The D in Systemd is for Directories: Poettering says his creation will phone /home in future
Systemd-managed home folders are secure, portable, extensible... albeit with broken SSH login
All Systems Go Systemd inventor Lennart Poettering told the crowds at the All Systems Go Linux user-space event in Berlin he intends to reinvent home directories to fix issues with the current model that are otherwise insoluble.
Specifically, he wants Systemd, or rather systemd-homed, to manage and organize home directories.
In Linux systems, each user typically has a directory under /home for personal documents and data. Users are identified by a username and user ID (UID) number which by default is in a text database called /etc/passwd.
Speaking at the event in Germany earlier this month, Poettering identified several problems with this long-standing approach. Philosophically, he said, it mixes state and configuration, because in his view the user record is state rather than configuration, and therefore does not belong in /etc.
The /etc/passwd database is not extensible, and therefore Linux has evolved numerous secondary databases that are stored elsewhere, such as /etc/shadow, a privileged location used for encrypted password hashes and other password-related fields, such as the maximum time before a password expires.
He is also much concerned with a security issue, which is that even when full-disk encryption is in use, when the system is suspended the decryption key is held in memory, so that if a laptop is stolen while suspended it would be possible to access the data. A password-protected lock screen is insufficient for strong security.
Poettering's idea is to have self-contained home folders, where the system assigns an UID automatically if it detects that the folder exists. All the information about the user is in that directory, password hash included, stored as extensible JSON user records.
Does that mean that you can log into any Linux system armed with a home folder on a USB stick? No, said Poettering, answering a question after his talk. A privileged process on that machine would have to sign the security-sensitive part of a user's data before it would be recognised. This would prevent users adding themselves to groups, for example, by editing their own data.
The Systemd inventor is a fan of LUKS encryption, which can be used to encrypt a file, partition, or entire hard drive. He also intends to unify the user password and the encryption key, on the presumption that most users encrypt their laptop disks. This means that when the system is suspended, the decryption key can be removed from memory. On resume, the same password will both log-in and decrypt the home folder. This means that the decryption key can be removed from memory on suspend, since it is re-input on resume.
All of this will be enabled by a new daemon called systemd-homed, to be a component of Systemd. The new component will also support other forms of authentication such as Yubikeys and other security devices that support FIDO2 and U2F (Universal Second Factor) authentication.
There are some complications, one of which is remote access via SSH.
"If you authenticate via SSH it goes via authorized keys in the home directory. So if you want to authenticate something that is inside of the home directory, so that it can access the home directory, where does the decryption key come from, to access the home directory? It is a chicken-and-egg problem," said Poettering.
You love Systemd – you just don't know it yet, wink Red Hat bodsREAD MORE
His solution is that the user must already be logged in, for SSH to work. A person at the session asked what should be done by a university student, for example, who wanted to log in to a Linux machine that was rebooted overnight from 200 miles away. The answer: "If you really want that this system can come up on its own, don't use this stuff. This is about security."
However, it may not be such a problem in practice, since the focus of this solution is end users with laptops rather than servers, and remote login to a laptop is not common.
Poettering envisages that by having your home folder in a LUKS-encrypted container, then that file is all you need either for backup or to switch to another laptop. "The user record and the home directory all become one file. You can just take that file from one laptop to another laptop. It just pops up and it's there."
It is a radical change, and there will be compatibility issues, as well as opposition to changing a part of the system that has worked well enough for years, but for Poettering it is worth it if only for security. "I want my own laptop finally secure so I can suspend. I want these problems to be solved, finally, because we never could solve them," he said.
You can view the presentation right here. ®