Open-source News

Manage Linux users' home directories with systemd-homed

opensource.com - Wed, 03/09/2022 - 15:00
By David Both - Wed, 03/09/2022 - 02:00

The entire systemd concept and implementation have introduced many changes since it began to replace the old SystemV startup and init tools. Over time, systemd has been extended into many other segments of the Linux environment.

One relatively new service, systemd-homed, extends the reach of systemd into the management of users' home directories. The feature enforces human user access only and restricts system users in the User ID (UID) range between 0 and 999. I support the systemd plan to take over the world, but I wondered if this was a bit excessive. Then I did some research.

What is systemd-homed?

The systemd-homed service supports user account portability independent of the underlying computer system. A practical example is to carry around your home directory on a USB thumb drive and plug it into any system which would automatically recognize and mount it. According to Lennart Poettering, lead developer of systemd, access to a user's home directory should not be allowed to anyone unless the user is logged in. The systemd-homed service is designed to enhance security, especially for mobile devices such as laptops. It also seems like a tool that might be useful with containers.

This objective can only be achieved if the home directory contains all user metadata. The ~/.identity file stores user account information, which is only accessible to systemd-homed when the password is entered. This file holds all of the account metadata, including everything Linux needs to know about you, so that the home directory is portable to any Linux host that uses systemd-homed. This approach prevents having an account with a stored password on every system you might need to use.

The home directory can also be encrypted using your password. Under systemd-homed, your home directory stores your password with all of your user metadata. Your encrypted password is not stored anywhere else and thus cannot be accessed by anyone. Although the methods used to encrypt and store passwords for modern Linux systems are considered to be unbreakable, the best safeguard is to prevent them from being accessed in the first place. Assumptions about the invulnerability of their security have led many to ruin.

This service is primarily intended for use with portable devices such as laptops. Poettering states, "Homed is intended primarily for client machines, i.e., laptops and thus machines you typically ssh from a lot more than ssh to, if you follow what I mean." It is not intended for use on servers or workstations that are tethered to a single location by cables or locked into a server room.

The systemd-homed service is enabled by default on new installations—at least for Fedora, which is the distro that I use. This configuration is by design, and I don't expect that to change. User accounts are not affected or altered in any way on systems with existing filesystems, upgrades, or reinstallations that keep the existing partitions and logical volumes.

Creating controlled users

Traditional tools such as useradd create accounts and home directories that systemd-homed does not manage. Therefore, if you continue to use the conventional user management tools, the home directories they create are not managed by systemd-homed. This is also the case with the non-root user account created during a new installation.

The homectl command

The homectl command creates user accounts that systemd-homed manages. Using the homectl command to create a new account generates the metadata needed to make the home directory portable.

The homectl man page has a good explanation of the objectives and function of the systemd-homed service. It is also an interesting read, especially the Example section. Of the five examples, three show how to create user accounts with specific limits imposed, such as a maximum number of concurrent processes or a maximum amount of disk space.

In a non-homectl setup, the /etc/security/limits.conf file imposes these limits. The only advantage I can see to this is that it adds a user and applies the limits with a single command. With the traditional method, the sysadmin must configure the limits.conf file manually.

Limitations

The only significant limitation I am aware of is that it is not possible to access a user home directory remotely using OpenSSH. This limitation is due to the current inability of PAM to provide access to a home directory managed by homectl. Poettering seems doubtful that this can be overcome. This issue would prevent me from using systemd-homed for my home directory on my primary workstation or even my laptop. I typically log into both computers remotely several times per day using SSH, so this is a showstopper for me.

The other concern I can see is that you still need a Linux computer for use with a USB thumb drive with your home directory on it, and that computer needs to have systemd-homed running.

It is optional

You don't have to use it, however. I plan to continue using the traditional tools for user management to support my workflow. The default for the few distros I have some little knowledge of, including Fedora, is for the systemd-homed service to be enabled and running. You can disable and stop the systemd-homed service without impacting traditional user accounts.

Final thoughts

Sysadmins can use the systemd-homed service for a secure form of management of roaming users' home directories. It is useful on portable devices like laptops and can be especially useful for users who carry a thumb drive containing only their home directories to plug it into any convenient Linux computer.

The primary limitation of using systemd-homed is that it is impossible to log in remotely using SSH. And even though the systemd-homed is enabled by default, it does not affect home directories created with the useradd command. I do need to point out that—like many systemd tools—systemd-homed is optional. So I just stopped and disabled the service.

