Description of problem:
pam-kwallet is starting kwalletd but is failing to pass the hash to it. From kwalletd main.cpp:

  hash = waitForHash();
  if (hash == NULL || waitForEnvironment() == -1) {

I see kwalletd stuck in waitForEnvironment(), presumably because hash == NULL.

(gdb) bt
#0 0x00007f5f48f38400 in __accept_nocancel () at /lib64/libpthread.so.0
#1 0x00007f5f4a667dd0 in waitForEnvironment() () at /usr/src/debug/kde-runtime-4.14.2/kwalletd/main.cpp:77
#2 0x00007f5f4a668067 in checkPamModule(int, char**) (argc=argc@entry=4, argv=argv@entry=0x7fff94baf978) at /usr/src/debug/kde-runtime-4.14.2/kwalletd/main.cpp:135
#3 0x00007f5f4a66813d in kdemain(int, char**) (argc=4, argv=0x7fff94baf978) at /usr/src/debug/kde-runtime-4.14.2/kwalletd/main.cpp:147

#2 0x00007f5f4a668067 in checkPamModule (argc=argc@entry=4, argv=argv@entry=0x7fff94baf978) at /usr/src/debug/kde-runtime-4.14.2/kwalletd/main.cpp:135
135 if (hash == NULL || waitForEnvironment() == -1) {
(gdb) print hash
$2 = <optimized out>

I don't know if any compiler optimization could conceivably cause waitForEnvironment() to be called without hash == NULL. I'm also not sure why waitForEnvironment() is called by kwalletd if it is called with --pam-login, but I suppose that's not a big issue.

I think we need some more debugging from pam-kwallet and/or kwalletd as to what is going wrong.

Version-Release number of selected component (if applicable):
pam-kwallet-0-0.6.20140508git49a5bc0.fc21.x86_64
Found this reference googling, https://www.redhat.com/archives/pam-list/2014-October/msg00000.html which may be relevant
Sheesh, I think I found the problem, from startkde:

  # At this point all the environment is ready, let's send it to kwalletd if running
  if test -n "$PAM_KWALLET_LOGIN" ; then
      env | socat STDIN UNIX-CONNECT:$PAM_KWALLET_LOGIN
  fi

We don't have any dependency pulling in socat :( I'll test to see if that being present magically fixes everything.
Did help on my f20/kdm setup @work, as a matter of fact:

$ echo $PAM_KWALLET_LOGIN
<empty>
Sorry "Did help" => "Did *not* help"
In my case, it looks like NFS $HOME is getting in the way (in journal):

Dec 05 09:39:39 math-171.unl.edu kdm[11969]: :0[11969]: Couldn't create directory: /Net/mathstat/Users/Staff/rdieter/.kde because: 13-Permission denied
Dec 05 09:39:39 math-171.unl.edu kdm[11969]: :0[11969]: Couldn't open file: /Net/mathstat/Users/Staff/rdieter/.kde/share/apps/kwallet/kdewallet.salt because: 13-Permission denied
Dec 05 09:39:39 math-171.unl.edu kdm[11969]: :0[11969]: kwalletd: Couldn't create or read the salt file
Dec 05 09:39:39 math-171.unl.edu kdm[11969]: :0[11969]: pam_kwallet(kdm:auth): pam_kwallet: Fail into creating the hash
FWIW - I have a local, unencrypted home directory.
pam-kwallet-0-0.7.20140508git49a5bc0.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/pam-kwallet-0-0.7.20140508git49a5bc0.fc21
pam-kwallet-0-0.7.20140508git49a5bc0.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/pam-kwallet-0-0.7.20140508git49a5bc0.fc20
Actually, I think we've just papered things over a bit here. So now we no longer hang on waitForEnvironment() as it is sent, but I think we're still supposed to pass the hash directly via a pipe.
Also, doesn't: /tmp/<user>.socket seem a bit lousy/insecure for PAM_KWALLET_LOGIN?
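Added example (not from the bug report, and not pam-kwallet or kwalletd code): an audit of a login socket path such as the /tmp/<user>.socket questioned above, plus a receiver for the `env | socat` hand-off that checks the sender's uid with Linux SO_PEERCRED. The function names, the private-directory layout and the sample environment are assumptions made for the illustration.

```python
import os, socket, stat, struct, tempfile, threading

def audit_socket_path(path):
    """Return findings for a login-time UNIX socket path (empty list = ok)."""
    findings = []
    if os.stat(os.path.dirname(path) or ".").st_mode & stat.S_IWOTH:
        # Sticky bit or not, another local user can pre-create a predictable name.
        findings.append("parent directory is world-writable")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings + ["path does not exist"]
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not a socket")
    if st.st_uid != os.geteuid():
        findings.append("owned by another uid")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("socket is accessible to group/other")
    return findings

def receive_environment(listener, expected_uid):
    """Accept one connection, verify the peer uid, parse KEY=VALUE lines."""
    conn, _ = listener.accept()
    with conn:
        size = struct.calcsize("3i")  # struct ucred: pid, uid, gid
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size)
        _pid, uid, _gid = struct.unpack("3i", raw)
        if uid != expected_uid:
            raise PermissionError(f"peer uid {uid} is not {expected_uid}")
        data = b"".join(iter(lambda: conn.recv(4096), b""))  # read until EOF
    lines = data.decode(errors="replace").splitlines()
    return {k: v for k, sep, v in (l.partition("=") for l in lines) if sep}

def demo():
    """Listener in a private 0700 directory; a thread plays the sender."""
    # Assumed layout: mkdtemp() creates the directory with mode 0700.
    path = os.path.join(tempfile.mkdtemp(prefix="kwallet-demo-"), "login.socket")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    os.chmod(path, 0o600)
    listener.listen(1)
    def sender():  # constructed sample environment, not real session data
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.connect(path)
            s.sendall(b"DISPLAY=:0\nHOME=/home/example\nnot-a-pair\n")
    t = threading.Thread(target=sender)
    t.start()
    env = receive_environment(listener, os.geteuid())
    t.join()
    listener.close()
    return env, audit_socket_path(path)
```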
Well, I'm an idiot apparently and can't parse the logic - we always run waitForEnvironment(), and the hash is being passed fine.
But more to the point - if the hash is passed in via pam_kwalletd, why do we need the environment passed in?
Package pam-kwallet-0-0.7.20140508git49a5bc0.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam-kwallet-0-0.7.20140508git49a5bc0.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16364/pam-kwallet-0-0.7.20140508git49a5bc0.fc20
then log in and leave karma (feedback).
pam-kwallet-0-0.7.20140508git49a5bc0.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
pam-kwallet-0-0.7.20140508git49a5bc0.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
I am still being asked to enter my gpg password after I have already entered my password at the login screen. I am using sddm on F21. My username and gpg key passwords are the same. I have set a gpg wallet as default in system settings.
My understanding is pam_kwallet does not work with gpg-encrypted wallets
It looks like both gpg and Blowfish encrypted wallets are asking for a password after the login. pam-kwallet-0-0.7.20140508git49a5bc0.fc21.x86_64