Using pam_kwallet with openSUSE

In recent tests with openSUSE Leap 15.0 and with Tumbleweed, I have been testing out pam_kwallet.  It seems to work pretty well.  So I have since converted another Tumbleweed system to using pam_kwallet.  However, I am not using pam_kwallet with Leap 42.3, on the grand principle that if it ain’t broke,  don’t fix it.

Leap 15.0 should be released some time in May.  So pam_kwallet is something you might want to think about when you install it.

What is pam_kwallet?

First things first, so I should first explain “kwallet”, sometimes called “kdewallet”.  It is a protected place for storing passwords that are used by KDE applications.  Typically, it is used for the WiFi passphrase, for web passwords and email passwords.  This, of course, depends on what applications you are using for web browsing and for email.

The package pam_kwallet provides a pam module (pluggable authentication module) that automatically opens kwallet during login.  This is supposed to simplify use of “kwallet”.  This works by using your login password to protect (encrypt) “kwallet”.  During login processing, while your login password is still available to PAM modules, it is used to unlock “kwallet”.

Autologin

If you use autologin, so that when you boot your computer you are automatically logged into KDE, then you probably won’t want pam_kwallet.  Using it depends on your password being available during login.  So, if you log in without giving a password, you will probably find that you are still prompted for the “kwallet” password.

Using pam_kwallet

I’ll get to installing a little later in this post.

Once pam_kwallet is properly installed and working, then using it is simple.  I just log in to KDE, and I find that “kwallet” has already been opened.  I am never prompted for a password to open “kwallet”.  It just works.

If using WiFi, and if it is set to automatically connect, then by the time I am logged in, the WiFi connection should already be up and running.  This, of course, assumes that the network connection has already been configured.

Installing

Here I’ll discuss installing with a clean install.  Later in this post, I’ll discuss switching to “pam_kwallet” on an existing system.

The one difficulty with installing pam_kwallet is that it is not on the install DVD for Leap 15.0.  Perhaps that will change by the time that 15.0 is officially released.  So, after completing a clean install, I was careful to avoid using any application that required “kwallet”.  I went straight to running YaST Software Management, and installed pam_kwallet.  I then logged out, and logged back in.  And, presto, “kwallet” was already opened after that login.  So that’s all there is to it.

Some people might need to use “kwallet” before installing “pam_kwallet”.  So I have also tested this in a KVM virtual machine, with Leap 15.0.  After installing, I ran a command that required “kwallet”.  And that was before installing “pam_kwallet”.

When I ran the command, I was prompted for setup of “kwallet”.  The first prompt asks whether to use “gpg” encryption or “blowfish” encryption.  The default is “gpg”, and that box is already checked.  I instead checked the box for “blowfish” encryption (because “gpg” encryption probably won’t work with “pam_kwallet”).  I went with the defaults for everything else in “kwallet” setup.  And, when prompted for a password to encrypt “kwallet”, I used my login password.

With those settings, “kwallet” opened.  I later installed “pam_kwallet”.  And then, after logout and login again, I could see that “kwallet” was opening automatically during login.

Switching

With Tumbleweed on my laptop, I had already been using “kwallet” with “gpg” encryption.  Since “pam_kwallet” seemed to work well with Leap 15.0, I wanted to switch this to also use the PAM module.  So here’s what I did:

I first installed “pam_kwallet”.

Next, I opened “KWalletManager”.  There, in the file menu, I asked it to export the wallet content to an “xml” file.  Note that the “xml” file will not be encrypted.

I then logged out of KDE, and logged into Icewm.  This is because Icewm does not use “kwallet” (unless I open a KDE application).  In Icewm, I did

cd ~/.config
rm kwallet*
cd ~/.local/share
rm -rf kwalletd

Those commands removed the “kwallet” configuration and data, so that they would be recreated on my next KDE login.

I now logged out of Icewm, and back into KDE.  I opened “KWalletManager”, and imported from the saved “xml” file.  Finally, I used “shred” to remove that saved “xml” file, so as to not leave an unencrypted copy around.

And now “pam_kwallet” is working nicely on that Tumbleweed system.

The downside

There’s one disadvantage to this change.  Previously using “gpg” encryption with “kwallet” meant that I was using my “gpg” passphrase often enough that I am unlikely to forget it.  Now, with “pam_kwallet” I won’t get as much practice with using that passphrase.  I may have to occasionally send some “gpg” signed email so as to keep up the practice.

A note on 42.3

For Leap 42.3, I did try installing pam_kwallet on one system.  It didn’t do anything.  Apparently, the PAM configuration is not automatically updated on 42.3, and thus the installed pam_kwallet isn’t used.  I decided to leave things that way.
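
A quick way to check whether an installed pam_kwallet is actually referenced by the PAM configuration, which is what appeared to be missing on 42.3.  This is an added example, not part of the original post; the default directory /etc/pam.d, the module file names pam_kwallet.so and pam_kwallet5.so, and the sample service files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list the PAM service files
# that load a pam_kwallet module on a non-comment line.

# Prints "<service> auth=<yes|no> session=<yes|no>" per matching file in DIR.
# Returns 0 only if some service has both an auth and a session entry.
pam_kwallet_status() {
    dir=${1:-/etc/pam.d}          # assumed default PAM directory
    complete=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # PAM line layout: [-]type control module-path [args]; "#" = comment
        result=$(awk '
            { sub(/#.*/, "") }
            /pam_kwallet[0-9]*\.so/ {
                type = $1; sub(/^-/, "", type)
                if (type == "auth") a = 1
                if (type == "session") s = 1
                hit = 1
            }
            END { if (hit) printf "auth=%s session=%s", (a ? "yes" : "no"), (s ? "yes" : "no") }
        ' "$f")
        if [ -n "$result" ]; then
            echo "${f##*/} $result"
            if [ "$result" = "auth=yes session=yes" ]; then complete=0; fi
        fi
    done
    return "$complete"
}

# Constructed sample directory (file names and contents are made up).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'auth include common-auth' '-auth optional pam_kwallet5.so' \
        '-session optional pam_kwallet5.so auto_start' > "$d/sddm"
    printf '%s\n' '#auth optional pam_kwallet5.so' > "$d/login"
    printf '%s\n' 'auth optional pam_kwallet.so' > "$d/xdm"
    echo "$d"
}

sample=$(make_sample_dir)
pam_kwallet_status "$sample" || echo "no service has both entries"
rm -rf "$sample"
```

Run against the real system with `pam_kwallet_status /etc/pam.d`; no output means no service file loads the module at all.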


About Neil Rickert

Retired mathematician and computer scientist who dabbles in cognitive science.

One response to “Using pam_kwallet with openSUSE”

  1. Anthony Accioly says :

    Yeah, chaining kwallet and Ksshaskpass is great. In Leap 42.3 we need to jump through some hoops (see: https://gist.github.com/Trucido/b788017a18e1189e6703e42315e8829c). Leap 15.0 and Tumbleweed packages have been updated to do it for us (https://forums.opensuse.org/showthread.php/521376-unlocking-kwallet-by-login-process?p=2838483#post28384830)

