional entries will not be executed if common-auth has a "sufficient" entry.
Herbert -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
Is there a way to have this added automatically when pam-kwallet is installed? I would think if someone installs pam-kwallet they want it to "just work". Or at least have a subpackage they can install that includes it.
Well it doesn't work for autologin here's the logs I get systemd[1]: Starting X Display Manager... root[3908]: /etc/init.d/xdm: No changes for /etc/X11/xdm/Xservers root[3908]: /etc/init.d/xdm: No changes for /etc/X11/xdm/xdm-config sddm[3944]: Initializing... sddm[3944]: Starting... sddm[3944]: Adding new display on vt 1 ... sddm[3944]: Display server starting... sddm[3944]: Running: /usr/bin/X -nolisten tcp -auth /run/sddm/{f10a6913- ff92-4a5c-aa0d-0d2eb8949826} -background none -noreset -displayfd 18 vt1 acpid[1531]: client connected from 3946[0:0] acpid[1531]: 1 client rule loaded display-manager[3899]: Starting service sddm..done systemd[1]: Started X Display Manager. sddm[3944]: Running display setup script "/usr/share/sddm/scripts/Xsetup" sddm[3944]: Display server started. sddm[3944]: Reading from "/usr/share/xsessions/plasma5.desktop" sddm[3944]: Reading from "/usr/share/xsessions/plasma5.desktop" sddm[3944]: Session "/usr/share/xsessions/plasma5.desktop" selected, command: "/usr/bin/startkde" sddm[3944]: Adding cookie to "/run/sddm/{f10a6913-ff92-4a5c- aa0d-0d2eb8949826}" sddm-helper[3953]: PAM unable to dlopen(/lib64/security/pam_kwallet.so): / lib64/security/pam_kwallet.so: cannot open shared object file: No such file or d sddm-helper[3953]: PAM adding faulty module: /lib64/security/pam_kwallet.so sddm-helper[3953]: [PAM] Starting... sddm-helper[3953]: [PAM] Authenticating... sddm-helper[3953]: [PAM] Preparing to converse... sddm-helper[3953]: [PAM] Conversation with 1 messages sddm-helper[3953]: pam_unix(sddm-autologin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=bruno sddm-helper[3953]: pam_kwallet5(sddm-autologin:auth): (null): pam_sm_authenticate sddm-helper[3953]: [PAM] authenticate: Authentication failure sddm-helper[3953]: [PAM] returning. sddm[3944]: Authentication error: "Authentication failure" sddm-helper[3953]: [PAM] Ended. sddm[3944]: Auth: sddm-helper exited with 1 /etc/pam.d/sddm and /etc/pam.d/sddm-autologin are now identical like this #%PAM-1.0 auth substack common-auth auth optional pam_kwallet5.so auth optional pam_kwallet.so kdehome=.kde4 account include common-account password include common-password session required pam_loginuid.so session include common-session session optional pam_kwallet5.so session optional pam_kwallet.so From the error above I guess that pam_kwallet.so can be removed as the file doesn't exist ? -- Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch Bareos Partner, openSUSE Member, fsfe fellowship GPG KEY : D5C9B751C4653227 irc: tigerfoot -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
Also perhaps we need like gnome-keyring a -32bits package to have /lib/ security/pam_kwallet5.so ? -- Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch Bareos Partner, openSUSE Member, fsfe fellowship GPG KEY : D5C9B751C4653227 irc: tigerfoot -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
Am Sonntag, 19. Februar 2017, 16:35:26 schrieb Bruno Friedmann:
Well it doesn't work for autologin
Correct. The reason is that pam_kwallet5 is unable to get the login password in that case AFAIK. Kind Regards, Wolfgang -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
In data domenica 19 febbraio 2017 16:15:18 CET, Todd Rme ha scritto:
Is there a way to have this added automatically when pam-kwallet is installed? I would think if someone installs pam-kwallet they want it to "just work". Or at least have a subpackage they can install that includes it.
Apparently this is possible with pam-config: however I'm not sure how to use it properly in a package. -- Luca Beltrame - KDE Forums team GPG key ID: A29D259B -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
Am Sonntag, 19. Februar 2017, 18:01:38 CET schrieb Luca Beltrame:
Apparently this is possible with pam-config: however I'm not sure how to use it properly in a package.
Maybe you could explain how to do it in pam-config, Luca, and another person could explain how to call pam-config at installation time. -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
Am Sonntag, 19. Februar 2017, 18:01:38 schrieb Luca Beltrame:
In data domenica 19 febbraio 2017 16:15:18 CET, Todd Rme ha scritto:
Is there a way to have this added automatically when pam-kwallet is installed? I would think if someone installs pam-kwallet they want it to "just work". Or at least have a subpackage they can install that includes it.
Apparently this is possible with pam-config: however I'm not sure how to use it properly in a package.
I'm not sure, but I think support for pam_kwallet5 would need to be added to pam-config first. For sddm we could add the necessary lines to the shipped /etc/pam.d/sddm. This has been done upstream already btw: https://github.com/sddm/sddm/commit/1dccfe7a1b9583090f5b3118c766ef12b04d4c55 https://github.com/sddm/sddm/commit/892422ef3445e0189fc4402d9c17187b0b3bf43f The second one is rather pointless IMHO though. According to the commit message it only works with an empty kwallet password, but in that case there's no need for pam_kwallet5 in the first place anyway. Kind Regards, Wolfgang -- To unsubscribe, e-mail: opensuse-kde+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kde+owner@opensuse.org
participants (6)
-
Bruno Friedmann -
Cisbug -
Herbert Graeber -
Luca Beltrame -
Todd Rme -
Wolfgang Bauer