Oct 26 2013
 

…at least with KDE4 on openSUSE 12.2.

In a previous post I mentioned that there are single-sign-on methods available for KDE to open the wallet right on login, but they do not work when you’re using NIS accounts.

Turns out they do work after all; you just need to make sure that the reference to the pam_kwallet module comes after pam_unix2.so in common-auth, like this:

#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth required pam_unix2.so
auth optional pam_kwalletopener.so use_first_pass
auth optional pam_gnome_keyring.so

After this, you just add the two modules pam_dbus_launch and pam_kwallet in common-session like this (pam_dbus_launch needs to be before pam_systemd, and pam_kwallet at the end):

#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive
#
session required        pam_limits.so
session required        pam_unix2.so
session optional        pam_umask.so
session optional        pam_dbus_launch.so dbus-launch=/usr/bin/dbus-launch
session optional        pam_systemd.so
session optional        pam_kwalletopener.so    maxwait=60 session_timeout=360 localwallet start_daemon kwalletopener=/usr/bin/kwalletopener
session optional        pam_gnome_keyring.so    auto_start only_if=gdm,gdm-password,lxdm,lightdm

With these settings the PAM modules work with any kind of user account. Keep in mind that it will not work for automated logins where the system doesn’t actually prompt for a password.

The required pam modules can be installed from this OBS project.
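
The ordering rules above can be checked mechanically. The following is an added example, not part of the original post or of the packages: a POSIX shell check that reads common-auth and common-session and reports any module that is out of order. The function names are hypothetical, and the third check (pam_kwalletopener.so after pam_systemd.so) is an assumption read off the placement shown in the listing.

```shell
#!/bin/sh
# Added example: checks the PAM ordering described in the post.
# Function names are hypothetical, not part of any package.

# pam_line FILE TYPE MODULE
# Prints the line number of the first active entry of TYPE loading MODULE.
pam_line() {
    awk -v t="$2" -v m="$3" '
        /^[ \t]*#/ { next }                  # ignore comment lines
        $1 == t || $1 == ("-" t) {           # "-type" entries count too
            for (i = 3; i <= NF; i++) {      # module may follow a [..] control
                n = $i
                sub(/^.*\//, "", n)          # drop a leading directory
                if (n == m) { print NR; exit }
            }
        }' "$1"
}

# pam_before FILE TYPE FIRST SECOND
# Succeeds only if both modules are present and FIRST comes before SECOND.
pam_before() {
    a=$(pam_line "$1" "$2" "$3")
    b=$(pam_line "$1" "$2" "$4")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# check_kwallet_sso [DIR]
# Returns 0 if DIR (default /etc/pam.d) follows the ordering from the post.
check_kwallet_sso() {
    d=${1:-/etc/pam.d}
    rc=0
    pam_before "$d/common-auth" auth pam_unix2.so pam_kwalletopener.so || {
        echo "common-auth: pam_kwalletopener.so must come after pam_unix2.so" >&2
        rc=1
    }
    pam_before "$d/common-session" session pam_dbus_launch.so pam_systemd.so || {
        echo "common-session: pam_dbus_launch.so must come before pam_systemd.so" >&2
        rc=1
    }
    # Assumption: "at the end" is read as "after pam_systemd.so", as in the listing.
    pam_before "$d/common-session" session pam_systemd.so pam_kwalletopener.so || {
        echo "common-session: pam_kwalletopener.so must come after pam_systemd.so" >&2
        rc=1
    }
    return $rc
}
```

Both files carry the header "autogenerated by pam-config. All changes will be overwritten", so the check is worth repeating after anything that reruns pam-config.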

Nov 14 2011
 

It seems that “the community” consists of three separate groups of people:

  1. the people who loudly demand features
  2. the developers who loudly debate the ethical, moral, technical and religious impacts of implementing the features demanded by 1.
  3. the small group of developers who watch 1. and 2. and at some point say “Oh for crying out loud. What a noise over 5 lines of code.”

As an example, look at the discussion over the feature request in kmail where someone wants kmail to be able to remove attachments from mails.

As another example, look at this one. Some people would like to see single-sign-on in KDE4. The discussion was long and loud.

And, if you Google a bit, you find that the wallet daemon has had the required dbus call since KDE 4.4.2, for crying out loud!

It’s just that no one has bothered to point a finger at the required PAM modules and helpers.

I’ve packaged them for openSUSE. Get them from my OBS project, configure them as described in the readme files included in the packages, and you have single sign-on.

Note: single sign-on only happens if you actually enter a password on login. The typical SUSE setup with a user session starting automatically on boot can’t work with this.

Note: this seems to work only for local user accounts, but not in a NIS environment.
