Portable home directory with state-of-the-art security

Home, Sweet Home

PKCS and Tokens

Users created as shown by the examples in this article still do not have passwords, and no alternative login methods are specified, so they can't log in at all. Fortunately, systemd offers far more options than mere passwords. The team led by Poettering has much to offer, and the biggest hurdle might be to combine the respective authentication device with the appropriate option when creating the user in Homed. For once, however, this is not down to systemd itself but to the multitude of standards and their options that already exist on the market for this task.

The two best known representatives of crypto keys are probably PKCS#11 and FIDO2. PKCS#11 is a slightly different standard: older YubiKeys (Figure 2) use it, but it will be more familiar from classic smartcards (Figure 3). If a smartcard or an older YubiKey is to be used to unlock the account, the biggest challenge is to identify the path (i.e., the URI) to the device on the system. Homectl at least offers a way out. The command

homectl --pkcs11-token-uri=list

displays a list of all available devices. For the command to find the device, the token must be plugged in at the time of the call.

Figure 2: Older YubiKeys use older versions of authentication tokens. © YubiKey
Figure 3: PKCS#11-based authentication usually relies on physical smartcards. © Cardomatic

If you use an authenticator according to the FIDO2 standard instead (Figure 4), you need the --fido2-device= parameter. It also supports the list keyword, which brings to light a list of the available devices on the system along with their URIs. Additionally, the auto keyword works if only one device fits the bill. The entire call is then:

$ homectl create martin --real-name="Martin Loschwitz" --uid=2000 --image-path=/dev/disk/by-id/usb-SanDisk_Ultra_4C530000060908106243-0:0 --fido2-device=auto

Figure 4: More modern FIDO2 tokens can also be connected to Homed. If you specify the right parameter when creating the user, the FIDO2 key then unlocks the account, including the home directory. © Feitian

The user created in this way has a personal directory on a USB stick and logs on to the system with an authentication device.

PKCS#11 Special Case

If you opt for PKCS#11 as your login method, you definitely need to remember that the YubiKey has to be set up before the Homed configuration. The ykman commands

ykman piv reset
ykman piv generate-key -a RSA4096 9d pubkey.pem
ykman piv generate-certificate --subject "Homed" 9d pubkey.pem

delete old keys from the device, create a new key, generate the certificate required for the key, and load it onto the YubiKey. Then,

rm pubkey.pem

removes the key file from the filesystem. After that, the login can be configured as described earlier.

Playing It Safe

The homectl command also supports the --recovery-key parameter. If you have ever dealt extensively with cryptography, you will be aware that if you lose the device for generating tokens or the original key, you can't access the data, no matter what you try. Good practice dictates generating an emergency key with the device and keeping it in a safe place. It is essential to protect the key against access by unauthorized persons because anyone who has the key can decrypt the encrypted volume; therefore, you should keep the key as a hard copy on paper in a safe place (e.g., a safe).

By appending the parameter --recovery-key=yes to the command for creating the user, you can make sure that Homed automatically creates a suitable key. The key is then displayed onscreen and can be copied from there.
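As an added example (not code from the article or from the systemd project), the following POSIX shell wrapper assembles the homectl create call from the pieces discussed above, always requests a recovery key, and rejects the inputs that cause the most trouble in practice: an unstable /dev/sdX image path, the list query used as a device, or a malformed token reference. The function names are my own.

```shell
#!/bin/sh
# Added example: build a homectl create argument list for a home directory that
# lives on a USB stick and is unlocked by a FIDO2 or PKCS#11 token.
# Usage: build_homectl_create USER REALNAME UID IMAGE_PATH AUTH_KIND AUTH_VALUE
#   AUTH_KIND  is "fido2" or "pkcs11"
#   AUTH_VALUE is "auto" or a /dev path (fido2), or a pkcs11: URI (pkcs11)
# Prints one argument per line on success; returns 1 on a rejected input.
build_homectl_create() {
    user=$1; realname=$2; uid=$3; image=$4; kind=$5; value=$6
    # Stable by-id path only: /dev/sdX names change between boots and would
    # point homed at the wrong stick.
    case $image in
        /dev/disk/by-id/*) ;;
        *) echo "image path must be under /dev/disk/by-id/: $image" >&2; return 1 ;;
    esac
    case $uid in
        ''|*[!0-9]*) echo "uid must be numeric: $uid" >&2; return 1 ;;
    esac
    # "list" only enumerates devices; it is not something a user can log in with.
    if [ "$value" = list ] || [ -z "$value" ]; then
        echo "auth value must name a device or be 'auto', not '$value'" >&2; return 1
    fi
    case $kind in
        fido2)
            case $value in
                auto|/dev/*) auth="--fido2-device=$value" ;;
                *) echo "fido2 value must be 'auto' or a /dev path" >&2; return 1 ;;
            esac ;;
        pkcs11)
            # PKCS#11 token URIs (RFC 7512) always carry the pkcs11: scheme.
            case $value in
                pkcs11:*) auth="--pkcs11-token-uri=$value" ;;
                *) echo "pkcs11 value must be a pkcs11: URI" >&2; return 1 ;;
            esac ;;
        *) echo "auth kind must be fido2 or pkcs11: $kind" >&2; return 1 ;;
    esac
    # A lost token must not mean lost data: always have homed mint a recovery key.
    printf '%s\n' create "$user" "--real-name=$realname" "--uid=$uid" \
        "--image-path=$image" "$auth" "--recovery-key=yes"
}

# Dry run by default; set HOMED_APPLY=1 to execute the assembled call as root.
run_homectl_create() {
    args=$(build_homectl_create "$@") || return 1
    if [ "${HOMED_APPLY:-0}" = 1 ]; then
        old_ifs=$IFS; IFS='
'; set -f; set -- $args; set +f; IFS=$old_ifs
        homectl "$@"
    else
        printf 'dry run: homectl\n%s\n' "$args"
    fi
}
```

The recovery key homed prints after a real run is the only way back in once the token is gone, so copy it to paper before closing the terminal.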
