…at least with KDE4 on openSUSE 12.2.
In a previous post I mentioned that there are single-sign-on methods available for KDE to open the wallet right on login, but they do not work when you’re using NIS accounts.
Turns out they do work after all; you just need to make sure that the reference to the pam_kwallet module comes after pam_unix2.so in common-auth, like this:

    #%PAM-1.0
    #
    # This file is autogenerated by pam-config. All changes
    # will be overwritten.
    #
    # Authentication-related modules common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
    # traditional Unix authentication mechanisms.
    #
    auth required pam_env.so
    auth required pam_unix2.so
    auth optional pam_kwalletopener.so use_first_pass
    auth optional pam_gnome_keyring.so
After this, you just add the two modules pam_dbus_launch and pam_kwallet in common-session like this (pam_dbus_launch needs to be before pam_systemd, and pam_kwallet at the end):

    #%PAM-1.0
    #
    # This file is autogenerated by pam-config. All changes
    # will be overwritten.
    #
    # Session-related modules common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of modules that define tasks to be performed
    # at the start and end of sessions of *any* kind (both interactive and
    # non-interactive
    #
    session required pam_limits.so
    session required pam_unix2.so
    session optional pam_umask.so
    session optional pam_dbus_launch.so dbus-launch=/usr/bin/dbus-launch
    session optional pam_systemd.so
    session optional pam_kwalletopener.so maxwait=60 session_timeout=360 localwallet start_daemon kwalletopener=/usr/bin/kwalletopener
    session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm

With these settings the PAM modules work with any kind of user account. Keep in mind that it will not work for automated logins where the system doesn’t actually prompt for a password.
The required pam modules can be installed from this OBS project.
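
Because both files are regenerated by pam-config, the ordering above can silently change. The following check is an added example, not part of the original post: it confirms the module order in the two files. The function names are made up for this example, and the third check simply mirrors the listing above, where pam_kwalletopener.so comes after pam_systemd.so.

```shell
#!/bin/sh
# Added example: verify the PAM module ordering this post relies on.

# module_pos FILE TYPE MODULE
# Prints the 1-based position of MODULE among the active TYPE lines of FILE
# (comments and blank lines are skipped); prints nothing if it is not loaded.
module_pos() {
    awk -v type="$2" -v mod="$3" '
        NF == 0 || $1 ~ /^#/ { next }
        {
            t = $1; sub(/^-/, "", t)          # "-session" marks an optional line
            if (t != type) next
            i = 2                             # control field, may be "[a=b c=d]"
            if ($2 ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            m = $(i + 1); sub(/.*\//, "", m)  # drop a directory prefix, if any
            n++
            if (m == mod) { print n; exit }
        }' "$1"
}

# loaded_before FILE TYPE FIRST SECOND
# Succeeds only if both modules are in the TYPE stack and FIRST comes first.
loaded_before() {
    a=$(module_pos "$1" "$2" "$3")
    b=$(module_pos "$1" "$2" "$4")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# check_kwallet_sso COMMON_AUTH COMMON_SESSION
check_kwallet_sso() {
    rc=0
    loaded_before "$1" auth pam_unix2.so pam_kwalletopener.so ||
        { echo "common-auth: pam_kwalletopener.so must come after pam_unix2.so"; rc=1; }
    loaded_before "$2" session pam_dbus_launch.so pam_systemd.so ||
        { echo "common-session: pam_dbus_launch.so must come before pam_systemd.so"; rc=1; }
    loaded_before "$2" session pam_systemd.so pam_kwalletopener.so ||
        { echo "common-session: pam_kwalletopener.so must come after pam_systemd.so"; rc=1; }
    return $rc
}

# Run as: sh check.sh /etc/pam.d/common-auth /etc/pam.d/common-session
if [ "$#" -eq 2 ]; then check_kwallet_sso "$1" "$2"; fi
```

The check is worth re-running after package updates or any pam-config invocation, since the file header states that manual changes will be overwritten.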
4 thoughts on “KWallet Single-Sign-On, at last!”
Just installed the pam_kwallet and it works flawlessly (with my local account). Finally I won’t have to repeat my password again and again. Thanks!
A quick note: the common-auth and common-session configuration files in openSUSE 13.1 RC1 changed a bit and refer to pam_unix.so instead of pam_unix2.so. Also the order changed a bit. I haven’t been able to figure out a configuration that works…
Also doesn’t work for me anymore since upgrading to openSUSE 13.1 and changing from pam_unix2.so to pam_unix.so