Ancestors

Written by Lennart Poettering on 2024-12-16 at 08:49

3️⃣5️⃣ Here's the 35th post highlighting key new features of the current v257 release of systemd. #systemd257

systemd-homed is the user/home area managed service of systemd. It's designed to provide very secure home directory management on Linux OSes. One fundamental idea is that the user's provided unlock credentials (password, FIDO token, PKCS11 token) are actually what the encryption key for the home directory is derived from. This is of course fundamentally different from traditional UNIX, …

=> More information about this toot | More toots from pid_eins@mastodon.social

Written by Lennart Poettering on 2024-12-16 at 08:52

…where user data is at best encrypted with a per-system/admin encryption key, and access control to user accounts is just something that protects the ability to log in, but not the user's data.

In continuation of this security focused theme, user records managed by systemd-homed are cryptographically signed: only accounts properly signed by a system-owned key pair can actually log into a specific system.

That means two things: first of all the user's data is protected by the user's…

=> More information about this toot | More toots from pid_eins@mastodon.social

Written by Nik | Klampfradler 🎸🚲 on 2024-12-16 at 09:07

@pid_eins I still fail to understand how these accounts are portable if they can only be used on the system that signed them.

=> More information about this toot | More toots from nik@toot.teckids.org

Written by Lennart Poettering on 2024-12-16 at 09:10

@nik There are three options:

  1. have the same account validation public key on multiple systems, so that, while only one system can sign them, many can accept such accounts

  2. you can also copy the account validation key pair to multiple systems, they can then accept each other's accounts.

  3. you can sign accounts multiple times with different keys.

a mixture between 1 + 2 is also possible.

(tooling of all this is a bit manual currently, though)

=> More information about this toot | More toots from pid_eins@mastodon.social

Written by Nik | Klampfradler 🎸🚲 on 2024-12-16 at 09:27

@pid_eins I'd like 3. most, but couldn't find out how to sign an existing homedir.

=> More information about this toot | More toots from nik@toot.teckids.org

Toot

Written by Lennart Poettering on 2024-12-16 at 09:35

@nik tooling around doing that is shit, as mentioned. But basically you do "homectl create --identity=" and pass the already signed JSON user record from some system in. Which will then sign it with the local key after admin auth.

=> More information about this toot | More toots from pid_eins@mastodon.social
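The key-distribution side of option 1 from the earlier reply, together with the record export/import step from this one, as an added shell example. It is not code from the thread or from the systemd project. It assumes the layout systemd-homed documents for its verification keys (accepted public keys as /var/lib/systemd/home/*.public, the local signing pair as local.public and local.private) and the documented homectl invocations "inspect --json=" with "--export-format=stripped" and "create --identity=". The HOMED_DIR override and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread or of systemd. Option 1 from the thread:
# install the public half of one system's account-signing key on other systems,
# so those systems accept records it signed while only the original can sign.
# Assumed key layout: $HOMED_DIR/*.public are accepted verification keys, and
# local.public/local.private are the local pair (homed documentation).
set -eu

HOMED_DIR="${HOMED_DIR:-/var/lib/systemd/home}"

# Install a public key file as an additional accepted verification key.
# Refuses anything that is not a PEM public key, refuses files carrying
# private material, and never touches the local key pair.
# Arguments: source PEM file, key name (becomes NAME.public), target dir.
install_verification_key() {
    src="$1"; name="$2"; dir="${3:-$HOMED_DIR}"
    case "$name" in
        local|*/*|*.*|"") echo "refusing key name '$name'" >&2; return 1 ;;
    esac
    if ! grep -q '^-----BEGIN PUBLIC KEY-----' "$src"; then
        echo "$src: not a PEM public key" >&2; return 1
    fi
    if grep -q 'PRIVATE KEY' "$src"; then
        echo "$src: contains private key material, refusing" >&2; return 1
    fi
    mkdir -p "$dir"
    cp "$src" "$dir/$name.public"
    chmod 0644 "$dir/$name.public"
    echo "$dir/$name.public"
}

# Print the names of the keys this system accepts signatures from
# (the local key plus any imported ones), one per line.
list_verification_keys() {
    dir="${1:-$HOMED_DIR}"
    for f in "$dir"/*.public; do
        if [ -e "$f" ]; then basename "$f" .public; fi
    done
}

# On the signing system (as root): export the already signed record.
# "stripped" drops binding/runtime state but keeps the signature section.
export_signed_record() {   # user name, output file
    homectl inspect --export-format=stripped --json=pretty "$1" > "$2"
}

# On the accepting system: import the record. homed checks the embedded
# signature against the accepted keys and, after admin authentication,
# additionally signs it with the local key (the thread's "create --identity=").
import_signed_record() {   # record file
    homectl create --identity="$1"
}
```

The two homectl helpers only make sense on a host running systemd-homed; the key-install and listing helpers run anywhere, which is why the target directory is a parameter rather than hard-wired.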

Descendants

Written by Nik | Klampfradler 🎸🚲 on 2024-12-16 at 09:41

@pid_eins Ah, I always thought that'd create a local copy of the record, so I then have two copies on two systems that will get out of sync if one system makes changes.

Are local records updated from the data in the user home when it becomes available, e.g. as a USB drive?

=> More information about this toot | More toots from nik@toot.teckids.org

Written by Lennart Poettering on 2024-12-16 at 09:42

@nik yes.

=> More information about this toot | More toots from pid_eins@mastodon.social

Proxy Information
Original URL
gemini://mastogem.picasoft.net/thread/113661820793649780