thoughts on systemd-homed

do not recommend systemd-homed

SEAN K.H. LIAO

thoughts on systemd-homed

do not recommend systemd-homed

systemd-homed

I have systemd-homed setup to use a subvolume (btrfs). Unfortunately, even though it uses no encryption it still means that your home directory data is in /home/user.homedir which gets mounted on /home/user on login. This breaks some things, such as ssh login which is expected.

What isn't expected is for it to break my single factor yubikey login flow. I already moved the authorized keys list to somewhere in /etc. The first login on boot will always fail, requiring me to type my password, subsequent logins work fine. Attached are the logs for one such login:

 1Nov 18 20:14:10 eevee systemd-homed[473]: arccy: changing state inactive → activating-for-acquire
 2Nov 18 20:14:10 eevee systemd-homework[582]: None of the supplied plaintext passwords unlocks the user record's hashed passwords.
 3Nov 18 20:14:10 eevee systemd-homed[473]: Activation failed: Required key not available
 4Nov 18 20:14:10 eevee systemd-homed[473]: arccy: changing state activating-for-acquire → inactive
 5Nov 18 20:14:10 eevee systemd-homed[473]: Got notification that all sessions of user arccy ended, deactivating automatically.
 6Nov 18 20:14:10 eevee systemd-homed[473]: Home arccy already deactivated, no automatic deactivation needed.
 7Nov 18 20:14:13 eevee systemd-homed[473]: arccy: changing state inactive → activating-for-acquire
 8Nov 18 20:14:13 eevee systemd-homework[583]: Provided password unlocks user record.
 9Nov 18 20:14:13 eevee systemd-homework[583]: Read embedded .identity file.
10Nov 18 20:14:13 eevee systemd-homework[583]: Provided password unlocks user record.
11Nov 18 20:14:13 eevee systemd-homework[583]: Reconciling embedded user identity completed (host and embedded version were identical).
12Nov 18 20:14:13 eevee systemd-homework[583]: Recursive changing of ownership not necessary, skipped.
13Nov 18 20:14:13 eevee systemd-homework[583]: Synchronized disk.
14Nov 18 20:14:13 eevee systemd-homework[583]: Everything completed.
15Nov 18 20:14:13 eevee systemd-homed[473]: Home arccy is signed exclusively by our key, accepting.
16Nov 18 20:14:13 eevee systemd-homed[473]: arccy: changing state activating-for-acquire → active

The other thing that broke was groups. The usual usermod -a -G docker arccy seemed to half work, so does homectl update arccy --member-of docker,adm,sudo,arccy since it doesn't have a append flag. userdbctl will happily report that I am now a member of the docker group, but groups doesn't and neither do other processes. Relogin doesn't work, maybe a restart of systemd-homed might have fixed it, but it was easier to just reboot.

All in all, not a pleasant experience.