[feature] autologin with cached password from systemd-cryptsetup

[SebastianS90]

I have a feature proposal regarding autologin:

It is currently not possible to automatically unlock kwallet when using autologin and a non-empty wallet password.
When booting a luks-encrypted system, then systemd prompts for a password. This password is cached in the kernel keyring for user root.
When autologin is enabled, then SDDM should retrieve the password from there and inject it into the pam stack, such that pam_kwallet5.so can use it. With that addition, the following scenario will be possible:

• When booting the machine, I am prompted for the hard disk encryption password
• After entering that password, the system starts up including starting my desktop session and unlocking the wallet (using the same password as provided during boot) without any further interruption
• With the open kwallet, I can also unlock other applications

GDM already has that feature and it doesn't look very complicated.

[Vincent43]

What's practical difference between this and using an empty password?

[SebastianS90]

I have checked the Promt when an application accesses a wallet option in kwallet, so evil processes cannot just query my open wallet for secret data. But an evil process running under my user account could steal the wallet file from disk. If I have a password set for the wallet and my user account, then the wallet file is encrypted. If the password is empty, then the wallet is not encrypted.

So the difference is added security for the case that something bad happens in my user account.

[Vincent43]

I think you greatly overestimate kwallet security. It's barely maintained tool with outdated encryption algorithms. It's better to treat it as management tool not security tool. For protecting user account you can try solutions like selinux,apparmor,firejail,flatpak etc. For secure password manager check pass.

https://news.ycombinator.com/item?id=9715432
https://bbs.archlinux.org/viewtopic.php?id=233278

[Grief]

@Vincent43 kwallet is on an encrypted partition, this is the question of the usability only. If the feature @SebastianS90 was asking is implemented then it would be possible to have a single password to securely boot the system from start until unlocked session and kwallet/gnome-keyring.

[Vincent43]

@Grief My point is that you can achieve the same thing with empty kwallet password without writing single line of code.

[Grief]

@Vincent43 for me it would be useful to protect the whole disk with the strong encryption to save the data from an unauthorized access if I lose my device or it is stolen. Also, I'd like to benefit from sddm password protection, kwallet password, and gnome-keyring password to keep the information hidden from my colleges who have psychical access to the device while I go out to smoke a cigarette. If it doesn't make sense to you, I also have keepass with the database stored in dropbox. It has the same long password and it is annoying to type it twice. To avoid that I have to keep the password in a plain text file inside the encrypted partition and use a simple script which unlocks keepass with the password from that file. While the proposed solution is not more secure, it would be much more straightforward to transfer the password from the moment when it is typed first to all apps which need it without storing it anywhere.

[Vincent43]

Well, we are talking only about kwallet here. Sddm password protection is fully compatible with autologin. I don't know if pam plugin for keepass even exist. For your usecase perhaps locking screen give you more protection than just locking kwallet.

[Grief]

Not quite correct. The issue is for taking kernel keyring into account when loggin in. It is not the same as auto login because auto login, well, works unconditionally (and has the issues with locking the workstation later) while using kernel keyring is not different from other types of authentication like raw password or fingerprint

[Vincent43]

I assume when you want to use password only once for unlocking encrypted volume and logging into desktop session you want it to work unconditionally. The only difference with using keyring is option to unlock kwallet which was discussed extensively already.

I don't know about any locking issues. I you found a bug please open new issue about it.

[Grief]

@Vincent43 ok, I got your point. If you have objections to kwallet and keepass, how about gnome-keyring? It is not outdated and pam_gnome_keyring exists. Your proposal to use autologin would require removing password protection from the gnome keystore or typing it every time after the login.

[Vincent43]

You are right , however using gnome-keyring with sddm is a weird choice when gdm exist 😄 .

I'm not opposing systemd keyring integration but keeping in mind that sddm development is rather slow I wouldn't hold my breath while waiting for it.

Meanwhile having empty kwallet password is reasonable workaround.

[Grief]

@Vincent43 Using gnome-keyring at the same time with sddm is a compelled action. Skype for linux and some other applications use it without an option to switch to kwallet or other keystore.

[jinliu]

Found a workaround. This functionality in gdm is in a single pam module. It has no dependency to rest of gdm, so I can use it in sddm as well:

1. copy pam_gdm.so from gdm to /usr/lib/security
2. modify /etc/pam.d/sddm-autologin, add "auth optional pam_gdm.so" before "-auth optional pam_gnome_keyring.so" line.
3. systemctl edit sddm.service, add:

[Service]
KeyringMode=inherit

so it can read the kernel keyring of root user (systemd forbids this by default).
4. your initrd should be based on systemd: https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Using_sd-encrypt_hook

[lf-]

FYI this has been basically done by systemd now so we don't even need a new pam module. Just use pam_systemd_loadkey.