If I need to take my home directory in a package smaller than my laptop, I can just use a live USB with persistent storage.


This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.

NordVPN Installation and Review On Linux

Tecmint - Wed, 03/09/2022 - 13:34
The post NordVPN Installation and Review On Linux first appeared on Tecmint: Linux Howtos, Tutorials & Guides .

Downloading and utilizing VPNs (Virtual Private Networks) is theoretically the norm nowadays. If you aren’t with a VPN already, you’re still in the majority but with a gradual increase in privacy and security concerns


How to Install WordPress on RHEL 8 with Apache

Tecmint - Wed, 03/09/2022 - 12:06
The post How to Install WordPress on RHEL 8 with Apache first appeared on Tecmint: Linux Howtos, Tutorials & Guides .

WordPress is an immensely popular CMS (Content Management System) that accounts for nearly 43% of all the websites according to W3techs.com. From powering high-traffic sites such as eCommerce, and news websites to simple blogs,


Godot 4.0 Alpha 4 Released With OpenXR Support In Core, Other Improvements

Phoronix - Wed, 03/09/2022 - 08:30
Godot 4.0 continues marching closer to its much anticipated release with today marking the fourth release candidate already for this open-source game engine...

Linux Lands Mitigations For Spectre-BHB / BHI On Intel & Arm, Plus An AMD Change Too

Phoronix - Wed, 03/09/2022 - 04:25
Within minutes of the BHI speculative execution vulnerability going public, patches were merged into the mainline Linux kernel Git tree for mitigating this offshoot from Spectre V2. The Intel and Arm processors affected by BHI (also referred to as Spectre-BHB) have mitigation work, plus a change that also impacts AMD processors...

FINOS and The Linux Foundation Partner with Fintech Week London, Strengthening European Presence

The Linux Foundation - Wed, 03/09/2022 - 03:08

Registration opens for FINOS’ Open Source in Finance Forum (OSFF) London, taking place alongside partner event Fintech Week London 

London, UK – March 8, 2022 – FINOS, the Fintech Open Source Foundation and financial sector arm of the Linux Foundation, and The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced its partnership with Fintech Week London. Their annual event, Open Source in Finance Forum (OSFF), will take place in London on 13 July, during Fintech Week London, which will run from 11 – 14 July.

This partnership highlights the elevated presence of open source software and open collaboration in the financial services industry, and will allow attendees of both conferences an opportunity to learn more about integrating open source software into their technology strategies. Through partnering with Fintech Week London, FINOS bolsters its European footprint – one it is focused on expanding over the course of 2022.

“Partnering with Fintech Week London signifies the growing recognition and appetite for financial services and fintechs to adopt and contribute to open source,” said Gabriele Columbro, Executive Director of FINOS. “Each year, our goal with OSFF is to not only inspire attendees to foster the open source community within financial services, but also bring industry leaders from financial institutions, fintechs and the regulatory space together to discuss how open source can drive innovation across the industry. This partnership is a natural way to bridge the efforts of Fintech Week London and FINOS in fostering technological innovation in the financial services industry.”

The Open Source in Finance Forum is dedicated to driving collaboration and innovation in financial services through open source software and standards. The first iteration of this conference, previously known as the Open Source Strategy Forum, took place in 2017, and it has since then grown to become the flagship event for the fast growing open source movement in financial services and its unique challenges. OSFF will also be held in New York City, USA on 8 December. The call for proposals is open for both events – view suggested topics and submit talks for each event at the links provided here: 

“The momentum of financial institutions looking to and relying on open source technology to scale and grow their businesses is growing at a rapid rate,” said Jim Zemlin, Executive Director, The Linux Foundation. “Holding Open Source in Finance Forum London as part of Fintech Week London will allow us to make even more financial institutions – especially in the UK – open source ready.”

Fintech Week London shines a light on the most interesting topics in financial technology. Traditional financial institutions come together with fintechs and other financial services companies, in one of the world’s oldest leading financial districts. The event brings together high-street banks, challengers, technology giants, and disruptors, to discuss and showcase fintech’s global presence and the forces driving innovation in the industry.

