On Mon, 2019-12-02 at 18:16 +0000, Zbigniew Jędrzejewski-Szmek wrote:
On Mon, Dec 02, 2019 at 10:44:46AM -0700, John M. Harris Jr wrote:
> On Monday, December 2, 2019 9:48:05 AM MST Przemek Klosowski via devel wrote:
> > On 11/27/19 2:59 AM, Zbigniew Jędrzejewski-Szmek wrote:
> > > On Tue, Nov 26, 2019 at 09:39:59AM -0700, Chris Murphy wrote:
> > > > Mayyyybee systemd-homed is in
> > > > a position to solve this by having early enough authentication
> > > > capability by rescue.target time that any admin user can login?
> > >
> > > Actually, it may. Things are confusing here, because systemd-homed is
> > > implemented together with changes to how user metadata querying is done:
> > > instead of using dbus, a brokerless and much simpler varlink query is
> > > used.
> > > That last part is what would be relevant to early-boot logins, because
> > > less services need to be up to bring up the user session.
> >
> > There's one tricky feature of homed : remote login (ssh) is only
> > possible after an initial local login. It is OK for his intended use (a
> > personal laptop/tablet client), except for corner cases like a remotely
> > accessed personal desktop in the basement that might get rebooted e.g.
> > for updates, resulting in an accidental lockout.
>
> Basically, systemd-homed is useless for any power user, but might be useful
> for people just getting into GNU/Linux, who don't use ssh yet or don't have
> more than one system.
How often do you ssh *into* your laptop?
Actually all the time - my (personal home)
laptop is where my hobby projects
live, where various SSH private keys are, etc. So I SSH there to connect to another
machine using the SSH keys, to work an my hobby projects from a workstation computer
at home, etc.
And this is just "human" SSH sessions, various automated rsync/scp connections
might
happen as well.
I occasionally do, but more
because I can than because I really need to. systemd-homed is most
suited for the case of a portable personal device, and this is exactly
the type of device one is relatively unlikely to access from the
network. So I don't think this limitation is so terrible.
Nevertheless, I'm pretty sure that a workaround for this will be made
anyway. I think the latest version of the patchset allows exporting
the authorized_keys content in the non-encrypted metadata for the user.
Zbyszek
_______________________________________________
devel mailing list -- devel(a)lists.fedoraproject.org
To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org