systemd-homed introduced to manage portable home directories

At the All Systems Go 2019 conference, Lennart Poettering presented (PDF) systemd-homed, a new component of the systemd system manager aimed at making user home directories portable and separating them from system configuration. The core idea of the project is a self-contained container for user data that can be moved between systems without having to synchronize identifiers or worry about the confidentiality of the data.

The home directory is a mountable image file whose contents are encrypted. The user's identity and credentials are tied to the home directory rather than to the system: instead of /etc/passwd and /etc/shadow, a user record in JSON format, stored as ~/.identity inside the home directory, describes the user. The record contains the parameters needed for the user to work, including the user name, password hash, encryption keys, quotas, and allocated resources. The record can be authenticated with a digital signature, and the key material can be held on an external YubiKey token.

The record can also carry additional information such as SSH keys, biometric authentication data, an avatar image, email address, postal address, time zone, language, process and memory limits, extra mount flags (nodev, noexec, nosuid), the user's IMAP/SMTP servers, parental-control settings, backup settings, and so on. A Varlink API is provided for querying and parsing these records.

UIDs and GIDs are assigned and mapped dynamically on each local system the home directory is mounted on. With this scheme a user can carry their home directory around, for instance on a USB flash drive, and get a working environment on any computer without an account being explicitly created there: the presence of a home directory image file is enough for the user to be synthesized.

LUKS2 is the proposed backend for data encryption, but systemd-homed also supports other storage backends: plain unencrypted directories, Btrfs subvolumes, fscrypt-encrypted directories, and CIFS network shares. Portable home directories are managed with the homectl utility, which can create and activate home directory images, resize them, and set passwords.

At the system level, the following components are involved:

  • systemd-homed.service - manages home directories and embeds the JSON user record directly into the home directory image;
  • pam_systemd - reads parameters from the JSON record at login and applies them in the context of the activated session (authenticates the user, sets environment variables, and so on);
  • systemd-logind.service - reads parameters from the JSON record at login, applies the various resource management settings and sets limits;
  • nss-systemd - an NSS module for glibc that synthesizes classic NSS entries from the JSON record, providing backward compatibility with the UNIX user-handling API (/etc/passwd);
  • PID 1 - dynamically creates users (synthesized much like users created with the DynamicUser= directive in unit files) and makes them visible to the rest of the system;
  • systemd-userdbd.service - translates classic UNIX/glibc NSS accounts into JSON records and provides a unified Varlink API for querying and enumerating records.

Advantages of the proposed design include the ability to manage users even when /etc is mounted read-only, no need to synchronize UIDs/GIDs between systems, independence of the user from any particular computer, locking of the encrypted home directory when the system goes to sleep, and the use of encryption and modern authentication methods. systemd-homed is planned for inclusion in mainline systemd in release 244 or 245.

Example user record JSON (long values are elided with …):

{
  "autologin" : true,
  "binding" : {
    "15e19cd24e004b949ddaac60c74aa165" : {
      "fileSystemType" : "ext4",
      "fileSystemUUID" : "758e88c8-5851-4a2a-b98f-e7474279c111",
      "gid" : 60232,
      "homeDirectory" : "/home/test",
      "imagePath" : "/home/test.home",
      "luksCipher" : "aes",
      "luksCipherMode" : "xts-plain64",
      "luksUUID" : "e63581ba-79fa-4226-b9de-1888393f7573",
      "luksVolumeKeySize" : 32,
      "partitionUUID" : "41f9ce04-c927-4b74-a981-c669f93eb4dc",
      "storage" : "luks",
      "uid" : 60233
    }
  },
  "disposition" : "regular",
  "enforcePasswordPolicy" : false,
  "lastChangeUSec" : 1565951024279735,
  "memberOf" : [
    "wheel"
  ],
  "privileged" : {
    "hashedPassword" : [
      "$6$WHBKvAFFT9jKPA4k$OPY4D5…/"
    ]
  },
  "signature" : [
    {
      "data" : "LU/HeVrPZSzi3M3J…==",
      "key" : "-----BEGIN PUBLIC KEY-----\nMCowBQADK2VwAy…=\n-----END PUBLIC KEY-----\n"
    }
  ],
  "userName" : "test",
  "status" : {
    "15e19cf24e004b949dfaac60c74aa165" : {
      "goodAuthenticationCounter" : 16,
      "lastGoodAuthenticationUSec" : 1566309343044322,
      "rateLimitBeginUSec" : 1566309342341723,
      "rateLimitCount" : 1,
      "state" : "inactive",
      "service" : "io.systemd.home",
      "diskSize" : 161218667776,
      "diskCeiling" : 191371729408,
      "diskFloor" : 5242780,
      "signedLocally" : true
    }
  }
}
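As an added illustration (this is not code from systemd or from the presentation), the following Python script does with a record like the one above what nss-systemd and the lookup service are described as doing: it picks the binding for the local machine ID, synthesizes a passwd(5) line from that binding rather than from any top-level field, strips the privileged section before the record is handed to an unprivileged caller, and evaluates the per-machine rate-limit counters in the status section. The embedded record is constructed from the page's example with placeholder hash, signature and key; the local machine ID, the realName/shell field names, the rate-limit policy and the validation rules are assumptions of this example, not systemd's behaviour.

```python
import json
import re

# Constructed record, trimmed from the example shown on this page.  "binding"
# and "status" are keyed by the machine ID of the host the home directory was
# bound on; UID and GID live in the binding, not at the top level.  The hash,
# signature data and key are placeholders, not real values.
RECORD_JSON = r'''{
  "userName": "test",
  "disposition": "regular",
  "autologin": true,
  "memberOf": ["wheel"],
  "binding": {
    "15e19cd24e004b949ddaac60c74aa165": {
      "storage": "luks",
      "imagePath": "/home/test.home",
      "homeDirectory": "/home/test",
      "fileSystemType": "ext4",
      "uid": 60233,
      "gid": 60232
    }
  },
  "privileged": {"hashedPassword": ["$6$placeholder$placeholder"]},
  "signature": [{"data": "placeholder", "key": "placeholder"}],
  "status": {
    "15e19cd24e004b949ddaac60c74aa165": {
      "state": "inactive",
      "rateLimitBeginUSec": 1566309342341723,
      "rateLimitCount": 1
    }
  }
}'''
RECORD = json.loads(RECORD_JSON)
THIS_MACHINE = "15e19cd24e004b949ddaac60c74aa165"  # assumed local /etc/machine-id

# Sections that must never reach unprivileged callers: "privileged" holds the
# password hashes seen on this page; "secret" is assumed to hold plaintext
# credentials supplied at login.
PRIVILEGED_SECTIONS = ("privileged", "secret")
USER_NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,30}")

# Assumed rate-limit policy for this example: at most RATE_LIMIT_BURST attempts
# per RATE_LIMIT_INTERVAL_USEC, tracked by the counters in the status section.
RATE_LIMIT_INTERVAL_USEC = 60 * 1_000_000
RATE_LIMIT_BURST = 30


def select_binding(record: dict, machine_id: str) -> dict:
    """Return the binding for this machine, failing loudly if there is none.

    A record that was never bound here has no UID/GID to map to, so it must
    not be turned into a login on the strength of its top-level fields."""
    try:
        return record["binding"][machine_id]
    except KeyError:
        raise LookupError(
            f"user {record.get('userName')!r} has no binding for machine {machine_id}"
        ) from None


def passwd_entry(record: dict, machine_id: str, default_shell: str = "/bin/bash") -> str:
    """Synthesize the classic passwd(5) line an NSS module would expose.

    The password field is always 'x': hashes stay in the privileged section
    and never enter the world-readable passwd view."""
    binding = select_binding(record, machine_id)
    name = record["userName"]
    if not USER_NAME_RE.fullmatch(name):
        raise ValueError(f"refusing unsafe user name {name!r}")
    uid, gid = binding["uid"], binding["gid"]
    for label, value in (("uid", uid), ("gid", gid)):
        # Reject non-integers (bool is an int subclass), root, and the
        # 0xFFFFFFFF "invalid" sentinel.
        if isinstance(value, bool) or not isinstance(value, int) or not 0 < value < 0xFFFFFFFF:
            raise ValueError(f"invalid {label}: {value!r}")
    home = binding["homeDirectory"]
    if not home.startswith("/") or ":" in home:
        raise ValueError(f"invalid home directory {home!r}")
    gecos = record.get("realName", "")        # assumed field name; absent here
    shell = record.get("shell", default_shell)  # assumed field name; absent here
    return f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}"


def public_view(record: dict) -> dict:
    """Copy of the record with privileged sections removed, suitable for an
    unprivileged client of the lookup API."""
    return {k: v for k, v in record.items() if k not in PRIVILEGED_SECTIONS}


def auth_allowed(record: dict, machine_id: str, now_usec: int) -> bool:
    """Check the per-machine rate-limit counters: a new interval always
    passes, otherwise the attempt count must still be below the burst."""
    status = record.get("status", {}).get(machine_id, {})
    begin = status.get("rateLimitBeginUSec", 0)
    count = status.get("rateLimitCount", 0)
    if now_usec - begin >= RATE_LIMIT_INTERVAL_USEC:
        return True
    return count < RATE_LIMIT_BURST


if __name__ == "__main__":
    print(passwd_entry(RECORD, THIS_MACHINE))
    print(sorted(public_view(RECORD)))
```

Note that the UID in the synthesized line comes from the binding for this machine only; a second host would have its own binding with whatever UID it allocated, which is exactly why nothing outside the home directory image needs to agree on identifiers.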

Source: opennet.ru
