On Mon, 2019-12-02 at 18:16 +0000, Zbigniew Jędrzejewski-Szmek wrote: > On Mon, Dec 02, 2019 at 10:44:46AM -0700, John M. Harris Jr wrote: > > On Monday, December 2, 2019 9:48:05 AM MST Przemek Klosowski via devel wrote: > > > On 11/27/19 2:59 AM, Zbigniew Jędrzejewski-Szmek wrote: > > > > On Tue, Nov 26, 2019 at 09:39:59AM -0700, Chris Murphy wrote: > > > > > Mayyyybee systemd-homed is in > > > > > a position to solve this by having early enough authentication > > > > > capability by rescue.target time that any admin user can login? > > > > > > > > Actually, it may. Things are confusing here, because systemd-homed is > > > > implemented together with changes to how user metadata querying is done: > > > > instead of using dbus, a brokerless and much simpler varlink query is > > > > used. > > > > That last part is what would be relevant to early-boot logins, because > > > > less services need to be up to bring up the user session. > > > > > > There's one tricky feature of homed : remote login (ssh) is only > > > possible after an initial local login. It is OK for his intended use (a > > > personal laptop/tablet client), except for corner cases like a remotely > > > accessed personal desktop in the basement that might get rebooted e.g. > > > for updates, resulting in an accidental lockout. > > > > Basically, systemd-homed is useless for any power user, but might be useful > > for people just getting into GNU/Linux, who don't use ssh yet or don't have > > more than one system. > > How often do you ssh *into* your laptop? Actually all the time - my (personal home) laptop is where my hobby projects live, where various SSH private keys are, etc. So I SSH there to connect to another machine using the SSH keys, to work an my hobby projects from a workstation computer at home, etc. And this is just "human" SSH sessions, various automated rsync/scp connections might happen as well. > I occasionally do, but more > because I can than because I really need to. systemd-homed is most > suited for the case of a portable personal device, and this is exactly > the type of device one is relatively unlikely to access from the > network. So I don't think this limitation is so terrible. > > Nevertheless, I'm pretty sure that a workaround for this will be made > anyway. I think the latest version of the patchset allows exporting > the authorized_keys content in the non-encrypted metadata for the user. > > Zbyszek > _______________________________________________ > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
