+1

We're going to try to get this in place for F40, but also we want to make sure KWallet is a secrets service provider, so that we can stop shipping gnome-keyring...

Arch Wiki documentation on this: https://wiki.archlinux.org/title/KDE_Wallet

I don't know what sets it but SSH_ASKPASS is already /usr/bin/ksshaskpass

This is a bit weird imo because when you create a new ssh key it won't be added to kwallet until you logout and re-login

secrets API was tracked here: https://pagure.io/fedora-kde/SIG/issue/340

and it's still blocked on https://bugs.kde.org/show_bug.cgi?id=466197 for flatpaks

secrets API was tracked here: https://pagure.io/fedora-kde/SIG/issue/340

and it's still blocked on https://bugs.kde.org/show_bug.cgi?id=466197 for flatpaks

hey @aleasto it looks like https://bugs.kde.org/show_bug.cgi?id=466197 was fixed. what does that mean for https://pagure.io/fedora-kde/SIG/issue/340 ?

It sounds like there might need to be some testing required here before release to close this out. We were able to confirm on #340 that kwallet is working with the Secrets api now.

@kinghat do you mind testing this on a vm with the latest updates to see if ksshaskpass can unlock automatically if the login passwords match and Remember password has been checked when using ssh the first time?

@kinghat do you mind testing this on a vm with the latest updates to see if ksshaskpass can unlock automatically if the login passwords match and Remember password has been checked when using ssh the first time?

in a fresh updated vm i created an ed25519 key with password, inserted that pub key to a separate machines authorized keys file, and tried to connect via user@ip of the separate machine. i was only able to get it to ask me for the keys password in the terminal and not via prompt with a "remember password" option.

tangential:

if the login passwords match

do the passwords really need to match if its going to remember the password for you? it would just auto unlock via kwallet with the keys different but saved password.

Sorry, I didn't mean the SSH password. I meant the kwallet password. From arch wiki:

The chosen KWallet password must be the same as the current user password.
An alternative is to use KWalletManager and set an empty Kwallet-password, thus preventing the need of entering a password to unlock a wallet.

I'll see what it looks like in my VM to confirm as well

Alright so in the brand new VM, SSH_ASKPASS is set to gnome_ssh_askpass and SSH_ASKPASS_REQUIRE is blank

SSH_ASKPASS is set via /etc/profile.d/gnome-ssh-askpass.sh so it seems like something that would need to be removed and replaced with an equivalent script for ksshaskpass that exports both SSH_ASKPASS and SSH_ASKPASS_REQUIRE

Does anyone know if there is a repo that generates what's in the profile.d folder? cc: @aleasto

So it appears that /etc/profile.d/gnome-ssh-askpass.sh is provided by the package openssh-askpass

It sounds like a new package needs to be created. lxqt has a package called lxqt-openssh-askpass that kde could mimic but the sig would need someone to own that package

Getting this in for F41 is cutting it really close but is technically still possible.

We can put it in kde-settings for now.

Alright, I'll attempt it on kde-settings
I don't have it exporting SSH_ASKPASS_REQUIRE here because the reference scripts didn't.

https://pagure.io/fedora-kde/kde-settings/pull-request/19#

We'll also have to make sure that ksshaskpass is in the comps groups / in Kinoite as well.

We'll also have to make sure that ksshaskpass is in the comps groups / in Kinoite as well.

https://pagure.io/fedora-comps/blob/7155a848970fba2b0d482d9ac8708cc8a05ddf6e/f/comps-f41.xml.in#_3034

It's in comps for F41 though I'm not sure about Kinoite