New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos: add optional pam_kwallet5 integration #22813
Conversation
@benley, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @abbradar and @markus2342 to be potential reviewers. |
@@ -212,6 +212,15 @@ let | |||
''; | |||
}; | |||
|
|||
enableKwallet = mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the name of this option, it would seem necessary to enable it to use kwallet at all, which is not true. The description does not contradict that interpretation. Please either change the name or mention this in the description.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done - I've kept the option name but made the description much more explicit.
nixos/modules/security/pam.nix
Outdated
type = types.bool; | ||
description = '' | ||
Enable pam_kwallet to automatically unlock user KDE Wallets | ||
upon login (if their wallet password matches their login password) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens if this is enabled, but my wallet password does not match my login password?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Your wallet just won't be auto-unlocked, and KDE will prompt you for the wallet password when it is needed. I will make sure to test things like that prior to merging this change.
nixos/modules/security/pam.nix
Outdated
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth | ||
${optionalString config.security.pam.enableEcryptfs | ||
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} | ||
${optionalString cfg.pamMount | ||
"auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} | ||
${optionalString cfg.enableKwallet | ||
"auth optional ${pkgs.kde5.kwallet-pam}/lib/security/pam_kwallet5.so auto_start"} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the docs say the auth optional
bit doesn't need the auto_start
option: https://wiki.archlinux.org/index.php/KDE_Wallet
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Whoops, you are right. Fixing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even better, it turns out that auto_start
does absolutely nothing with pam_kwallet. It appears that it was accidentally copied over from the pam_gnome_keyring config at some point, and that tidbit has been repeated in many places around the net ever since.
This should be ready for another look now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, @ttuegel?
Motivation for this change
https://wiki.archlinux.org/index.php/KDE_Wallet
Nice-to-have KDE wallet integration.