On Mon, Dec 2, 2019 at 10:45 AM John M. Harris Jr <johnmh@xxxxxxxxxxxxx> wrote: > > On Monday, December 2, 2019 9:48:05 AM MST Przemek Klosowski via devel wrote: > > On 11/27/19 2:59 AM, Zbigniew Jędrzejewski-Szmek wrote: > > > On Tue, Nov 26, 2019 at 09:39:59AM -0700, Chris Murphy wrote: > > >> Mayyyybee systemd-homed is in > > >> a position to solve this by having early enough authentication > > >> capability by rescue.target time that any admin user can login? > > > > > > Actually, it may. Things are confusing here, because systemd-homed is > > > implemented together with changes to how user metadata querying is done: > > > instead of using dbus, a brokerless and much simpler varlink query is > > > used. > > > That last part is what would be relevant to early-boot logins, because > > > less services need to be up to bring up the user session. > > > > There's one tricky feature of homed : remote login (ssh) is only > > possible after an initial local login. It is OK for his intended use (a > > personal laptop/tablet client), except for corner cases like a remotely > > accessed personal desktop in the basement that might get rebooted e.g. > > for updates, resulting in an accidental lockout. > > Basically, systemd-homed is useless for any power user, but might be useful > for people just getting into GNU/Linux, who don't use ssh yet or don't have > more than one system. I disagree with all of this, including the predisposition that this limitation can't be worked around somehow. I ssh into various laptops around the home office on a daily basis, I'm not going to give that up. Based on the systemd-homed presentation, slides, and the early code review happening, it addresses a number of concerns the Workstation WG has in making forward progress to secure user data by default. It's almost 2020, and I shouldn't have to pick and choose between remote access and securing user data at rest by default. We surely can have our cake and eat it too. -- Chris Murphy _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
