« Previous 1 2 3 4 Next »
Portable home directory with state-of-the-art security
Home, Sweet Home
PKCS and Tokens
Users created as shown by the examples in this article still do not have passwords, and no alternative login methods are specified, so they can't log in at all. Fortunately, systemd offers far more options than mere passwords. The team led by Poettering has much to offer, and the biggest hurdle might be to combine the respective authentication device with the appropriate option when creating the user in Homed. For once, however, this is not down to systemd itself but to the multitude of standards and their options that already exist on the market for this task.
The two best known representatives of crypto keys are probably PKCS#11 and FIDO2. PKCS#11 is a slightly different standard; older YubiKeys (Figure 2) use it, but it will primarily be familiar from classic smartcards (Figure 3). If a smartcard or an older YubiKey is to be used to unlock the account, the biggest challenge is to identify the path (i.e., the URI) to the device on the system. Homectl at least offers a way out. The command
homectl --pkcs11-token-uri=list
displays a list of all available devices. In order for the command to find the device, it must be mounted at the time of the call.
If you use an authenticator according to the FIDO2 standard instead (Figure 4), you need the --fido2-device=
parameter, which also supports the list
keyword, which brings to light a list of available devices along with their URIs on the system. Additionally, the auto
keyword works if only one device fits the bill. The entire call is then:
$ homectl create martin --real-name="Martin Loschwitz" --uid=2000 --image-path=/dev/disk/by-id/usb-SanDisk_Ultra_4C530000060908106243-0:0 --fido2-device=auto
The user created in this way has a personal directory on a USB stick and logs on to the system with an authentication device.
PKCS#11 Special Case
If you opt for PKCS as your login method, you definitely need to remember that the YubiKey has to be set up before the Homed configuration. The ykman
commands
ykman piv reset ykman piv generate-key -m RSA4096:*9d pubkey.pm ykman piv generate-certificate --subject "Homed" 9d pubkey.pem
delete old keys from the device, create a new key, generate the certificate required for the key, and load it onto the YubiKey. Then,
rm pubkey.pem
removes the key file from the filesystem. After that, the login can be configured as described earlier.
Playing It Safe
The homectl
command also supports the --recovery-key
parameter. If you have ever dealt extensively with cryptography, you will be aware that if you lose the device for generating tokens or the original key, you can't access the data, no matter what you try. Good practice dictates generating an emergency key with the device and keeping it in a safe place. It is essential to protect the key against access by unauthorized persons because anyone who has the key can decrypt the encrypted volume; therefore, you should keep the key as a hard copy on paper in a safe place (e.g., a safe).
By appending the parameter --recovery-key=yes
to the command for creating the user, you can make sure that Homed automatically creates a suitable key. The key is then displayed onscreen and can be copied from there.
« Previous 1 2 3 4 Next »
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.