On Mo, 02.12.19 10:44, John M. Harris Jr (johnmh@xxxxxxxxxxxxx) wrote:

> On Monday, December 2, 2019 9:48:05 AM MST Przemek Klosowski via devel wrote:
> > On 11/27/19 2:59 AM, Zbigniew Jędrzejewski-Szmek wrote:
> > > On Tue, Nov 26, 2019 at 09:39:59AM -0700, Chris Murphy wrote:
> > > > Mayyyybee systemd-homed is in a position to solve this by having
> > > > early enough authentication capability by rescue.target time that
> > > > any admin user can login?
> > >
> > > Actually, it may. Things are confusing here, because systemd-homed is
> > > implemented together with changes to how user metadata querying is
> > > done: instead of using dbus, a brokerless and much simpler varlink
> > > query is used.
> > > That last part is what would be relevant to early-boot logins, because
> > > fewer services need to be up to bring up the user session.
> >
> > There's one tricky feature of homed: remote login (ssh) is only
> > possible after an initial local login. It is OK for his intended use (a
> > personal laptop/tablet client), except for corner cases like a remotely
> > accessed personal desktop in the basement that might get rebooted e.g.
> > for updates, resulting in an accidental lockout.
>
> Basically, systemd-homed is useless for any power user, but might be useful
> for people just getting into GNU/Linux, who don't use ssh yet or don't have
> more than one system.

You can SSH into a systemd-homed account just fine, you just need to unlock
the home directory once first, for example by logging in locally.

The key to unlock the home directory needs to come from somewhere, hence a
PAM authentication has to take place once, so that systemd-homed can derive
the LUKS key once from the pw you enter. However, if you never authenticated
via PAM (but via ssh authorized keys only) then there's no pw to unlock the
volume with.

It's exactly the same as with LUKS encrypted traditional /home or root btw,
except that the unlocking is moved a bit later: i.e. things are just much
worse there, because you have to enter the pw at boot already and thus your
secrets are already unlocked when you haven't even logged in.

Also note that on Fedora Workstation we default to suspend-on-idle these
days. i.e. when you don't actually work on the laptop the laptop is
suspended and not reachable via SSH at all, hence adding systemd-homed
doesn't make anything worse in that regard...

Lennart

--
Lennart Poettering, Berlin
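An added sshd_config illustration of the point Lennart makes above (not from the thread or the systemd project): a pubkey-only SSH login never runs a PAM password conversation, so systemd-homed has no passphrase from which to derive the LUKS key. Requiring a PAM keyboard-interactive step in addition to the key, for the homed-managed user `alice` (an assumed name), gives homed that passphrase on the first remote login; it assumes pam_systemd_home is in the system's PAM stack and that Fedora's default `UsePAM yes` is kept.

```conf
# /etc/ssh/sshd_config (excerpt, added example, not Fedora's shipped file)

# Keep PAM enabled so the homed PAM module sees the authentication.
UsePAM yes

# Weak for a homed user: key-only login succeeds at the SSH layer but the
# encrypted home stays locked, so the session has no usable home directory.
#   AuthenticationMethods publickey

# Corrected for the homed-managed account: the key is still required, and
# the PAM keyboard-interactive step supplies the password homed needs to
# derive the LUKS key (assumed user name "alice").
Match User alice
    ChallengeResponseAuthentication yes
    AuthenticationMethods publickey,keyboard-interactive
```

After `sshd -t` validates the file and the service is reloaded, a later key-only login works normally once the home has been unlocked in this way, which is the "unlock once first" behaviour described above.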