Difference between revisions of "KDE Wallet"

From ArchWiki
(clearly not all passwords do land in the KDE-wallet. KDE is misleading its users.)
 
(30 intermediate revisions by 12 users not shown)
Line 4: Line 4:
 
[[ja:KDE Wallet]]
 
[[ja:KDE Wallet]]
 
[[zh-hans:KDE Wallet]]
 
[[zh-hans:KDE Wallet]]
[http://utils.kde.org/projects/kwalletmanager/ KDE Wallet Manager] is a tool to manage some passwords on your KDE Plasma system (others may be managed by seahorse and e.g. gksu). By using the KWallet subsystem it not only allows you to keep your own secrets but also to access and manage the passwords of every application that integrates with KWallet.
+
[http://utils.kde.org/projects/kwalletmanager/ KDE Wallet Manager] is a tool to manage passwords on the [[KDE]] Plasma system. By using the KWallet subsystem it not only allows you to keep your own secrets but also to access and manage the passwords of every application that integrates with KWallet.
  
 
== Unlock KDE Wallet automatically on login ==
 
== Unlock KDE Wallet automatically on login ==
  
If your KWallet password is the same as your username password, you can unlock your wallet automatically on login.
+
{{Note|
 +
* {{Pkg|kwallet-pam}} is not compatible with [[GnuPG]] keys, the KDE Wallet must use the standard {{ic|blowfish}} encryption.
 +
* The chosen KWallet password must be the same as the current [[user]] password.
 +
* The wallet cannot be unlocked when using autologin.
 +
* The wallet cannot be unlocked when using a fingerprint reader to login
 +
* The wallet must be named {{ic|kdewallet}} (default name). It does not unlock any other wallet(s).
 +
* If using [[KDE]], one may want to disable ''Close when last application stops using it'' in KDE Wallet settings to prevent the wallet from being closed after each usage ([[WiFi]]-passphrase unlock, etc.).
 +
* It may be needed to remove the default created wallet first, thus removing all stored entries.
 +
* If the kwallet Migration Assistant asks for a password after every login, rename or delete the {{ic|~/.kde4/share/apps/kwallet}} folder.
 +
}}
 +
 
 +
[[Install]] {{Pkg|kwallet-pam}} for the [[PAM]] compatible module.
 +
 
 +
Optional [[install]] {{Pkg|kwalletmanager}} for the wallet management tool. This tool can be used to create a KDE Wallet with {{ic|blowfish}} encryption and more settings not provided by the ''kcm-module''.
  
[[Install]] {{Pkg|kwallet-pam}} package.
+
{{Tip|An alternative is to use KWalletManager and set an empty Kwallet-password, thus preventing the need of entering a password to unlock a wallet. Simple don't enter a password on both fields in ''Change Password..''. This may however lead to unwanted (read/write) access to the user's wallet. Enabling ''Prompt when an application accesses a wallet'' under ''Access Control'' is highly recommended to prevent unwanted access to the wallet.}}
Then edit your login manager pam file and add the lines under their corresponding sections:
+
 
 +
=== Configure display manager ===
 +
 
 +
The following lines must be present under their corresponding sections:
  
 
{{bc|1=
 
{{bc|1=
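Review bot: In the added Tip, "Simple don't enter a password on both fields" should read "Simply leave both fields empty", and the added Note bullet "The wallet cannot be unlocked when using a fingerprint reader to login" is missing its final period and should use "log in". The bullet "It may be needed to remove the default created wallet first" also does not say in which situation that step applies, although it deletes all stored entries; state the condition so readers do not remove a working wallet.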
Line 18: Line 34:
 
}}
 
}}
  
For [[LightDM]], for example, edit {{ic|/etc/pam.d/lightdm}} and {{ic|/etc/pam.d/lightdm-greeter}} files:
+
It may be needed to edit the [[display manager]] configuration:
 +
* For [[SDDM]] no further edits should be needed because the lines are already present in {{ic|/etc/pam.d/sddm}}.
 +
* For [[GDM]] edit {{ic|/etc/pam.d/gdm-password}} accordingly.
 +
* For [[LightDM]] edit {{ic|/etc/pam.d/lightdm}} and {{ic|/etc/pam.d/lightdm-greeter}} files:
 +
 
 
{{hc|/etc/pam.d/lightdm|2=
 
{{hc|/etc/pam.d/lightdm|2=
 
#%PAM-1.0
 
#%PAM-1.0
Line 32: Line 52:
 
}}
 
}}
  
For [[GDM]], edit {{ic|/etc/pam.d/gdm-password}} accordingly.
+
== Using the KDE Wallet to store ssh key passphrases ==
 
+
{{Note|A [[SSH agent]] should be up and running.}}
For [[SDDM]], the right lines should already be present in {{ic|/etc/pam.d/sddm}}.
 
 
 
After restarting your wallet should unlock automatically if your user password is the same as your KWallet password.
 
 
 
{{Note|Currently, kwallet-pam has at least two limitations: first, it's not compatible with [[GnuPG]] keys, so KDE Wallet must use the standard blowfish encryption. Also, the wallet name must be "kdewallet" (that's the default name). If, for some reason, you create a new wallet, you need to use this name (so you will probably need to rename the old wallet too).}}
 
 
 
== Using the KDE Wallet to store ssh key passhprases ==
 
  
First, make sure that you have an [[SSH agent]] running.
+
[[Install]] {{Pkg|ksshaskpass}} package.
  
[[Install]] the {{Pkg|ksshaskpass}} package.
+
[[Create]] an [[KDE#Autostart|autostart script file]] and mark it as [[executable]]:
 
 
[[Create]] an autostart file and mark it executable with [[chmod]]:
 
 
{{hc|~/.config/autostart-scripts/ssh-add.sh|
 
{{hc|~/.config/autostart-scripts/ssh-add.sh|
 
#!/bin/sh
 
#!/bin/sh
 
ssh-add </dev/null
 
ssh-add </dev/null
 
}}
 
}}
 
{{Move|KDE#Autostarting applications|General autostarting instructions belong there}}
 
  
 
{{Tip|The above ssh-add.sh script will only add the default key {{ic|~/.ssh/id_rsa}}. Assuming you have different SSH keys named {{ic|key1}}, {{ic|key2}}, {{ic|key3}} in {{ic|~/.ssh/}}, you may add them automatically on login by changing the above script to:
 
{{Tip|The above ssh-add.sh script will only add the default key {{ic|~/.ssh/id_rsa}}. Assuming you have different SSH keys named {{ic|key1}}, {{ic|key2}}, {{ic|key3}} in {{ic|~/.ssh/}}, you may add them automatically on login by changing the above script to:
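Review bot: The removed sentence "After restarting your wallet should unlock automatically if your user password is the same as your KWallet password." was the only statement of the expected result of the PAM setup, and none of the added lines replaces it. Suggest keeping one line after the display manager list that says the wallet unlocks on the next login. In the added Note, "A [[SSH agent]]" should be "An [[SSH agent]]", and the added "[[Install]] {{Pkg|ksshaskpass}} package." has lost the article the old line had.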
Line 62: Line 71:
 
}}
 
}}
  
You also have to set the {{ic|SSH_ASKPASS}} [[environment variable]], see [[Environment variables#Defining variables]]. E.g.:
+
You also have to set the {{ic|SSH_ASKPASS}} [[environment variable]] to {{ic|ksshaskpass}}. For example, create the following [[KDE#Autostart|autostart script file]] and mark it [[executable]]:
  
{{bc|<nowiki>
+
{{hc|~/.config/plasma-workspace/env/ssh-askpass.sh|2=
export SSH_ASKPASS="/usr/bin/ksshaskpass"
+
#!/bin/sh
</nowiki>}}
+
 
 +
SSH_ASKPASS='/usr/bin/ksshaskpass'
 +
export SSH_ASKPASS
 +
}}
  
 
It will ask for your password and unlock your SSH keys. Upon restart your SSH keys should be unlocked once you give your kwallet password.  
 
It will ask for your password and unlock your SSH keys. Upon restart your SSH keys should be unlocked once you give your kwallet password.  
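Review bot: The replaced sentence linked [[Environment variables#Defining variables]], while the added text gives only the Plasma-specific ~/.config/plasma-workspace/env/ssh-askpass.sh, so readers who start their session another way lose the general pointer; keep the link next to the example. The added text also uses the [[KDE#Autostart|autostart script file]] label for this file, the same label used for ~/.config/autostart-scripts/ssh-add.sh, although the two live in different directories; call it an environment script to keep them apart.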
Line 76: Line 88:
 
and append the key to the list of keys in {{ic|~/.config/autostart-scripts/ssh-add.sh}} as explained above to have it unlocked upon providing the kwallet password.
 
and append the key to the list of keys in {{ic|~/.config/autostart-scripts/ssh-add.sh}} as explained above to have it unlocked upon providing the kwallet password.
  
== KDE Wallet for Firefox ==
+
== Using the KDE Wallet to store Git http/https credentials ==
  
There is an addon to make Firefox store passwords with [https://addons.mozilla.org/addon/kde5-wallet-password-integrati/ KDE5 Wallet].
+
[[Git]] can delegate credentials handling to KDE Wallet using a helper like {{Pkg|ksshaskpass}}
  
{{Note|As of Firefox 57 this addon is not supported anymore. Make sure to set up a masterpassword in order to get a basic protection for your stored passwords.}}
+
[[Install]] the {{Pkg|ksshaskpass}} package.
  
== KDE Wallet for Chrome and Chromium ==
+
Run the following command to configure Git:
  
Chrome/Chromium has built in wallet integration. To enable it, run Chromium with the {{ic|1=--password-store=kwallet}} or {{ic|1=--password-store=detect}} argument. To make the change persistent, see [[Chromium/Tips and tricks#Making flags persistent]]. (Setting CHROMIUM_USER_FLAGS will not work.)
+
$ git config --global core.askpass /usr/bin/ksshaskpass
  
== Troubleshooting ==
+
See {{man|7|gitcredentials}} for details.
  
=== Inotify folder watch limit ===
+
== KDE Wallet for Chrome and Chromium ==
  
If you get the following error:
+
Chrome/Chromium has built in wallet integration. To enable it, run Chromium with the {{ic|1=--password-store=kwallet}} or {{ic|1=--password-store=detect}} argument. To make the change persistent, see [[Chromium/Tips and tricks#Making flags persistent]]. (Setting CHROMIUM_USER_FLAGS will not work.)
 
 
KDE Baloo Filewatch service reached the inotify folder watch limit. File changes may be ignored.
 
 
 
Then you will need to increase the inotify folder watch limit:
 
 
 
# echo 524288 > /proc/sys/fs/inotify/max_user_watches
 
 
 
To make changes permanent, create a {{ic|40-max-user-watches.conf}} file:
 
 
 
{{hc|/etc/sysctl.d/40-max-user-watches.conf|2=
 
fs.inotify.max_user_watches=524288
 
}}
 
  
 
== See also ==
 
== See also ==
  
 
* [https://www.dennogumi.org/2014/04/unlocking-kwallet-with-pam/ Unlocking KWallet with PAM]
 
* [https://www.dennogumi.org/2014/04/unlocking-kwallet-with-pam/ Unlocking KWallet with PAM]
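Review bot: The added Git section calls ksshaskpass "a helper" and points to gitcredentials(7), but the command it gives sets core.askpass, which names the program that prompts for the password and is a different setting from credential.helper. Suggest "an askpass program such as {{Pkg|ksshaskpass}}" so readers do not go looking for a credential.helper entry. The sentence starting "[[Git]] can delegate credentials handling" is also missing its final period.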

Latest revision as of 02:52, 19 September 2019

KDE Wallet Manager is a tool to manage passwords on the KDE Plasma system. By using the KWallet subsystem it not only allows you to keep your own secrets but also to access and manage the passwords of every application that integrates with KWallet.

Unlock KDE Wallet automatically on login

Note:
  • kwallet-pam is not compatible with GnuPG keys; the KDE Wallet must use the standard blowfish encryption.
  • The chosen KWallet password must be the same as the current user password.
  • The wallet cannot be unlocked when using autologin.
  • The wallet cannot be unlocked when using a fingerprint reader to log in.
  • The wallet must be named kdewallet (default name). It does not unlock any other wallet(s).
  • If using KDE, one may want to disable Close when last application stops using it in KDE Wallet settings to prevent the wallet from being closed after each usage (WiFi-passphrase unlock, etc.).
  • It may be necessary to remove the wallet created by default first, which removes all stored entries.
  • If the kwallet Migration Assistant asks for a password after every login, rename or delete the ~/.kde4/share/apps/kwallet folder.

Install kwallet-pam for the PAM compatible module.

Optionally, install kwalletmanager for the wallet management tool. This tool can be used to create a KDE Wallet with blowfish encryption and to change settings not provided by the kcm-module.

Tip: An alternative is to use KWalletManager and set an empty KWallet password, so that no password has to be entered to unlock a wallet. Simply leave both fields empty in Change Password... This may however lead to unwanted (read/write) access to the user's wallet. Enabling Prompt when an application accesses a wallet under Access Control is highly recommended to prevent unwanted access to the wallet.

Configure display manager

The following lines must be present under their corresponding sections:

auth            optional        pam_kwallet5.so
session         optional        pam_kwallet5.so auto_start

It may be necessary to edit the display manager configuration:

  • For SDDM no further edits should be needed because the lines are already present in /etc/pam.d/sddm.
  • For GDM edit /etc/pam.d/gdm-password accordingly.
  • For LightDM edit /etc/pam.d/lightdm and /etc/pam.d/lightdm-greeter files:
/etc/pam.d/lightdm
#%PAM-1.0
auth            include         system-login
auth            optional        pam_kwallet5.so

account         include         system-login

password        include         system-login

session         include         system-login
session         optional        pam_kwallet5.so auto_start
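One way to confirm that a display manager's PAM file carries both lines described above. This is an added example, not part of the ArchWiki page or of kwallet-pam; the function names check_kwallet_pam, sample_ok and sample_broken are hypothetical and both sample files are constructed.

```shell
# Audit a PAM service file (path in $1, or stdin) for the two pam_kwallet5.so lines.
# Prints one line per problem; the exit status is the number of problems (0 = OK).
check_kwallet_pam() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }              # skip comments and blank lines
        {
            type = $1; sub(/^-/, "", type); mod = 0 # PAM allows a leading "-" on the type
            for (i = 2; i <= NF; i++) {             # control may be a multi-word [...] block,
                m = $i; sub(/.*\//, "", m)          # and the module may be an absolute path
                if (m == "pam_kwallet5.so") { mod = i; break }
            }
            if (!mod) next
            if (type == "auth") auth = 1
            if (type == "session") {
                session = 1
                for (i = mod + 1; i <= NF; i++) if ($i == "auto_start") start = 1
            }
        }
        END {
            if (!auth)       { print "missing: auth optional pam_kwallet5.so"; n++ }
            if (!session)    { print "missing: session optional pam_kwallet5.so auto_start"; n++ }
            else if (!start) { print "session line has no auto_start"; n++ }
            exit n + 0
        }
    ' "${1:--}"
}

# Constructed sample: the LightDM file shown above.
sample_ok() {
    printf '%s\n' '#%PAM-1.0' \
        'auth            include         system-login' \
        'auth            optional        pam_kwallet5.so' \
        'account         include         system-login' \
        'password        include         system-login' \
        'session         include         system-login' \
        'session         optional        pam_kwallet5.so auto_start'
}

# Constructed sample: auth line commented out and auto_start left off.
sample_broken() {
    printf '%s\n' '#%PAM-1.0' \
        'auth            include         system-login' \
        '#auth           optional        pam_kwallet5.so' \
        'session         include         system-login' \
        'session         optional        pam_kwallet5.so'
}

sample_ok | check_kwallet_pam && echo "ok sample: both lines present"
sample_broken | check_kwallet_pam || echo "broken sample: $? problem(s)"
```

On a real system the function would be called with the file path, for example check_kwallet_pam /etc/pam.d/lightdm.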

Using the KDE Wallet to store ssh key passphrases

Note: An SSH agent should be up and running.

Install the ksshaskpass package.

Create an autostart script file and mark it as executable:

~/.config/autostart-scripts/ssh-add.sh
#!/bin/sh
ssh-add </dev/null

Tip: The above ssh-add.sh script will only add the default key ~/.ssh/id_rsa. Assuming you have different SSH keys named key1, key2, key3 in ~/.ssh/, you may add them automatically on login by changing the above script to:

~/.config/autostart-scripts/ssh-add.sh
#!/bin/sh
ssh-add $HOME/.ssh/key1 $HOME/.ssh/key2 $HOME/.ssh/key3 </dev/null

You also have to set the SSH_ASKPASS environment variable to ksshaskpass. For example, create the following autostart script file and mark it executable:

~/.config/plasma-workspace/env/ssh-askpass.sh
#!/bin/sh

SSH_ASKPASS='/usr/bin/ksshaskpass'
export SSH_ASKPASS

It will ask for your password and unlock your SSH keys. After a restart, your SSH keys should be unlocked once you give your KWallet password.

To add a new key and store the password with KWallet, use the following command:

$ ssh-add /path/to/new/key </dev/null

and append the key to the list of keys in ~/.config/autostart-scripts/ssh-add.sh as explained above to have it unlocked upon providing the KWallet password.

Using the KDE Wallet to store Git http/https credentials

Git can delegate credential handling to KDE Wallet using a helper like ksshaskpass.

Install the ksshaskpass package.

Run the following command to configure Git:

$ git config --global core.askpass /usr/bin/ksshaskpass

See gitcredentials(7) for details.

KDE Wallet for Chrome and Chromium

Chrome/Chromium has built-in wallet integration. To enable it, run Chromium with the --password-store=kwallet or --password-store=detect argument. To make the change persistent, see Chromium/Tips and tricks#Making flags persistent. (Setting CHROMIUM_USER_FLAGS will not work.)

See also