
#1 2024-02-13 10:45:46

DrJ
Member
Registered: 2016-08-28
Posts: 4

[Solved] systemd-homed: user/homedir on different/multiple machines

Dear Community!

I would like to give homed a try. My intention is to set up a user on a USB stick that can be used on multiple computers, i.e. I want to carry my home dir around.

Now I get as far as setting up a user on a usb-stick using luks and can successfully log in with that ... but only on the machine where I have created that user.

Sticking that usb stick into another computer shows that user, but reports it as "unfixated" (homectl list). Trying homectl activate on that results in

Operation on home XXX failed: User record XXX is not signed by any known key, refusing.

Well, no surprise there. I haven't introduced any key ...

Does that mean one needs to install the public key of the system creating the user beforehand on the target machine? Actually I would have expected some mechanism telling the system that the usb-stick is "all right" and accept the user without any further fuss.

I would have expected this type of question to be more frequent, alas, I did not find too many homed related ones in this forum. Is it that there is some ingenious guide out there that I am missing? (I know systemd.io, but could not sort it out with the information given there.)

Cheers

Last edited by DrJ (2024-03-01 22:08:58)


#2 2024-02-13 12:34:16

progandy
Member
Registered: 2012-05-17
Posts: 5,201

Re: [Solved] systemd-homed: user/homedir on different/multiple machines

Yes, you need a shared key to verify the image. As I do not use homed, I have no idea how exactly it works, though.

https://systemd.io/HOME_DIRECTORY/

Rationale for including the encrypted user record in the LUKS2 header: Linux kernel file system implementations are generally not robust towards maliciously formatted file systems; there’s a good chance that file system images can be used as attack vectors, exploiting the kernel. Thus it is necessary to validate the home directory image before mounting it and establishing a minimal level of trust. Since the user record data is cryptographically signed and user records not signed with a recognized private key are not accepted, a minimal level of trust between the system and the home directory image is established.

Edit: https://www.freedesktop.org/software/sy … rvice.html

Additional public keys. Any users whose user records are signed with any of these keys are permitted to log in locally. An arbitrary number of keys may be installed this way.

Last edited by progandy (2024-02-13 12:36:05)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#3 2024-02-13 12:38:37

swsnr
Member
Registered: 2024-01-21
Posts: 17

Re: [Solved] systemd-homed: user/homedir on different/multiple machines

Homed has good documentation in its manpages. See https://man.archlinux.org/man/systemd-h … MANAGEMENT for key management specifically, which is the mechanism to "bless" home areas for login.

Essentially you need to distribute the public key to all systems where the USB stick should be permitted for login.

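The key distribution described in the replies above, as an added example that is not part of the original thread: a shell function for the target machine that installs a copy of the source machine's `/var/lib/systemd/home/local.public` as an additional `*.public` key, the location named in the KEY MANAGEMENT section of systemd-homed.service(8). The key label `laptop`, the source file path and the restart step are assumptions. Installing a key means trusting every user record signed by that machine, and the private half never leaves the source.

```shell
#!/bin/sh
# Added example, not from the thread. Installs another machine's homed signing
# public key so user records signed there are accepted on this host.

# install_homed_pubkey SRC NAME [DEST_DIR]
#   SRC      copy of the source machine's /var/lib/systemd/home/local.public
#   NAME     label for the key on this host (hypothetical, e.g. "laptop")
#   DEST_DIR defaults to /var/lib/systemd/home; overridable for a dry run
install_homed_pubkey() {
    local src="$1" name="$2" dest_dir="${3:-/var/lib/systemd/home}"

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # local.public / local.private are this host's own key pair: never replace them.
    case $name in
        local|''|*/*|.*) echo "refusing key name '$name'" >&2; return 1 ;;
    esac

    # Only the public half is ever distributed.
    if grep -q 'PRIVATE KEY' "$src"; then
        echo "$src contains a private key, refusing" >&2
        return 1
    fi
    # Sanity check: homed stores its keys PEM-encoded.
    head -n 1 "$src" | grep -qx -e '-----BEGIN PUBLIC KEY-----' || {
        echo "$src is not a PEM public key" >&2; return 1; }

    local dest="$dest_dir/$name.public"
    if [ -e "$dest" ]; then
        echo "$dest already exists, not overwriting" >&2
        return 1
    fi

    # A public key may be world-readable; it is root-owned when run as root.
    install -m 0644 "$src" "$dest" && echo "$dest"
}

# On the target machine, as root (file name is a placeholder):
#   install_homed_pubkey /root/laptop-local.public laptop
#   systemctl restart systemd-homed   # assumption: keys are read at service start
#   homectl list                      # then: homectl activate USER
```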

#4 2024-02-13 22:28:16

DrJ
Member
Registered: 2016-08-28
Posts: 4

Re: [Solved] systemd-homed: user/homedir on different/multiple machines

Thank you very much ... will distribute the source machine's key ... and will report.

Last edited by DrJ (2024-02-13 22:29:22)


#5 2024-02-22 09:38:41

DrJ
Member
Registered: 2016-08-28
Posts: 4

Re: [Solved] systemd-homed: user/homedir on different/multiple machines

Dear Community!

I am a step further but still cannot log in successfully. So I have transferred the public key of the primary machine to the second one. Now it is possible to activate the user via homectl activate XXX.

But as mentioned above I cannot log in ... this results in a pretty bizarre error message:

sudo login XXX
Password: 
date: invalid date '2023-11-31'

Cannot make/remove an entry for the specified session

The log shows the following

Feb 22 01:45:40 XXX login[4808]: pam_systemd_home(login:auth): Home for user XXX successfully acquired.
Feb 22 01:45:40 XXX login[4808]: pam_loginuid(login:session): error: login user-name 'XXX' does not exist.

I was under the impression that this step, i.e. making the user known to the system, was taken care of by systemd-homed. Any further suggestions?

Cheers

Last edited by DrJ (2024-02-22 09:43:10)


#6 2024-03-01 21:48:13

DrJ
Member
Registered: 2016-08-28
Posts: 4

Re: [Solved] systemd-homed: user/homedir on different/multiple machines

Got further, so a quick follow up.

Mounting the user dir on a different computer works fine, if that computer runs on Arch. The problems with the system I experienced were obviously due to a misconfiguration of that system (Debian 12, bookworm).
As the Debian community seems to be sort of ... err .. hostile to people they do not know, I could not get hold of the pieces of information necessary to track the error down (I got instantly branded as a spammer and locked out from the bbs). There are indications that they never got systemd-homed in place in a decent fashion.

What I did - and what I would recommend to others encountering the same problems - just do not waste your time on the Debian system and turn to something decently supported.

As mentioned above Arch works like a charm. Even the efforts that are needed to get Arch running on rpi are negligible compared to the debug jihad on Debian without anyone willing to lend a helping hand.

So I guess a big "thank you" is in place to the Arch developers for all the efforts spent getting the more recent features of systemd in place.

Cheers
