Requests to unlock KWallet automatically on login (assuming the wallet password and user password are the same), like gnome-keyring can do, have been going on for years: in fact, bug reports requesting this feature are quite old. Recently, thanks to the efforts of Alex Fiestas, a PAM module, which interfaces KWallet to the system authentication methods, has been developed. In parallel, the necessary glue code has been also added to the various parts of the KDE workspace so that it could make use of it.
While the module itself has not been released yet officially, it’s been used already by some distributions (Kubuntu). However documentation is lacking, so it could be hard to set it up for anyone else. This post provides some indications on how to set KWallet up with PAM.
Before we begin, a disclaimer: as we’re deailng with pre-release software, do everything at your own risk! Errors with PAM can lock you out of your system!
Also, ther’s no guarantee that these instructions, although they worked for me, will work for you. YMMV.
Prerequisites
You need to have libgcrypt and its development headers installed, and at least version 1.5.0 (earlier versions won’t work), along with the PAM development headers. Before beginning, change your wallet password to be the same as your login password (you chose a strong password, didn’t you ;).
Building pam-kwallet
Clone the git repository holding pam-kwallet (NOTE for posterity: the URL may change in the future once the code moves properly inside KDE’s official modules):
Then compile:
You may have to add -DLIB_SUFFIX=64 if you are using a 64 bit system or the library may get installed in the wrong path.
Install either as root or using sudo:
Hooking pam-kwallet to PAM
Once this is done, we need to hook pam-kwallet to PAM proper. These instructions have been made with inspiration from the Arch Linux Wiki entry on GNOME keyring and should be your reference in case of issues.
We’ll have to tell PAM that it can use our freshly built module as an authentication mechanism. We will be doing so by editing specific files under /etc/pam.d. All operations should be done as root or using sudo.
First, we edit /etc/pam.d/login (added lines are with). This is how it looks in my system (note: depending on your distro, it may and will look different)
Then we change /etc/pam.d/passwd. Notice that there is a caveat described below:
It is essential now that you notice whether you are using a default .kde for your KDE applications settings, or another name (for example .kde4 in openSUSE). If it is different from .kde, you must add an option which tells the PAM module where it is (it only involves modifications in /etc/pam.d/passwd):
Wrapping it up
After these changes, log out and back in. If everything is correct, you will not see password requests from KWallet, but you will see your wallet properly unlocked!
And if it doesn’t work?
I warned you. ;) More seriously, look in the authentication logs for clues to see whether there were PAM errors.