[systemd-devel] Preventing home activation with user password

Michael Cassaniti michael at cassaniti.id.au
Thu Aug 25 11:28:34 UTC 2022


Hi,
I would like to know if it is feasible to do the following for a user 
home directory managed with systemd-homed:
   - Activate and unlock with a FIDO2 token (or TPM2)
   - Unlock with a password but not activate
   - Activate (or at least decrypt) with a recovery key

The idea is that once a user has been activated they can unlock their 
desktop session using just a password which might not be too complex. To 
actually activate their account they would require either a FIDO2 token 
or TPM2 depending on their setup. As a fallback they can access their 
data for recovery purposes with a recovery key, but that should not be 
used in general.

The recovery key might not actually be the recovery key option of 
homectl. For example, the recovery key might be entered using 
'cryptsetup luksAddKey ...'.

I'm wondering if this is feasible rather than if it is implemented. I'll 
raise an RFE as required.

Thanks,
Michael Cassaniti, Australia