“I’m very excited that we have the Open Source in Finance Forum as part of the official programme this year,” said Raf De Kimpe, CEO of Fintech Week London. “The overall theme for #FTWLondon 2022 is ‘The Coming of Age of the Fintech Industry’; the industry is moving past its infancy to be a full-blown player in finance services. With so many mergers, acquisitions and partnerships taking place, collaboration and innovation are cornerstones of our programme. A day dedicated to open source software and standards is essential to have a well rounded view on evolutions in the Fintech Industry for all our attendees. On the third day of Fintech Week London, etc. Venues 133 Houndsditch will be transformed into the place to be for our attendees to learn how to best and safely leverage open source software to solve industry challenges.”

FINOS’ commitment to fostering the adoption of open source reaches beyond US institutions, with an even distribution of contributors in both the United States and Europe. In recognition of its strong European grassroots, FINOS actively invests in nurturing its relationships across seas. Partnerships such as this bring an increased awareness to the collaborative work of developers, contributors and financial institutions driving adoption around the world.    

“Collaborative efforts through open source adoption go far beyond US financial institutions,” said James McLeod, Director of Community for FINOS. “FINOS recognizes the potential power that world-wide collaboration possesses to drive innovation on a grand scale, and that’s why we continue to nurture relationships with our established European developers, financial organizations and fintechs. To continue this progression, we invest in forming new connections to support and expand the work being done by our community.”

Click here to learn more about and register for Open Source in Finance Forum London. To learn more about and register for Fintech Week London, please click here.

About FINOS

FINOS (The Fintech Open Source Foundation) is a nonprofit whose mission is to foster adoption of open source, open standards and collaborative software development practices in financial services. It is the center for open source developers and the financial services industry to build new technology projects that have a lasting impact on business operations. As a regulatory compliant platform, the foundation enables developers from these competing organizations to collaborate on projects with a strong propensity for mutualization. It has enabled codebase contributions from both the buy- and sell-side firms and counts over 50 major financial institutions, fintechs and technology consultancies as part of its membership. FINOS is also part of the Linux Foundation, the largest shared technology organization in the world. Get involved and join FINOS as a Member.

About the Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 2,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.org.

Linux Foundation Events are where the world’s leading technologists meet, collaborate, learn and network in order to advance innovations that support the world’s largest shared technologies.

Visit our website and follow us on Twitter, Linkedin, and Facebook for all the latest event updates and announcements.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds. 

About Fintech Week London

The Coming of Age of The Fintech Industry

Fintech Week London shines a light on the most interesting topics in financial technology, with a 2-day conference at its core. Traditional financial institutions come together with fintechs and other financial services companies, in one of the world’s oldest leading financial districts: London. From high-street banks to challengers, technology giants to disruptors, this five-day event showcases some of the best that London and global fintech has to offer.

Mark your calendars for the second edition on July 11-15, 2022. 

To learn more about Fintech Week London, please visit our website: www.fintechweek.london


FINOS Media Contact:
Ross Stevens
Caliber Corporate Advisers for FINOS
ross@calibercorporate.com

Fintech Week London Media Contact:
Raf De Kimpe
Fintech Week London 
raf@fintechweek.london

The post FINOS and The Linux Foundation Partner with Fintech Week London, Strengthening European Presence appeared first on Linux Foundation.

Apple M1 Ultra With 20 CPU Cores, 64 Core GPU, 32 Core Neural Engine, Up To 128GB Memory

Phoronix - Wed, 03/09/2022 - 03:00
Apple is at it again with further showing off the potential of their Arm-based Apple Silicon with today rolling out the M1 Ultra SoC...

BHI: The Newest Spectre Vulnerability Affecting Intel & Arm CPUs

Phoronix - Wed, 03/09/2022 - 02:00
The VUSec security researchers are today -- in cooperation with Intel -- disclosing another new speculative execution vulnerability... BHI is the name and it's an offshoot from Spectre V2...

DENT 2.0, Secure and Scalable Open Source Network Operating System Aimed at Small and Mid-Size Enterprises, Released

The Linux Foundation - Wed, 03/09/2022 - 01:55

The DENT project is an open source network operating system utilizing the Linux Kernel, Switchdev, and other Linux based projects, hosted under the Linux Foundation. The project has announced DENT 2.0 is available for immediate download.

The “Beeblebrox” release adds key features utilized by distributed enterprises in retail and remote facilities, providing a secure and scalable Linux-based Network Operating System (NOS) for disaggregated switches adaptable to edge deployment. This means DENT provides a smaller, more lightweight NOS for use at the small, remote edges of enterprise networks.

DENT 2.0 adds secure scaling with Internet Protocol version 6 (IPv6) and Network Address Translation (NAT) to support a broader community of enterprise customers. It also adds Power over Ethernet (PoE) control to allow remote switching, monitoring, and shutting down. Connectivity of IoT, Point of Sale (POS), and other devices is highly valuable to retail storefronts, early adopters of DENT. DENT 2.0 also adds traffic policing, helping mitigate attack situations that overload the CPU. 

“DENT has made great strides this past year and with its edge and native Linux approach, with a rich feature set for distributed enterprises like retail or remote facilities. DENT continues to expand into new use cases and welcomes community input with an open technical community, under the Linux Foundation,” said Arpit Joshipura, GM of Networking & Edge at The Linux Foundation.

DENT 2.0 Main Features to enable secure and scalable development

  • Secure scaling with IPv6 and NAT to appeal to a broader community of SME customers
  • PoE control to allow remote switching, monitoring, and shutting down
  • Rate limiting to protect against broadcast storms, creating a stronger OS under erroneous BUM (Broadcast, Unicast, Multicast) traffic

DENT enables enterprises to transition to disaggregated network switches and use cases available with the distributed enterprise and edge networking. The open source NOS provides key technology leverage in retail, a sector that is leading innovation in digital transformation. The Amazon public showcase of DENT hardware at re:Invent in November 2021 reached 20,000+ attendees.

“This new release of DENT 2.0 adds critical updates focused on smaller enterprise needs. This was the goal of DENT all along, and I would like to thank our members and the wider community for this broad, concerted effort to move DENT significantly forward,” said Steven Noble, DENT Technical Steering Committee Chair. “It’s not easy building a flexible, accessible network OS, and this is why I’m proud of all the effort and coordination by so many talented individuals. If you are looking for an open source disaggregated network OS, now is great timing for looking at DENT.”

Retail stores, warehousing, remote locations, enterprise, and Small and Mid-Size Enterprises are all ideal environments for DENT deployment. Wiring closets in many facilities are small. Staff expertise may be limited, and branch-office switches from leading suppliers can require costly contracts. DENT is easily deployed on white-box hardware in small spaces. It can be set up to support dozens of wireless access points and IoT sensors, creating a manageable network to track inventory, monitor shelf real estate, scan customer activity, and perform automated checkouts.

DENT premier members include Amazon, Delta Electronics Inc, Edgecore Networks, and Marvell. Important contributions to the DENT project have come from NVIDIA, Keysight Technologies, and Sartura.

“Delta has built complete white box networking platforms based on DENT technology, helping drive a disaggregation model in edge that offers cost and flexibility benefits to customers looking for OEM solutions,” said Charlie Wu, Vice President, Solution Center at Delta Networks. “The deployment of our 1G and 10G Ethernet switch boxes with Marvell’s Prestera® devices and the DENT OS in real world applications demonstrates the power of open source to accelerate technology innovation in networking.” 

“Edgecore Networks, as the premier member of DENT, is pleased to see the groundbreaking second release of DENT 2.0, enabling DENT community members to use the DENT’s simplified abstracts, APIs, drivers, to lessen development and deployment overhead,” said Taskin Ucpinar, Senior Director of SW Development. “This innovative product development approach enables the community to build robust solutions with minimal effort and immediately help System Integrators deploy a networking solution to remote campuses and retail stores.”

“As the chairing company for DENT Test Working Group, Keysight has partnered with the open-source community to host the system integration test bed in Keysight labs,” said Dean Lee, Senior Director Cloud Solution Team. “Being a neutral test vendor, we have worked with the community to harden the DENT NOS in multi-vendor interoperability, performance, and resiliency. We are delighted to contribute to the success and wide adoption of DENT.”

“Marvell is accelerating the build-out of Ethernet switching infrastructure in emerging edge and borderless enterprise applications, and DENT is a key component to our offerings,” said Guy Azrad, Senior Vice President and General Manager, Switch Business Unit at Marvell. “With DENT incorporated on our Prestera® switch platforms, we are currently enabling retailers to transform physical stores to smart retail connected environments that benefit consumers through easy and efficient in-store experiences.”

Download and test DENT 2.0: https://github.com/dentproject/dentOS


The post DENT 2.0, Secure and Scalable Open Source Network Operating System Aimed at Small and Mid-Size Enterprises, Released appeared first on Linux Foundation.
