The D in Systemd is for Directories: Poettering says his creation will phone /home in future

The startup folders managed by Systemd are secure, portable, extensible … although with a broken SSH login

  Linux startup folders: ready for a review?

Linux startup folders: ready for a review?

Todo Systems Go Systemd inventor Lennart Poettering told the crowd at the All Systems Go Linux user space event in Berlin that he intends to reinvent home directories to solve problems with the model current that otherwise would be insoluble.

Specifically, he wants Systemd or, rather, systemd-homed, to manage and organize home directories.

On Linux systems, each user generally has a directory in / home for documents and personal data. Users are identified by a user name and user identification number (UID) which, by default, is in a text database called /etc/passwd.[19659005font>HablandoeneleventoenAlemaniaaprincipiosdeestemesPoetteringidentificóvariosproblemasconesteenfoquedelargadataFilosóficamentedijocombinaestadoyconfiguraciónporqueensuopiniónelregistrodeusuarioesestadoenlugardeconfiguraciónyporlotantonopertenecea/etc[19659005font>Labasededatos/etc/passwdisnotextensibleandhasalargenumberoflinesthathaveevolvedinnumerousdatabasesofsecondarydatathatarestoredinotherplacessuchas/etc/aprivilegedlocationusedforencryptedpasswordsandotherfieldsthatarelockedinthememorywhenasecuritysystemisalsointerruptedwhenapasswordisalsocompromisedwhenapasswordisalsointerruptedofmodorthatifalaptopisstolenwhileitissuspendeditwouldbepossibletoaccessthedataApasswordprotectedlockscreenisinsufficientforstrongsecurity

The idea of ​​Poettering is to have autonomous startup folders, where the system automatically assigns a UID if it detects that the folder exists. All information about the user is in that directory, including the password hash, stored as extensible JSON user records.

Does that mean you can log in to any Linux system armed with a boot folder on a USB stick? No, said Poettering, answering a question after his talk. A privileged process on that machine would have to sign the security-sensitive part of a user's data before being recognized. This would prevent users from being added to groups, for example, by editing their own data.

LUK & # 39; d

The inventor of Systemd is a fan of LUKS encryption, which can be used to encrypt a complete file, partition or hard drive. It also intends to unify the user's password and encryption key. , under the presumption that most users encrypt their portable disks. This means that when the system is suspended, the decryption key can be deleted from memory. When you resume, the same password will log in and decrypt the startup folder. This means that the decryption key can be deleted from memory when suspended, as it is re-entered upon resume.

All this will be enabled by a new demon called systemd-homed, to be a component of Systemd. The new component will also support other forms of authentication, such as Yubikeys and other security devices that support FIDO2 and U2F (Universal Second Factor) authentication.

There are some complications, one of which is remote access through SSH.

"If you authenticate through SSH, it is done through authorized keys in the home directory. Then, if you want to authenticate something that is inside the home directory, so you can access the home directory, from where the decryption key comes, to access "What is a chicken and egg problem?" said Poettering.

  An anchovy pasta place

You love Systemd, but you still don't know it, winks the bodies from Red Hat

READ MORE

Your solution is that the user must have already logged in for SSH to work.A person in the session asked what a college student should do, for example, who wanted to log in to a machine Linux that rebooted overnight from 200 miles away. The answer: "If you really want this system to emerge on its own, don't use these things. It is about security. "

However, it may not be a problem in practice, since the focus of this solution is for end users with laptops instead of servers, and remote login on a computer laptop is not common.

Poettering expects that by having your home folder in a container encrypted with LUKS, that file is all you need, either for backup or to switch to another laptop. "User registration and The home directory become a single file. You can take that file from one laptop to another. It simply appears and is there. "

It is a radical change and there will be compatibility problems. As well as the opposition to changing a part of the system that has worked well enough for years, but for Poettering it is worth it if only for security. "I want my laptop to be finally safe so I can suspend it. I want these problems to be resolved, finally, because we could never solve them, "he said.

You can see the presentation here. ®

Sponsored:
How to process, discuss, analyze and visualize your data with three complementary tools

For More Updates Check out Blog, Windows Softwares Drivers, Antivirus, Ms Office, Graphic Design Don’t Forget to Look Our Facebook Page Get Into Pc like us & follow on Twitter- @getinpc

Please Note: This content is provided and hosted by a 3rd party server. Sometimes these servers may include advertisements. igetintopc.com does not host or upload this material and is not responsible for the content.