Systemd-homed(8) is a systemd service providing portable human-user accounts that are not dependent on the current system configuration. It achieves portability by moving all user-related information into a storage medium, optionally encrypted, and creating an ~/.identity file that contains signed information about the user: password, group membership, UID/GID and other information that would typically be scattered over multiple files in /. This approach not only makes home directories portable, but also provides security by automatically managing home directory encryption on login and locking the home directory if the system is suspended.

Systemd-homed is part of and packaged with systemd. The pambase package since version 20200721.1-2 comes with the necessary PAM configuration to allow systemd-homed user sessions. However, you must enable and start the systemd-homed(8) service.

homectl is the main utility you will use for homed. With it, you can create, update, and inspect users, their home directories and their ~/.identity files, all controlled by the systemd-homed(8) service.

```
# homectl create username
```

This command will create a user with the specified username and a free UID in the range 60001–60513, create a group with the same name and a GID equal to the chosen UID, set the specified user as its member, and set the user's default shell to /bin/bash. The home directory mount point is set to /home/username. The storage mechanism is chosen in this order:

- luks if supported.
- subvolume if LUKS is not supported and subvolume is supported.
- directory if none of the above is supported and no other manual option is specified.

The image path for the LUKS mechanism is set to /home/. The directory path for the directory mechanism is set to /home/ dir.

The factual accuracy of this section is disputed. Reason: It does not have to be removable media. (Discuss in Talk:Systemd-homed)

homectl create wipes the partition table of the block device specified by --image-path.

A user home directory is stored in a Linux file system, inside an encrypted LUKS (Linux Unified Key Setup) volume, inside a loopback file or any removable media. To use this mechanism provide --storage=luks to homectl.

If you are using removable media, make sure that these conditions are met:

- The image contains a GPT partition table. For now it should only contain a single partition, and that partition must have the type UUID 773f91ef-66d4-49b5-bd83-d683bf40ad16. Its partition label must be the user name.
- This partition must contain a LUKS2 volume, whose label must be the user name. The LUKS2 volume must contain a LUKS2 token field of type systemd-homed. The JSON data of this token must have a record field, containing a string with base64-encoded data. This data is the JSON user record, in the same serialization as in ~/.identity, though encrypted. The JSON data of this token must also have an iv field, which contains a base64-encoded binary initialization vector for the encryption. The encryption used is the same as the LUKS2 volume itself uses, unlocked by the same volume key, but based on its own IV.
- Inside this LUKS2 volume must be a Linux file system, one of ext4, btrfs and XFS. The file system label must be the user name.
- This file system should contain a single directory named after the user. This directory will become the home directory of the user when activated. It contains a second copy of the user record in the ~/.identity file, like in the other storage mechanisms.

A user home directory is stored the same way as when using the above method, but this time native filesystem encryption is used. To use this mechanism provide --storage=fscrypt to homectl.

Tip: Filesystems with fscrypt support include ext4 and F2FS.

Directory or Btrfs subvolume

A user home directory is stored in /home/ dir and mounted to /home/username using a bind mount on unlocking. When this method is used no encryption is provided. To use this mechanism provide --storage=directory or --storage=subvolume to homectl.

Here, the home directory is mounted from a CIFS (Common Internet File System) server at login. Note that CIFS is implemented via the Samba protocol. Use --storage=cifs on the homectl command line. The local password of the user is used to log into the CIFS service.

You can modify or add to the user record with:

```
# homectl update username --property=VALUE
```

Create a user with fscrypt encryption (make sure that fscrypt is enabled on the file system):

```
# homectl create username --storage=fscrypt
```

Create a user with a specific UID, shell and groups:
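As an added example (not code from the page, from systemd or from homectl), the following Python checks a LUKS2 token JSON object against the rules the LUKS section above gives for a systemd-homed token: type systemd-homed, a base64 record field holding the encrypted user record, and a base64 iv field. Obtaining the token with `cryptsetup token export` is assumed; since the volume key is not available, the record is only checked for well-formedness, and the sample tokens are constructed.

```python
# Added example: check a systemd-homed LUKS2 token (the JSON printed by
# "cryptsetup token export --token-id N DEVICE") against the article's rules.
# The volume key is not available here, so the record is not decrypted.
import base64
import binascii
import json

EXPECTED_TYPE = "systemd-homed"

def _decode_b64(value):
    """Strict base64 decode; None for a missing or malformed field."""
    if not isinstance(value, str):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def check_homed_token(token_json):
    """Return a list of findings; an empty list means the token matches."""
    try:
        token = json.loads(token_json)
    except json.JSONDecodeError as exc:
        return [f"token is not valid JSON: {exc}"]
    if not isinstance(token, dict):
        return ["token is not a JSON object"]
    findings = []
    actual = token.get("type")
    if actual != EXPECTED_TYPE:
        findings.append(f"type is {actual!r}, expected {EXPECTED_TYPE!r}")
    # record: base64 of the encrypted JSON user record (same serialization
    # as ~/.identity). iv: base64 of the IV used to encrypt that record.
    for field in ("record", "iv"):
        raw = _decode_b64(token.get(field))
        if raw is None:
            findings.append(f"{field} field missing or not valid base64")
        elif not raw:
            findings.append(f"{field} field decodes to zero bytes")
    return findings

# Constructed sample tokens (placeholder bytes, not real homed output).
GOOD_TOKEN = json.dumps({
    "type": "systemd-homed",
    "record": base64.b64encode(b"\x00" * 48).decode(),  # stand-in ciphertext
    "iv": base64.b64encode(b"\x01" * 16).decode(),      # stand-in IV
})
BAD_TOKEN = json.dumps({"type": "other", "record": "not base64!", "iv": ""})
```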