On Wed, Dec 4, 2019 at 6:01 AM Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
> (One thinkable extension of homed's current model btw is to support
> logind lingering by asking for the user pw using plymouth. This would
> then mean you'd be asked to unlock your user during early boot, as
> with classic disk encryption, and then it remains unlocked for the
> entire lifetime of the system. But I am not sure it's worth it; if you
> are happy with such a much weaker model you might as well use regular
> full disk encryption and have the home dirs themselves just be plain
> directories)
>
> Lennart

If someone wants to spend that much of their resources on homedir security, they need to decide whether they want SSH key based access. That is manageable by configuring SSH to store SSH public keys in an alternate location and informing the users of the modified sshd_config and its modified, accessible "AuthorizedKeysFile" setting. Or the user can spend the time and effort to activate Kerberos based logins, or use password based logins.

I'd avoid trying to rewrite SSH for such an OS-specific and non-portable need as homedir decryption mounting. In common usage, very few people encrypt their home directories separately from their basic disk image. It makes system management for administrators or even a local root user very awkward. I could see it for home directories in "/home", and it would only cost SSH key based access, not ordinary password or Kerberos ticket based login.

But it sounds quite risky and destabilizing, much as the "kill dangling processes when people log out". That caused a lot of shock when it was activated by default and started killing processes with no logging. Let's not repeat a surprise like that and avoid killing SSH key access by default.
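As an added illustration of the AuthorizedKeysFile point above (this is example code written for this page, not from the post or the systemd/OpenSSH projects): a small checker that reads an sshd_config and reports whether any configured key location is reachable before the user's home is mounted. The sample path /etc/ssh/authorized_keys.d/%u is a constructed example; %u and %h are real sshd tokens.

```python
"""Check whether public-key SSH logins stay reachable while a user's home is
still locked (as with a homed-managed home): sshd resolves relative
AuthorizedKeysFile entries and the %h token under $HOME, so those files are
unreadable until the home is mounted. Only the global setting is inspected."""
import re

DEFAULT_AUTHORIZED_KEYS = ".ssh/authorized_keys .ssh/authorized_keys2"  # sshd default


def effective_authorized_keys_file(config_text):
    """Return the global AuthorizedKeysFile value; per sshd_config(5) the first
    value wins, and anything after a Match line is conditional, so it is skipped."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments / blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
        elif keyword == "authorizedkeysfile" and not in_match:
            return value
    return DEFAULT_AUTHORIZED_KEYS


def home_dependent_paths(value):
    """Entries that live under $HOME: relative paths, or paths using %h
    (a literal %% is not a token, so it is stripped before the check)."""
    if value.lower() == "none":
        return []
    return [e for e in value.split()
            if not e.startswith("/") or "%h" in e.replace("%%", "")]


def keys_survive_unmounted_home(config_text):
    """True if at least one authorized-keys location is outside the home dir."""
    value = effective_authorized_keys_file(config_text)
    if value.lower() == "none":
        return False
    unreachable = set(home_dependent_paths(value))
    return any(e not in unreachable for e in value.split())


# Constructed sample configs for this demonstration, not from the post.
STOCK_CONFIG = "#AuthorizedKeysFile .ssh/authorized_keys\nPasswordAuthentication yes\n"
HOMED_FRIENDLY_CONFIG = (
    "AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u .ssh/authorized_keys\n"
    "Match User backup\n"
    "    AuthorizedKeysFile .ssh/backup_keys\n"
)
```

With the stock config every key file sits under the (locked) home, so key logins fail until the home is unlocked; the second config keeps a system-wide copy under /etc that sshd can read first.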
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx