I did an update today and now the kwallet unlock popup comes on each login, no wifi access or any other app password access before I re-enter my login password.
What I have tried already:
- Set my password to the same password as my login (it was that prior to the update too)
- Check that /etc/pam.d/sddm has the correct lines. I noticed they had a dash before, while Arch Wiki shows them without dash, I tried to remove them and restart, didn't help
- Check that the .so file those lines reference exists in /usr/lib/security
I can't disable it or undo the password as I use it and store some sensitive info in it.
Sorry I don't have an answer to your problem. You seem to be thinking along the right lines though.
If you use startx and pipe all output to a file there’s a possibility you might see relevant errors in there?
eg:
startx -- -keeptty >~/.local/share/xorg/xorg.log 2>&1
No idea with wayland.
I don't think it's a good idea to use kwallet for sensitive information.
Any process running as your user, that knows how to talk to kwallet, can read all the keys when the wallet is unlocked.
So imho it's only marginally better than storing sensitive info in a plaintext file that is only readable by your user.
Edit: If you use a display manager you can probably set that up to produce a similar log.
First I wanted to check if it happens on X at all, since I don't use it. A regular login from sddm completely froze on the splash screen.
I will need a physical keyboard to test that command, so in some hours will do.
One more thing I tried was changing the user password, it prompted to also change the wallet password, which I did again, all same passwords, did not help
Same for me here … after the latest updates, kwallet-pam doesn't work anymore. KWallet isn't unlocked anymore after logging in.
All help on how to debug this would be greatly appreciated!
Just for the record: This seems to be a general problem. I have 4 Artix machines running, all with kwallet-pam installed. All opened kwallet as expected automatically when logging in – until recently. Now kwallet-pam doesn't work anymore on any of them.
Any idea about this? This really sucks :-(
What I can tell, I have upgraded my desktop, which then also did the same thing, but I saved the list of packages and saw that kwallet got upgraded from 6.17.0-1 to 6.18.0-1, I downgraded it back and it no longer does it. If you have downgrade from AUR, you can do
sudo downgrade kwallet
or if you do not, you can use
sudo pacman -U /var/cache/pacman/pkg/kwallet-6.17.0-1-x86_64.pkg.tar.zst
or whatever the highest version you have, that isn't 6.18.0-1. However, would be good if this got solved instead.
I checked kwallet-git and kwallet-pam-git from the AUR, they did not solve it
Upstream added this file: org.freedesktop.impl.portal.desktop.kwallet.service (https://invent.kde.org/frameworks/kwallet/-/commit/ecf9e2ec7fceca538a9266f5bb9488b4dced1d09)
Running: rm /usr/share/dbus-1/services/org.freedesktop.impl.portal.desktop.kwallet.service seems to be a workaround.
This seems to be the only real change since v6.17.0: https://invent.kde.org/frameworks/kwallet/-/compare/v6.17.0...v6.18.0
Maybe this runs before kwallet-pam and so the auto unlock does not work? Since it tries to access/start kwallet before kwallet-pam opens it automatically. But since it comes first we need to type our password in again?
The commit body of the commit which added this file:
Related Bug which triggered this new Bug: https://bugs.kde.org/show_bug.cgi?id=508870 and https://github.com/mozilla-mobile/mozilla-vpn-client/issues/10728
Maybe this file is only needed when not using kwallet-pam?
Thanks for the hint! I can confirm that both downgrading to kwallet-6.17.0-1 and removing /usr/share/dbus-1/services/org.freedesktop.impl.portal.desktop.kwallet.service from an installed 6.18.0 fixes the issue.
IMO this is a clear upstream bug. I filed the following bug report: https://bugs.kde.org/show_bug.cgi?id=509680
At least on my machine, it's indeed a race condition.
Before moving the dbus service file:
$ pgrep -la ksecretd
12886 /usr/bin/ksecretd
After moving the dbus service file:
$ pgrep -la ksecretd
8441 /usr/bin/ksecretd --pam-login 13 14
With a tool that logs what processes spawn what, I found that in the first case ksecretd is spawned by D-Bus, while in the second it's by sddm-helper (which seems to be what SDDM uses as a vessel for PAM modules).
I hacked the dbus service files for Turnstile in order to enable logging and found a likely culprit:
dbus-daemon[5289]: [session uid=1000 pid=5289 pidfd=5] Activating service name='org.freedesktop.portal.Desktop' requested by ':1.11' (uid=1000 pid=5345 comm="/usr/bin/kcminit_startup")
[...]
dbus-daemon[5289]: [session uid=1000 pid=5289 pidfd=5] Activating service name='org.freedesktop.impl.portal.desktop.kwallet' requested by ':1.12' (uid=1000 pid=5348 comm="/usr/lib/xdg-desktop-portal")
It seems xdg-desktop-portal (which is started by KDE's login procedure) starts kwallet before the PAM module does.
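Added example, not part of the original thread: a small shell check built on the two observations in the last post, namely whether the running ksecretd carries --pam-login and which process asked D-Bus to activate the kwallet portal backend. The function names and the labels they print are made up for this example; the sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and output labels are
# hypothetical; sample input below is copied from the post above.

# classify_ksecretd: reads `pgrep -la ksecretd` output on stdin.
# Prints "pam-login" if any ksecretd was started with --pam-login,
# "no-pam-login" if ksecretd runs without it, "not-running" otherwise.
classify_ksecretd() {
    awk '
        /ksecretd/ { seen = 1; if ($0 ~ /--pam-login/) pam = 1 }
        END {
            if (pam) print "pam-login"
            else if (seen) print "no-pam-login"
            else print "not-running"
        }'
}

# activation_requester SERVICE: reads dbus-daemon log lines on stdin and
# prints the comm="..." of the first process that requested activation of
# SERVICE. Prints nothing if the service was never activated in the log.
activation_requester() {
    awk -v svc="$1" -v q="'" '
        index($0, "Activating service name=" q svc q) {
            if (match($0, /comm="[^"]*"/)) {
                # skip the 6 chars of comm=" and drop the closing quote
                print substr($0, RSTART + 6, RLENGTH - 7)
                exit
            }
        }'
}

# Log lines as quoted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
dbus-daemon[5289]: [session uid=1000 pid=5289 pidfd=5] Activating service name='org.freedesktop.portal.Desktop' requested by ':1.11' (uid=1000 pid=5345 comm="/usr/bin/kcminit_startup")
dbus-daemon[5289]: [session uid=1000 pid=5289 pidfd=5] Activating service name='org.freedesktop.impl.portal.desktop.kwallet' requested by ':1.12' (uid=1000 pid=5348 comm="/usr/lib/xdg-desktop-portal")
EOF
)

printf 'before workaround: %s\n' \
    "$(printf '%s\n' '12886 /usr/bin/ksecretd' | classify_ksecretd)"
printf 'after workaround:  %s\n' \
    "$(printf '%s\n' '8441 /usr/bin/ksecretd --pam-login 13 14' | classify_ksecretd)"
printf 'kwallet portal backend requested by: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" |
        activation_requester org.freedesktop.impl.portal.desktop.kwallet)"
```

On a live session, feed classify_ksecretd from `pgrep -la ksecretd` and activation_requester from wherever your session dbus-daemon output is logged.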