Re: [systemd-devel] Creating a roaming USB home area using homectl
Hello everybody,

when trying a portable user, I also do not get to the goal. I created the user archie on the computer 1, modified PAM as described in the wiki (https://wiki.archlinux.org/index.php/Systemd-homed#Enabling_PAM_modules) and I was able to successfully log on to computer 1. Then I copied (as described above) /var/lib/systemd/home/local.public to computer 2 (as computer1.public) and also inserted the usb-stick there. Despite reboot, the login does not work. Systemd-homed.service issues the following message:

systemd-homed[509]: Failed to query quota on /home/, ignoring.
systemd-homed[509]: Discovered new home for user archie through image /dev/disk/by-uuid/9564fd15-5077-4827-bf45-6b123035c1b4
systemd[1]: Started Home Area Manager.
systemd-homed[509]: archie: changing state unfixated → fixating-for-acquire
systemd-homed[509]: Fixation failed: Key has been revoked
systemd-homed[509]: archie: changing state fixating-for-acquire → unfixated
systemd-homed[509]: Got notification that all sessions of user archie ended, deactivating automa>
systemd-homed[509]: Home archie already deactivated, no automatic deactivation needed.

homectl list shows the user archie next to the other locally (on computer 2) created as unfixed.

archie 60022 60022 unfixated archie /home/archie /bin/bash
fred 60001 60001 inactive fred /home/fred /bin/bash
janski 60497 60497 inactive janski /home/janski /bin/bash

Am I missing another important step here that homed can be used on computer 2 with the portable user?

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Creating a roaming USB home area using homectl
Thanks for your response, Lennart!

I've created the requisite public keys to /var/lib/systemd/home; but things still aren't working. Based on issue https://github.com/systemd/systemd/issues/15178 am I correct in understanding that the key revocation warning also covers instances where the identity has not been locally created (or is empty)?

Is there a way to "re-fixate" a home area (setting up group membership / etc) using homectl, or do you need to manually create the appropriate "*.identity" file?

Best,
M

On Tue, 31 Mar 2020 at 07:21, Lennart Poettering wrote:

> On So, 08.03.20 22:07, Matthew Wardrop (mpward...@gmail.com) wrote:
>
> > Greetings all,
> >
> > When I heard news of systemd-homed I was excited, since it was my
> > understanding I'd be able to ferry only my external hard drive between home
> > and work during my bicycle commute, and be able to forget about user id
> > issues/etc. I tried to set it up, but must be missing something.
> >
> > On one machine I ran:
> > $ sudo homectl create mawardrop --storage=luks -G docker -G wheel -G input --image-path=/dev/sdc --shell=/usr/bin/zsh
> > (where /dev/sdc was my external hard drive).
> >
> > Everything works well locally. I can log in, and out, and the luks image
> > successfully mounts and unmounts; but when I attempt to log in on a
> > different machine also configured with systemd-homed, I come across two
> > issues.
> >
> > 1) In order for `homectl list` to show my new home folder, I need to
> > restart the homed service after plugging in the hard drive. That means I
> > need to have it plugged in on machine boot, or log in as a different user
> > and restart the service, for it to show up in the login manager.
>
> Hmm, this is a bug. This should just work... homed subscribes to udev
> events to see everything plugged in. Can you file a bug about this?
>
> > 2) Even once visible, it appears as "unfixated". Any operations on the home
> > area such as `authenticate` or `activate` result in the error: "Operation
> > on home mawardrop failed: Failed to execute operation: Key has been
> > revoked".
>
> homed doesn't allow just anyone to log in. It signs user records with a
> cryptographic key, and only allows users signed by a key known locally
> to log in.
>
> This needs better documentation, but the essence is that homed uses
> a private key stored in /var/lib/systemd/home/local.private to sign
> records with, and accepts all records signed by public keys matching
> /var/lib/systemd/home/*.public. If you create a local user and
> /var/lib/systemd/home/local.private does not exist yet, a new key is
> automatically generated and stored there, and its public key stored in
> /var/lib/systemd/home/local.public.
>
> This means, if you want users created on machine quux to be able to
> log into machine waldo, make sure to copy quux's
> /var/lib/systemd/home/local.public file to waldo, maybe into a file
> /var/lib/systemd/home/quux.public.
>
> > Am I just too early to the game, in that multi-machine setups are not yet
> > supported? Or is there something obvious I am missing?
>
> They are supported, just underdocumented ;-)
>
> Lennart
>
> --
> Lennart Poettering, Berlin
Re: [systemd-devel] Creating a roaming USB home area using homectl
On So, 08.03.20 22:07, Matthew Wardrop (mpward...@gmail.com) wrote:

> Greetings all,
>
> When I heard news of systemd-homed I was excited, since it was my
> understanding I'd be able to ferry only my external hard drive between home
> and work during my bicycle commute, and be able to forget about user id
> issues/etc. I tried to set it up, but must be missing something.
>
> On one machine I ran:
> $ sudo homectl create mawardrop --storage=luks -G docker -G wheel -G input --image-path=/dev/sdc --shell=/usr/bin/zsh
> (where /dev/sdc was my external hard drive).
>
> Everything works well locally. I can log in, and out, and the luks image
> successfully mounts and unmounts; but when I attempt to log in on a
> different machine also configured with systemd-homed, I come across two
> issues.
>
> 1) In order for `homectl list` to show my new home folder, I need to
> restart the homed service after plugging in the hard drive. That means I
> need to have it plugged in on machine boot, or log in as a different user
> and restart the service, for it to show up in the login manager.

Hmm, this is a bug. This should just work... homed subscribes to udev events to see everything plugged in. Can you file a bug about this?

> 2) Even once visible, it appears as "unfixated". Any operations on the home
> area such as `authenticate` or `activate` result in the error: "Operation
> on home mawardrop failed: Failed to execute operation: Key has been
> revoked".

homed doesn't allow just anyone to log in. It signs user records with a cryptographic key, and only allows users signed by a key known locally to log in.

This needs better documentation, but the essence is that homed uses a private key stored in /var/lib/systemd/home/local.private to sign records with, and accepts all records signed by public keys matching /var/lib/systemd/home/*.public. If you create a local user and /var/lib/systemd/home/local.private does not exist yet, a new key is automatically generated and stored there, and its public key stored in /var/lib/systemd/home/local.public.

This means, if you want users created on machine quux to be able to log into machine waldo, make sure to copy quux's /var/lib/systemd/home/local.public file to waldo, maybe into a file /var/lib/systemd/home/quux.public.

> Am I just too early to the game, in that multi-machine setups are not yet
> supported? Or is there something obvious I am missing?

They are supported, just underdocumented ;-)

Lennart

--
Lennart Poettering, Berlin
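
Added example (not part of the original thread, and not systemd's own tooling): a small shell helper for the key-copy step described in the message above. It installs another machine's local.public under a new name and lets you compare fingerprints on both sides. It assumes the key files are PEM-encoded; the function names and the HOMED_DIR override are hypothetical.

```shell
#!/bin/sh
# Added example: manage the public keys homed trusts for signed user records.
# HOMED_DIR defaults to the directory named in the thread; point it at a
# scratch directory for a dry run.
HOMED_DIR="${HOMED_DIR:-/var/lib/systemd/home}"

# Print "<sha256>  <file name>" for every trusted *.public key, so the list
# can be compared against the fingerprint of the origin machine's key.
list_trusted_keys() {
    for f in "$HOMED_DIR"/*.public; do
        [ -e "$f" ] || continue
        printf '%s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$(basename "$f")"
    done
}

# install_trusted_key SRC NAME: copy SRC to $HOMED_DIR/NAME.public.
# Returns 3 if NAME would clobber this machine's own local.public (or is
# empty or contains a slash), and 2 if SRC is not a PEM public key, for
# example when local.private was picked up by mistake.
install_trusted_key() {
    src=$1
    name=$2
    case $name in local|*/*|'') return 3 ;; esac
    grep -q -- '-----BEGIN PUBLIC KEY-----' "$src" || return 2
    if grep -q 'PRIVATE KEY' "$src"; then return 2; fi
    cp -- "$src" "$HOMED_DIR/$name.public"
}

# is_trusted SRC: succeed if a key with identical content is already
# present among the trusted *.public files.
is_trusted() {
    want=$(sha256sum < "$1" | cut -d' ' -f1)
    list_trusted_keys | grep -q "^$want  "
}
```

On the origin machine, `sha256sum /var/lib/systemd/home/local.public` should print the same digest that `list_trusted_keys` shows for the copied file on the second machine.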
[systemd-devel] Creating a roaming USB home area using homectl
Greetings all,

When I heard news of systemd-homed I was excited, since it was my understanding I'd be able to ferry only my external hard drive between home and work during my bicycle commute, and be able to forget about user id issues/etc. I tried to set it up, but must be missing something.

On one machine I ran:
$ sudo homectl create mawardrop --storage=luks -G docker -G wheel -G input --image-path=/dev/sdc --shell=/usr/bin/zsh
(where /dev/sdc was my external hard drive).

Everything works well locally. I can log in, and out, and the luks image successfully mounts and unmounts; but when I attempt to log in on a different machine also configured with systemd-homed, I come across two issues.

1) In order for `homectl list` to show my new home folder, I need to restart the homed service after plugging in the hard drive. That means I need to have it plugged in on machine boot, or log in as a different user and restart the service, for it to show up in the login manager.

2) Even once visible, it appears as "unfixated". Any operations on the home area such as `authenticate` or `activate` result in the error: "Operation on home mawardrop failed: Failed to execute operation: Key has been revoked".

Am I just too early to the game, in that multi-machine setups are not yet supported? Or is there something obvious I am missing?

Best,
M