
SoylentNews is people

posted by Fnord666 on Friday May 01 2020, @11:04AM
from the resistance-is-futile.-/home-will-be-assimilated dept.

Good News:

Linux home directory management is about to undergo major change:

With systemd 245 comes systemd-homed. Along with that, Linux admins will have to change the way they manage users and users' home directories.

[...] Prior to systemd every system and resource was managed by its own tool, which was clumsy and inefficient. Now? Controlling and managing systems on Linux is incredibly easy.

But one of the creators, Lennart Poettering, has always considered systemd to be incomplete. With the upcoming release of systemd 245, Poettering will take his system one step closer to completion. That step is by way of homed.

[...] let's take a look at the /home directory. This is a crucial directory in the Linux filesystem hierarchy, as it contains all user data and configurations. For some admins, this directory is so important that it is often placed on a separate partition or drive from the operating system. By doing this, user data is safe, even if the operating system were to implode.

However, the way /home is handled within the operating system makes migrating the /home directory not nearly as easy as it should be. Why? With the current iteration of systemd, user information (such as ID, full name, home directory, and shell) is stored in /etc/passwd and the password associated with that user is stored in /etc/shadow. The /etc/passwd file can be viewed by anyone, whereas /etc/shadow can only be viewed by those with admin or sudo privileges.

[...] Poettering has decided to make a drastic change. That change is homed. With homed, all information will be placed in a cryptographically signed JSON record for each user. That record will contain all user information such as username, group membership, and password hashes.

Each user's home directory will be a LUKS-encrypted container, with the encryption directly coupled to user login. Once systemd-homed detects that a user has logged in, the associated home directory is decrypted. Once that user logs out, the home directory is automatically encrypted again.
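To make the contrast between the classic split across /etc/passwd, /etc/shadow and /etc/group and a single signed per-user record concrete, here is an added example (not code from the article or from systemd). It merges constructed passwd, shadow and group lines into one JSON record and signs it; the field names are assumed, and an HMAC with a demo key stands in for the real signature scheme, which the article does not describe. The point it shows is that, unlike a plain text file, a signed record cannot be silently edited (for example to add a group membership) without the verification failing.

```python
import hashlib
import hmac
import json

# Constructed sample records in /etc/passwd, /etc/shadow and /etc/group layout (not a real host).
PASSWD_LINE = "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash"
SHADOW_LINE = "alice:$6$saltsalt$constructedhash:18383:0:99999:7:::"
GROUP_LINES = ["alice:x:1000:", "wheel:x:10:alice,bob", "docker:x:990:bob"]
KEY = b"constructed-demo-key"  # assumption: a symmetric demo key stands in for the real signing key

def build_record(passwd_line, shadow_line, group_lines):
    """Merge the three classic files into one JSON user record (field names are assumed)."""
    name, _, uid, gid, gecos, home, shell = passwd_line.split(":")
    sname, phash = shadow_line.split(":")[:2]
    if sname != name:
        raise ValueError("shadow entry does not match passwd entry")
    groups = set()
    for line in group_lines:
        gname, _, ggid, members = line.split(":")
        # primary group by gid, supplementary groups by explicit membership
        if ggid == gid or name in members.split(","):
            groups.add(gname)
    return {"userName": name, "uid": int(uid), "realName": gecos, "homeDirectory": home,
            "shell": shell, "memberOf": sorted(groups), "passwordHash": [phash]}

def _canonical(record):
    """Canonical encoding so signer and verifier hash byte-identical input."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def sign_record(record, key):
    """Return a copy of the record carrying an HMAC-SHA256 over every other field."""
    signed = dict(record)
    signed["signature"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return signed

def verify_record(signed, key):
    """Recompute the MAC without the signature field; any edited field makes this False."""
    record = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("signature", ""))

def demo():
    """Sign alice's record, then grant her 'docker' without re-signing: returns (True, False)."""
    signed = sign_record(build_record(PASSWD_LINE, SHADOW_LINE, GROUP_LINES), KEY)
    tampered = dict(signed, memberOf=signed["memberOf"] + ["docker"])
    return verify_record(signed, KEY), verify_record(tampered, KEY)

if __name__ == "__main__":
    print(demo())
```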

[...] Of course, such a major change doesn't come without its share of caveats. In the case of systemd-homed, that caveat comes by way of SSH. If a systemd-homed home directory is encrypted until a user successfully logs in, how will users be able to log in to a remote machine with SSH?

The big problem with that is the .ssh directory (where SSH stores known_hosts and authorized_keys) would be inaccessible while the user's home directory is encrypted. Of course Poettering knows of this shortcoming. To date, all of the work done with systemd-homed has been with the standard authentication process. You can be sure that Poettering will come up with a solution that takes SSH into consideration.

Older articles:

Will systemd be considered complete once the kernel and boot loader have been absorbed into systemd?


  • (Score: 5, Insightful) by Anonymous Coward on Friday May 01 2020, @11:46AM (2 children)

    by Anonymous Coward on Friday May 01 2020, @11:46AM (#988871)

    This exists only to create problems, add pointless complexity, and cause incompatibilities. Imaginary "improvements" are the fig leaf, breaking things is the real purpose.

  • (Score: 3, Interesting) by EEMac on Friday May 01 2020, @07:49PM (1 child)

    by EEMac (6423) on Friday May 01 2020, @07:49PM (#989149)

    We're seeing (continued, growing) tension between:
    * Linux users/hobbyists who were the core of the movement at the beginning
    * Large companies who fund Red Hat and a lot of Linux development

    Linux hobbyists want a computer that's fully open and that they control. That was the promise of Linux in the beginning, after all: completely open source, no corporate jerks interfering with you, you're completely in charge of your own computer.
    Large organizations want things locked down, remotely manageable, and they have security concerns that just don't make sense at the hobbyist level.

    Will Linux end up as another corporate OS, with a few distros like Slackware available to meet hobbyist needs? Can hobbyist distros still run the software people want without including corporate-friendly stuff like systemd? It will be interesting to see how this plays out.

    • (Score: 1, Interesting) by Anonymous Coward on Friday May 01 2020, @09:42PM

      by Anonymous Coward on Friday May 01 2020, @09:42PM (#989213)

      Large organizations want things locked down, remotely manageable, and they have security concerns that just don't make sense at the hobbyist level.

      Haha, "security concerns".

      The large organization I work for insists on monthly password changes using large restrictive password requirements, forcing everyone to write them down on sticky notes. Then the very same security department wants to implement a new threat management tool that they downloaded off github and comes as Debian packages. But all our Linux servers run Red Hat. So they can't get it to work on Red Hat because nobody knows how the threat management tool even works, and the developers don't know jack shit about anything other than installing it on the latest Ubuntu with the latest bleeding edge dev libraries of everything. So nobody can make this work on Red Hat, even though the application advertises itself as Red Hat ready. So instead of recognizing the red flags that are flying up everywhere, security doubles down and runs the application in a container that will never see a security update again in its lifetime. All the while the "threat management tool" needs to be able to contact servers all over the world to update its threat identifiers, punching huge holes in our firewall.

      So now we have an application, downloaded from the internet with no vendor support, frozen in time with whatever security vulnerabilities may be found in the future, scanning our internal networks and communicating with unknown and uncontrolled external servers outside of our networks. For all I know it's mining bitcoin. AND OUR SECURITY DEPARTMENT DEMANDED THIS TOOL.

      So no, large organizations are not driving security concerns. They want their Linux servers to act more like point and click windowish tools.