New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
can't login with homectl user; homectl indicates key is revoked #15178
Comments
What are the errors you get? Anything in syslog? |
Logged in as root:
complete journald contents over the course of this action:
|
hmm, can you provide "homectl inspect -j" of the user? Your user has no password defined and no PKCS#11 module either, so it cannot be authenticated. How did you create it? |
I created this user using:
and then used this user for several days, before experimenting with muqss put this VM into an unusable state where I never managed to reach a login prompt; when I eventually did (by going back to a mainline kernel), I kept on failing to authenticate. I second guessed my memory of my password, but then verified I was not going mad by manually opening the home volume with cryptsetup |
I am seeing similar issues for a home area on an external USB device. It works okay on the machine with which it was created, at least at first. If I remove the user, and then attempt to re-fixate the user on the same machine it fails. Likewise, it fails if I attempt to fixate it on a different machine (having copied the I am also on Arch Linux, using systemd 245.2-2 (and everything else up to date). |
@matthewwardrop Thank you for directing me to /var/lib/systemd/home/
The host is running xfs on /, and as mentioned, the VM in question was hard power cycled a couple of times which I have seen in the past result in zero length files |
So if we don't create a user home dir with --pkcs11-token-uri=... this can't be migrated? |
Awesome: /root [root@beast] [13:57]
I just managed to hit this again, now on a different machine. This time my machine froze on GDM login when I tried to boot into 5.7 rc2; I was forced to hard reset the machine and on boot it was behaving exactly the way the VM this was initially reported against did. /var/lib/systemd/home is XFS |
Is there anything else we can do to see if there's way to migrate the USB stick to a different machine? It seems the information asked for has been provided. |
I'll add some code that erases invalid files like that if it encounters them. And that syncs everything to disk whenver we change the files. And that generates better error messages. |
…ation defined We can't log into home entries that have no password or PKCS#11 token. Return a proper, useful error in that case. See: systemd#15178
Apparently xfs needs us to sync explicitly, see systemd#15178.
homed maintains two or three copies of the user's identity record per home directory: one on the host, one inside the LUKS header, and one embedded in the home directory. Previously we'd insist that if a user logs in they have to authenticate against all three, as a safety feature. This broke logging into unfixated records however, since in that case the host version is synthetic and thus does not carry any authentication data. Let's hence losen the strictness here: accept authentication against host records that carry no auth data. This should be safe as we know after all that the second/third record will catch invalid accesses. Fixes: systemd#15178
Fix waiting in #15869 |
…ation defined We can't log into home entries that have no password or PKCS#11 token. Return a proper, useful error in that case. See: systemd#15178
Apparently xfs needs us to sync explicitly, see systemd#15178.
homed maintains two or three copies of the user's identity record per home directory: one on the host, one inside the LUKS header, and one embedded in the home directory. Previously we'd insist that if a user logs in they have to authenticate against all three, as a safety feature. This broke logging into unfixated records however, since in that case the host version is synthetic and thus does not carry any authentication data. Let's hence losen the strictness here: accept authentication against host records that carry no auth data. This should be safe as we know after all that the second/third record will catch invalid accesses. Fixes: systemd#15178
…ation defined We can't log into home entries that have no password or PKCS#11 token. Return a proper, useful error in that case. See: systemd#15178
Apparently xfs needs us to sync explicitly, see systemd#15178.
homed maintains two or three copies of the user's identity record per home directory: one on the host, one inside the LUKS header, and one embedded in the home directory. Previously we'd insist that if a user logs in they have to authenticate against all three, as a safety feature. This broke logging into unfixated records however, since in that case the host version is synthetic and thus does not carry any authentication data. Let's hence losen the strictness here: accept authentication against host records that carry no auth data. This should be safe as we know after all that the second/third record will catch invalid accesses. Fixes: systemd#15178
Apparently xfs needs us to sync explicitly, see systemd#15178. (cherry picked from commit e4005ff)
systemd version the issue has been seen with
v245
Used distribution
Arch
Expected behaviour you didn't see
The ability to login
Unexpected behaviour you saw
Can't login via gdm or via tty
Steps to reproduce the problem
When sshing in via classic user channel:
This was a functional well loved autostarting libvirtd VM, which was working before I briefly migrated to linux-ck, which prevented this exact VM from successfully running a graphical interface hence my backtracking. On return to a stock kernel, the VM resumed working but I was unable to login to my homectl governed user.
The text was updated successfully, but these errors were encountered: