HackerTrans
TopNewTrendsCommentsPastAskShowJobs

moreentropy

no profile record

comments

moreentropy
·há 2 anos·discuss
How about just shipping a networkd.conf(.d) config snippet and .network file with the wanted defaults. This is just another instance of I-hate-systemd-for-no-reason whining
moreentropy
·há 2 anos·discuss
> P.S. I actually run systemd-nspawn in production, but I am probably the only person on earth to do so.

You're not alone, systemd-nspawn is very much underrated. I have used it a lot for machine containers, though I'm using podman+quadlet+systemd more right now. systemd-nspawn with mkosi for generating workload images is still a nice & powerful ecosystem.
moreentropy
·há 3 anos·discuss
I would consider PIV and SSH through PIV/OpenPGP legacy and undesired nowadays. If you're only interested in state of the art second factor instead of passwords for sensitive use cases, a simple FIDO2 security key w/o all the extra features on a yubikey 5 is enough.

You can solve most of those with only FIDO2 nowadays:

Webauthn with fido/u2f is supported on most websites and oidc providers.

SSH with FIDO and resident / non-resident keys is supported.

PAM -> as documented in the guide, although setting origin and type manually isn't necessary and you can save keys in ~/.config/Yubico so non-root users can manage their keys. I would recommend enabling PIN verification with pamu2fcfg --pin-verification.

LUKS hard disk encryption with FIDO2 for unlocking isn't covered but is possible, systemd-cryptenroll can set this up on modern linux distributions.