After the update to 6, when i connect to wifi now I get two wallet access prompts.
First kded6 wants to access the wallet, then kwalletmanager wants to access the wallet. Why is that?
You get the request from kded6 due to this bug:
https://bugzilla.opensuse.org/show_bug.cgi?id=1221371
https://bugs.kde.org/show_bug.cgi?id=480380
If you have the wallet set up to use the same password as your login password and you have the PAM module installed, the wallet should open automatically at login.
If you’re on Tumbleweed, try reinstalling pam_kwallet (was replaced by pam_kwallet6 for Plasma 6). On Neon you need libpam-kwallet5 apparently. For Arch etc. I’m not sure what the modules are called.
Why KWalletManager has to access the wallet too I don’t know, I only get the single access prompt from kded6.
The Arch package seems to be kwallet-pam (now upgraded to 6.0 together with the rest of Plasma).
Why would I want my wallet open as I login?! Is that the common usecase? everyone should already have encryption at rest filesystems, what extra protection this gives you in a single user system?
I want to authorize or deny each request because i’m a control freak and want to know when something is misbehaving.
neither of those two bugs apply to my case. I do not open it at login, and force close it after x minutes.
…actually, after reading the bugs i realize the fix to the first bug actually got me. now the wallet is open at login.
If I manually close it, then turning on wifi only gives me the kded6 prompt, not the one for kwalletmanager… hum. That’s even weirder. Sucks that those prompt have so little info to begin with.
interesting. never installed it myself (i only install meta/group/virtual packages for KDE stuff) and I had it installed on my system. but I don’t seem to be using it.
I will probably have to read more about kwallet. I don’t give it much thought as I don’t think it is an active safety for any threat i care about.
But with the wallet “closed” whatever that means, i can login to wifi only answering yes to the kded6 request if the wallet is closed. if the wallet is open (i don’t think i even have a password to it. or i am unwittingly using the pam stuff to unlock with my login) then i get one prompt for kded6 and another for kwalletmanager. If i deny the second one, it will show a second time and then go away (wifi connects after saying yes to the kded6 so not sure what the second prompts are even doing).
the only other use cases i have for the kwallet system is to mark “deny” for ksshaskpass thing and okular, because i do not whish to store password for those things and don’t want a prompt at all.
edit: by wallet closed i mean, when it shows on kwalletmanager “the wallet is closed” at the top. I dont’ know if the manager being open means it is some level of open or not.
edit2: i guess i am using pam module
$ grep kwallet /etc/pam.d/*
/etc/pam.d/sddm:5:-auth optional pam_kwallet5.so
/etc/pam.d/sddm:15:-session optional pam_kwallet5.so auto_start
/etc/pam.d/sddm-autologin:8:-auth optional pam_kwallet5.so
/etc/pam.d/sddm-autologin:13:-session optional pam_kwallet5.so auto_start
Ok. Reading some more, and going back to my first message.
I Do want to get the prompt for kded6. because i’d like to authorize every access to my passwords. and networkmanager wants the wifi password. so i do want to see that prompt. That is OK.
The problem is the subsequent prompts for kwalletmanager. Why do i get those?!
solved this by treating kde wallet subsystem as a nuisance rather than a feature.
Since I already have encryption at rest, and following the only sane use case possible with kdewallet implementation, which is to unlock it at login and mostly allow everything access to it; it adds zero security whatsoever.
So, i only leave wifi passwords there. Allow kded6 to always access it, and kdemanager5 to never access it (i have no idea why it even asks for access in the first place). and will not even consider using it for anything slightly serious, ever.