KWallet
Opening KeePass securely and automatically in KDE
So I use KeePass a lot as my password manager. Why you should use a password manager is a little beyond this post, but it’s a great way to securely store individual passwords for every use you have, so you can use more secure passwords that you’ll never remember, and when one password is compromised, the other accounts you have remain secure. KeePass works well in Ubuntu Linux using the Mono library, and it also works with Android and Windows, which I need. There is a KeePassX project for a native port, but the normal version works well enough for me.

So when I logged into KDE4 I would have to type in my KWallet password (KWallet is the password manager built into KDE – if anyone builds a plugin to read KeePass files, I will send you money) so I could connect to the Wi-Fi, then I would have to type in the master password for KeePass, and then occasionally KOrganizer will ask for my Gmail password to sync the calendar. This sucks, so I wrote a quick little script to store my KeePass master password in KWallet, and when KDE starts, retrieve it and start KeePass automatically from the file in my Dropbox folder.
    #!/bin/bash
    # startup keepass with a password from KWallet
    walletkey=$(/usr/bin/kwalletcli -f Passwords \
        -e KeePass)
    # open KeePass
    mono /opt/KeePass2/KeePass.exe --lock &
    # give KeePass enough time to actually open, otherwise results are inconsistent
    sleep 3
    # Tell KeePass to open your password database
    # (the master password is passed as a command-line argument here)
    mono /opt/KeePass2/KeePass.exe \
        "/home/user/Dropbox/keepass/passwords.kdbx" \
        "-pw:$walletkey"
- Then save this script somewhere (I put it in /usr/local/bin/) and then go into Settings -> startup/shutdown and tag it as a script to start when you log into KDE.
- So now I just log in, type in my KWallet password, and KeePass opens as well.
EDIT – 2015-04-06
- Thanks to everyone who commented below with their ideas on improving this script.
- As mentioned, there’s a security issue with this script, which can be reduced by not using the password directly on the command line.
- There are two methods below, YMMV, but I ended up with this hybrid:
    #!/bin/bash
    # startup keepass with a password from KWallet
    walletkey=$(/usr/bin/kwalletcli -f Passwords -e KeePass)
    dbpath="/home/user/Dropbox/keepass/passwords.kdbx"
    # pipe the password to KeePass on stdin instead of passing it as an argument
    echo "$walletkey" | mono /opt/KeePass2/KeePass.exe "$dbpath" \
        --pw-stdin
- This works really well, and the password is only available briefly, really reducing the ease at which it can be sniffed.
- Still not 100%, but security is always a tradeoff between ease of use and effectiveness. Thanks for everyone’s help!
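The difference between the two scripts above, as an added example that is not part of the original post: a stand-in child process is launched both ways (instead of KeePass), and the check reports whether the secret can be read from the process argument list. The names `proc_args`, `argv_exposure`, `standin` and `db.kdbx` and the sample secret are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): shows why piping the password
# to --pw-stdin is safer than passing -pw:<password> on the command line.
# A stand-in child process replaces KeePass so the check runs anywhere.

# Print the argument vector of a running PID, one argument per line.
# On a default Linux setup this is readable by other local users.
proc_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' '\n' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Launch the stand-in the way each script launches KeePass and report
# whether the secret shows up in its argv: prints "exposed" or "hidden".
argv_exposure() {
    local mode="$1" secret="$2" tries=0 result=hidden pid
    case $mode in
        argv)   # first script: password is part of the command line
            sh -c 'sleep 1; :' standin db.kdbx "-pw:$secret" >/dev/null 2>&1 &
            ;;
        stdin)  # revised script: password travels through a pipe
            printf '%s\n' "$secret" |
                sh -c 'read -r pw; sleep 1; :' standin db.kdbx --pw-stdin >/dev/null 2>&1 &
            ;;
        *) echo "usage: argv_exposure argv|stdin SECRET" >&2; return 2 ;;
    esac
    pid=$!
    # Wait (bounded) until the child has exec'ed and its own argv is visible.
    while [ "$tries" -lt 500 ] && ! proc_args "$pid" 2>/dev/null | grep -q standin; do
        tries=$((tries + 1))
    done
    if proc_args "$pid" 2>/dev/null | grep -qF -- "$secret"; then
        result=exposed
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$result"
}

# Constructed sample secret, for demonstration only.
for mode in argv stdin; do
    printf '%-5s -> %s\n' "$mode" "$(argv_exposure "$mode" 'constructed-demo-secret')"
done
```

Mounting /proc with the `hidepid` option restricts this argv visibility to the owning user, which narrows the exposure of the first script but does not remove it.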
Source
SDDM/Plasma5: Open KWallet automatically at login
- The KDE Wallet Manager is a password manager that lets you centrally store and manage credentials and passwords under Plasma5 for all programs that interact with KWallet (Network Manager, KMail, etc.).
- This post describes the integration with SDDM (Simple Desktop Display Manager), the default display manager of the Plasma5 desktop on openSUSE Leap 42.1.
- KWallet is already installed as part of a default installation.
- However, pam_kwallet, which is strictly required, is missing from the current repository.
- An RPM package is available in the following repository: KDE_Unstable_Extra_openSUSE_Leap_42.1.
EDIT, 17.05.2019
- Since Plasma 5.6.4, pam_kwallet has been included in the KF5 Frameworks repository.
- After installing pam_kwallet, the SDDM configuration file /etc/pam.d/sddm still has to be adjusted. Root privileges are required to edit the file.
- The following lines are added to the configuration file:

    auth     optional  pam_kwallet5.so
    session  optional  pam_kwallet5.so auto_start

Example /etc/pam.d/sddm:

    #%PAM-1.0
    auth     include   common-auth
    auth     optional  pam_kwallet5.so
    account  include   common-account
    password include   common-password
    session  required  pam_loginuid.so
    session  include   common-session
    session  optional  pam_kwallet5.so auto_start

- Important: For the password manager to be opened automatically after login, the user password and the KWallet password must be identical.
Source
- file:///home/dirkwagner/geschaeftlich/services/sicherheit/passwoerter/kwallet/KWalletAutomatischBeimLoginOeffnen.html
    kwallet-query -f 'Passwords' -r 'KPDB' kdewallet | keepassxc --pw-stdin ~/passwd.kdbx

    #!/usr/bin/env bash
    # set -xv
    # exec 1>~/keepass.sh.log 2>&1
    echo opening KeepassXC ...
    kwallet-query -f 'keepass' -r 'keepass' kdewallet | keepassxc --pw-stdin \
        ~/cloud/pwd/pwd.kdbx &
    echo opening volume geschäftlich ...
    kwallet-query -f 'volumes' -r 'geschaeftlich' kdewallet | sirikali -b stdin \
        -d /media/daten/.geschaeftlich/ -z /home/dirkwagner/geschaeftlich/ &
    echo opening volume privat ...
    kwallet-query -f 'volumes' -r 'privat' kdewallet | sirikali -b stdin -d /media/daten/.privat/ -z /home/dirkwagner/privat/ &