How do i correctly set up PAM for kdewallet?

I got tired of chromium nagging on every start about a wallet - so i tried to create one and setting up PAM by following the arch wiki instructions

Then on next boot, system doesn’t connect to wifi - i presume this is because the credentials have been stuffed into the wallet (which it never told me it would do) and it fails to open quickly enough or not at all, i’m not sure. (I typically start the pc then do something else for a few minutes before returning)

I tried to look for some logs, but that doesn’t seem to shed much light on the issue.

I have tried various steps described here, but no combination seems to work:

Do you use autologin or do you login by typing in your password on the login screen?

currently i let kde auto-login on boot - it doesn’t autologin on “resume from sleep”

Sometimes it is nice to have autologin, but other times I don’t really care for it.

I just needed to know because the process is different depending on that one factor. If you don’t use autologin. Then all you need to do is install the package kwallet-pam and make sure that your kwallet password is the same as your user password and that is it.

If you do use autologin then the login screen never gets a chance to open kwallet because you don’t actually see the login screen. In this case, you could set the kwallet password to be blank, but that is considered to be insecure.

The arch wiki article you linked to mentioned pam_autologin, but I’ll need to read more into that to see how that is supposed to work. Also you know that article you linked to is from 2014 right?

I’m aware but thought it might be worth a shot because I couldn’t get the steps in the first link to work.

Sorry it took so long. I was looking into the pam_autologin thing when I came across a feature request and merge request in sddm here and here.

Basically if you are already encrypting your disks then systemd already has a way to do this and we just need to use it.

Unlock kwallet on autologin

  1. suedit /etc/pam.d/sddm-autologin.

    Add the line:

    -auth optional

    above the line

    -auth optional

  2. sudo systemctl edit sddm.service.

    Add the following content

  3. Reboot

I tried it out myself, and after rebooting, then sure enough kwallet was opened on autologin. Apparently, Fedora was already using this trick with Gnome.

Of course, you still need things to line up. Meaning that the disk encryption password, the login password, and the kdewallet password all need to be the same for this to work.

Lastly, thanks for asking this question. Otherwise, I never would have looked into this issue and solved the problem on my system. I had just decided to live with the fact that autologin and automatic keyring unlocking couldn’t coexist.

1 Like

I do not have disk encryption enabled, how would that affect things?

And no worries. The response has been quicker than my expectations :+1:

Well without disk encryption that means there is no point in the process in which you type in your password, so this method wouldn’t work for you. This basically puts you back to the starting block. Most techniques depend on you entering your password at least once. The idea is to make it so you don’t have to do it multiple times.

This leaves you with the options of setting an empty password in kwallet which is insecure because all of your passwords are now saved in plain text or getting pam_autologin working which if I understand correctly will save the password in a root location. Not the most secure but definitely better than the no password at all option.

given the pros and cons i can think of; it seems sacrificing autologin is the easiest way out. Not ideal, but acceptable.

For pam_autologin, I found this thread on the forums. Maybe it will help:

Sorry, forget that last comment. I looked at the conclusion of that thread and it turns out pam_autologin is for automatically logging into tty’s it wasn’t meant to be used with desktop environments.