On Mo, 02.12.19 10:44, John M. Harris Jr (joh...@splentity.com) wrote:

> On Monday, December 2, 2019 9:48:05 AM MST Przemek Klosowski via devel wrote:
> > On 11/27/19 2:59 AM, Zbigniew Jędrzejewski-Szmek wrote:
> > > On Tue, Nov 26, 2019 at 09:39:59AM -0700, Chris Murphy wrote:
> > >> Mayyyybee systemd-homed is in
> > >> a position to solve this by having early enough authentication
> > >> capability by rescue.target time that any admin user can login?
> > >
> > > Actually, it may. Things are confusing here, because systemd-homed is
> > > implemented together with changes to how user metadata querying is done:
> > > instead of using dbus, a brokerless and much simpler varlink query is
> > > used.
> > > That last part is what would be relevant to early-boot logins, because
> > > less services need to be up to bring up the user session.
> >
> > There's one tricky feature of homed : remote login (ssh) is only
> > possible after an initial local login. It is OK for his intended use (a
> > personal laptop/tablet client), except for corner cases like a remotely
> > accessed personal desktop in the basement that might get rebooted e.g.
> > for updates, resulting in an accidental lockout.
> Basically, systemd-homed is useless for any power user, but might be useful
> for people just getting into GNU/Linux, who don't use ssh yet or don't have
> more than one system.

You can SSH into a systemd-homed account just fine, you just need to
unlock the home directory once first, for example by logging in
locally. The key to unlock the home directory needs to come from
somewhere, hence a PAM authentication has to take place once, so that
systemd-homed can derive the LUKS key once from the pw you
enter. However, if you never authenticated via PAM (but via ssh
authorized keys only) then there's no pw to unlock the volume with.

It's exactly the same as with LUKS encrypted traditional /home or root
btw, except that the unlocking is moved a bit later: i.e. things are
just much worse there, because you have to enter the pw at boot
already and thus your secrets are already unlocked when you haven't
even logged in.

Also note that on Fedora Workstation we default to suspend-on-idle
these days. i.e. when you don't actually work on the laptop the laptop
is suspended and not reachable via SSH at all, hence adding
systemd-homed doesn't make anything worse in that regard...


Lennart Poettering, Berlin
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 

Reply via email to