KWallet: Difference between revisions

From Foxwiki
Revision as of 18 October 2020, 09:20

Linux:Sicherheit:SingleLogin

Goal

Prerequisites

Procedure

Installation

Configuration

Background

  • The KDE Wallet Manager is a password manager that lets you centrally store and manage credentials and passwords under Plasma5 for all programs that interact with KWallet (Network Manager, KMail, etc.).
  • This article describes the integration into SDDM (Simple Desktop Display Manager), the default display manager of the Plasma5 desktop.
  • KWallet is already installed as part of a standard installation.
  • After installing pam_kwallet, the SDDM configuration file /etc/pam.d/sddm still has to be adjusted. Editing the file requires root privileges.

Add the following lines to the configuration file:

 auth optional pam_kwallet5.so
 session optional pam_kwallet5.so auto_start

Example /etc/pam.d/sddm:

 #%PAM-1.0
 auth include common-auth
 auth optional pam_kwallet5.so
 account include common-account
 password include common-password
 session required pam_loginuid.so
 session include common-session
 session optional pam_kwallet5.so auto_start

Important

For the wallet to be opened automatically after login, the user password and the KWallet password must be identical.
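
The two pam_kwallet5 entries can be checked mechanically after editing the file. The following lint is an added example, not part of the original wiki page; it assumes simple "type control module args" lines, and the sample file it writes is a constructed copy of the example above.

```sh
#!/bin/sh
# Added example: lint a PAM service file for the two pam_kwallet5 entries.
# check_pam_kwallet FILE -> 0 ok, 1 an entry is missing, 2 present but not optional.
# Assumption: plain "type control module args" lines, no [value=action] controls.
check_pam_kwallet() {
    awk '
        NF < 3 || $1 ~ /^#/ { next }                 # blank, short or comment line
        $3 !~ /(^|\/)pam_kwallet5\.so$/ { next }     # some other module
        { type = $1; sub(/^-/, "", type) }           # PAM allows a "-" prefix on the type
        $2 != "optional" { strict = 1 }
        type == "auth" { auth = 1 }
        type == "session" {
            for (i = 4; i <= NF; i++) if ($i == "auto_start") autostart = 1
        }
        END {
            if (!auth)      { print "missing: auth optional pam_kwallet5.so"; rc = 1 }
            if (!autostart) { print "missing: session optional pam_kwallet5.so auto_start"; rc = 1 }
            if (!rc && strict) {
                print "pam_kwallet5.so is not optional: its result now influences the login decision"
                rc = 2
            }
            exit rc + 0
        }
    ' "$1"
}

# Constructed sample: the example /etc/pam.d/sddm shown on this page.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#%PAM-1.0
auth include common-auth
auth optional pam_kwallet5.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_kwallet5.so auto_start
EOF

check_pam_kwallet "$sample" && echo "sample sddm file: both pam_kwallet5 entries present"
```

On a real system the function would be pointed at /etc/pam.d/sddm instead of the sample file.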

Examples

#!/usr/bin/env bash
# set -xv
# exec 1>~/keepass.sh.log 2>&1

echo opening KeepassXC ...
# kwallet-query prints the stored password on stdout; keepassxc reads it from stdin
kwallet-query -f 'keepass' -r 'keepass' kdewallet | keepassxc --pw-stdin ~/cloud/pwd/pwd.kdbx &

echo opening volume geschäftlich ...
kwallet-query -f 'volumes' -r 'geschaeftlich' kdewallet | sirikali -b stdin -d /media/daten/.geschaeftlich/ -z /home/dirkwagner/geschaeftlich/ &

echo opening volume privat ...
kwallet-query -f 'volumes' -r 'privat' kdewallet | sirikali -b stdin -d /media/daten/.privat/ -z /home/dirkwagner/privat/ &

KeePassXC

Opening KeePass securely and automatically in KDE

  • So I use KeePass a lot as my password manager.
  • Why you should use a password manager is a little beyond this post, but it’s a great way to securely store individual passwords for every use you have, so you can use more secure passwords that you’ll never remember, and when one password is compromised, the other accounts you have remain secure.
  • KeePass works well in Ubuntu Linux using the Mono library, and it also works with Android and Windows, which I need.
  • There is a KeePassX project for a native port, but the normal version works well enough for me.
  • So when I logged into KDE4 I would have to type in my Kwallet password (kwallet is the password manager built into KDE – if anyone builds a plugin to read Keepass files, I will send you money) so I could connect to the WIFI, then I would have to type in the master password for KeePass, and then occasionally KOrganizer will ask for my gmail password to sync the calendar.
  • This sucks, so I wrote a quick little script to store my KeePass master password in Kwallet, and when KDE starts, retrieve it and start KeePass automatically from the file in my Dropbox folder.
#!/bin/bash
# startup keepass with a password from KWallet
walletkey=$(/usr/bin/kwalletcli -f Passwords \
-e KeePass)
#open Keepass
mono /opt/KeePass2/KeePass.exe --lock &

#give keepass enough time to actually open, otherwise results are inconsistent
sleep 3

# Tell KeePass to open your password database
mono /opt/KeePass2/KeePass.exe "/home/user/Dropbox/keepass/passwords.kdbx" -pw:"$walletkey"
  • Then save this script somewhere (I put it in /usr/local/bin/) and then go into Settings -> startup/shutdown and tag it as a script to start when you log into KDE.
  • So now I just log in, type in my Kwallet password, and KeePass opens as well.

EDIT – 2015-04-06

  • Thanks to everyone who commented below with their ideas on improving this script.
  • As mentioned, there’s a security issue with this script, which can be reduced by not using the password directly on the command line.
  • There are two methods below, YMMV, but I ended up with this hybrid:
#!/bin/bash
# startup keepass with a password from KWallet
walletkey=$(/usr/bin/kwalletcli -f Passwords -e KeePass)
dbpath="/home/user/Dropbox/keepass/passwords.kdbx"
echo "$walletkey" | mono /opt/KeePass2/KeePass.exe "$dbpath" --pw-stdin

  • This works really well, and the password is only available briefly, really reducing the ease at which it can be sniffed.
  • Still not 100%, but security is always a tradeoff between ease of use and effectiveness. Thanks for everyone’s help!
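
Why the revised script reduces exposure, shown as an added example that is not part of the original post: on Linux a process's arguments can be read from /proc/PID/cmdline, while data piped to stdin cannot. `fake-keepass` is a stand-in process name and the secret is a constructed value.

```sh
#!/bin/sh
# Added example, Linux only: compares a secret passed as an argument (-pw:...)
# with one piped to stdin (--pw-stdin).
# "fake-keepass" is a stand-in name; SECRET is a constructed value.
SECRET='constructed-master-password'

# visible_in_proc PID -> 0 if SECRET can be read from /proc/PID/cmdline,
# 1 if not, 2 if the process vanished. By default that file is readable by
# every local user (unless /proc is mounted with hidepid).
visible_in_proc() {
    i=0 args=
    while [ "$i" -lt 50 ]; do            # wait until the child has exec'ed
        args=$(tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline") || return 2
        case $args in *fake-keepass*) break ;; esac
        i=$((i + 1)); sleep 0.1
    done
    case $args in *"$SECRET"*) return 0 ;; *) return 1 ;; esac
}

# launch_and_check argv|stdin -> starts the stand-in and reports exposure
launch_and_check() {
    case $1 in
        argv)   # first script on the page: the password is part of argv
            sh -c 'sleep 3; :' fake-keepass "-pw:$SECRET" >/dev/null 2>&1 & ;;
        stdin)  # revised script: printf is a builtin in bash and dash, so the
                # secret never becomes part of any process's argument vector
            printf '%s\n' "$SECRET" |
                sh -c 'read -r pw; sleep 3; :' fake-keepass --pw-stdin >/dev/null 2>&1 & ;;
        *) return 2 ;;
    esac
    pid=$!
    visible_in_proc "$pid"; rc=$?
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    return "$rc"
}

for mode in argv stdin; do
    if launch_and_check "$mode"; then
        echo "$mode: secret readable in /proc/PID/cmdline"
    else
        echo "$mode: secret not in /proc/PID/cmdline"
    fi
done
```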

Links

Internal

External

  1. https://wiki.ubuntuusers.de/KDE_Passwortspeicher/
  2. http://thisisnt.com/opening-keepass-securely-and-automatically-in-kde/