[systemd-devel] Preventing home activation with user password
Michael Cassaniti
michael at cassaniti.id.au
Thu Aug 25 11:28:34 UTC 2022
Hi,

I would like to know if it is feasible to do the following for a user
home directory managed with systemd-homed:

- Activate and unlock with a FIDO2 token (or TPM2)
- Unlock with a password but not activate
- Activate (or at least decrypt) with a recovery key

The idea is that once a user has been activated they can unlock their
desktop session using just a password which might not be too complex. To
actually activate their account they would require either a FIDO2 token
or TPM2 depending on their setup. As a fallback they can access their
data for recovery purposes with a recovery key, but that should not be
used in general.

The recovery key might not actually be the recovery key option of
homectl. For example, the recovery key might be entered using
'cryptsetup luksAddKey ...'.

I'm wondering if this is feasible rather than if it is implemented. I'll
raise an RFE as required.

Thanks,
Michael Cassaniti, Australia