On Mon, Dec 2, 2019 at 9:48 AM Przemek Klosowski via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote: > > On 11/27/19 2:59 AM, Zbigniew Jędrzejewski-Szmek wrote: > > On Tue, Nov 26, 2019 at 09:39:59AM -0700, Chris Murphy wrote: > > Mayyyybee systemd-homed is in > a position to solve this by having early enough authentication > capability by rescue.target time that any admin user can login? > > Actually, it may. Things are confusing here, because systemd-homed is > implemented together with changes to how user metadata querying is done: > instead of using dbus, a brokerless and much simpler varlink query is used. > That last part is what would be relevant to early-boot logins, because > less services need to be up to bring up the user session. > > There's one tricky feature of homed : remote login (ssh) is only possible after an initial local login. It is OK for his intended use (a personal laptop/tablet client), except for corner cases like a remotely accessed personal desktop in the basement that might get rebooted e.g. for updates, resulting in an accidental lockout. It's not just an issue for systemd-homed, this problem applies to any user home encryption implementation when the user has not first authenticated/unlocked their user home. e.g. if you install with /home encrypted in Anaconda, in fact your boot stops at plymouth in the initramfs so sshd is thwarted from even starting in the first place; and even if GNOME Shell's login were to be enhanced to do this unlock, still requires unlock. Basically you have to choose between user home security (or more specifically privacy) and remote logins. However, there are some ideas that could possibly work around this, to varying degrees of inelegance, which I'll gratuitously copy from a related Workstation WG issue [1]. 1. Enhance openssh's PAM support 2. Stub account to ssh into, whereby the user is prompted to authenticate+unlock the real account; and now ssh into the real account. 3. Same as 2 but maybe it's possible to bind mount the real home dir over the stub home dir, eliminating the 2nd login? (Vaguely recall reading about this somewhere, maybe Ubuntu's use of ecryptfs based home, now since deprecated in favor of LUKS) 4. If based on any fscrypt implementation, exclude ~/.ssh/ from encryption [1] https://pagure.io/fedora-workstation/issue/82#comment-614193 -- Chris Murphy _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
