Portable home directory with state-of-the-art security

Home, Sweet Home

Getting Started with Homed

The various desktop distributions are sufficiently up-to-date as to include Homed. The situation might not be as easy for more exotic systems such as Raspberry Pi OS. Often older systems such as Debian GNU/Linux "Buster" serve as a foundation, and the Homed version included is outdated and less than satisfactory. Of course, Debian GNU/Linux 11, alias "Bullseye," has been released in the meantime, so there is hope of updates for these systems in the near future.

A sufficiently recent systemd automatically includes Homed; the homectl utility [1], which creates users, and the userdbctl query tool should be in place on the system. Clearly, systemd does not find the username automatically on the basis of plugged-in devices. Theoretically, it would be quite conceivable for Homed to create a suitable user account as soon as a device is plugged in, which would mean total flexibility for the home directory because it would then even be available on public terminals that support Homed. However, the developers have deliberately not taken this approach. Instead, Homed waits for the user to create the account,

homectl create <user>

for which you need the rights of the root system administrator. Homed, therefore, is primarily designed for use cases in which the user is only sharing their personal directory between several systems over which they have full control.

Handling User IDs

Homed implements the process of creating and deleting user accounts, bypassing the existing system mechanisms (e.g., /etc/passwd and /etc/group). Instead, it taps into the dynamic authentication mechanisms with a separate pluggable authentication module (PAM), complementing the existing login system in the process. For the administrator, this means if they want to use Homed on several systems to manage a central home directory, they can influence the user IDs with homectl parameters. In this way, you can ensure that the IDs of the users in question match on all participating systems, which is expressly recommended; otherwise, Homed will use a crude hack to keep things tidy. After logging in, Homed simply runs chown over the entire home directory and changes its contents to the user ID and group ID that the user has on the system.

Assuming the user ID needs to be 2000 on all systems, the following command creates the user and adds some background information:

$ homectl create martin --real-name="Martin Loschwitz" --uid=2000

In this case, a user named martin is a member of a group with the same name. Unlike before, however, the UID is not randomly selected by Homed but defined manually. Still unsolved is the problem with the user's home directory. Homed has created this directory and encrypted it with Linux Unified Key Setup (LUKS), but this by no means makes it mobile.

Unless the user specifies otherwise, Homed uses LUKS to create an encrypted home directory and a loop device in /home/<user>.homedir/ and mounts it in /home/<user>/ after successfully logging in to the system – and only then. This process is basically programmatic with Homed: A user's personal directory is only accessible while the user is logged in. As soon as the user's last login session expires, systemd automatically unmounts the directory containing the user's personal data. A new login is mandatory to put it back into operation.

Truly Mobile Home Directories

Anyone who has ever dealt with encrypted volumes on Linux knows that working with LUKS and the like is not necessarily a pleasant experience. Homed takes a large part of the work off your hands by configuring LUKS in the background in line with your specifications – but without forcing them into direct contact with the LUKS tools themselves. Again, it is just a question of the right parameters for homectl to avoid loading the user directory created by Homed locally and putting it on a USB stick instead.

From the homectl command used before, the following command uses a USB stick to store the home directory:

$ homectl create martin --real-name="Martin Loschwitz" --uid=2000 --image-path=/dev/disk/by-id/usb-SanDisk_Ultra_4C530000060908106243-0:0

You need to modify the part after --image-path if the USB stick is referenced by its unique device ID, as in the example. Homed again takes care of all the administrative work by first deleting all the existing files on the USB stick. Then it creates a partition table and proceeds to create a LUKS-encrypted device. The USB stick is now genuinely portable. If the owner of the directory logs out of the system so that there is no longer a current session, Homed automatically logs off the LUKS device. The user then simply unplugs the USB stick on which it resides and takes it to another device to log in with an account managed by Homed, which recognizes the home directory from the USB stick and automatically enables it on the new system.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus