I'm sick and tired of people not being able to detect the slightest hint of ironic sarcasm, even when the words they're reading are drenched in it. The +0 post you replied to should actually be marked +5, Insightful; I'm sure it would be if it ended in </sarcasm>.

You certainly know your English curses; you must have missed the rest of the class, though, if that's the best reply you can come up with. I certainly hope you don't speak like that around your children; I'm sure you do, though, so thank you for proving my point.

Open your eyes... Reddit is all around us. It's everywhere. And underneath? Just more Reddit. It's Reddit all the way down.

Eh?

How about SMELT, since it allows us to extract metal (in the form of productive results) from ore (in the form of people)?

No such thing as what? The antichrist?

This is correct; the NSA suspects we're all terrorists.

Well, if you can't figure out how to spell "fridge", perhaps your frig *should* be turned off, so you don't procreate.

First of all, parsing error... after reading your response a few times, I think I've deciphered it, though, so here goes...

You do realize that Ubuntu does, in fact, already have a systemd unit for NSS, right? I'm not the only one having this issue and both Debian and Ubuntu maintainers don't seem to know what to do to fix it, but go on ahead and assume it's my failing; deity-forbid you take 2 seconds to google the issue.

Dumbass.

Good for you? Is your NSS configured to require LDAP (other than the fact that the only local user account with a shell is root)? Otherwise, if NSS will fall back to "files" if LDAP fails, it sounds like your configuration and my workaround are one and the same.

Right here.

No. Read what I wrote.

In other words, the scripts aren't broken, they don't exist; the workaround is to create them. It's actually the sysv compatibility layer that allows the fix.

At least I know I went in the right direction with this. Thanks for the confirmation.

Like missing the sarcasm?

Even worse, try requiring LDAP (not just making it an option when an account isn't found locally, actually requiring it) for logins on a system booting via SystemD. Have your recovery media handy, you'll have to boot from it in order to remove the LDAP requirement when SystemD can't su because the network isn't up yet (or, if the LDAP server is localhost, slapd hasn't started because, guess what, it needs to su to its configured user during its init process).

Major issue affecting Ubuntu and, as far as I know, all Debian-based systems. The workaround should be simple: allow local account logins right up until TTYs actually become available, regardless of configuration. But, apparently, LDAP isn't considered important, so this has been an issue for as long as Debian has used SystemD and will likely remain so until Debian moves on to something else.

The current "recommended" workaround is a pair of ifup/down scripts that requires LDAP when the interface is up and makes it optional when it interface is down, which is great until your system crashes or you lose power and the "optional" config doesn't get applied. Then, it's time to whip out the recovery media so you can manually change the config and have a bootable system again. Needless to say, I refuse to implement that hack of a fix.

Instead, I ended up leaving LDAP optional, with a single user able to sign in, locally only, who can only su, and a local admin account that can only sudo and su, but can't log in. At least that minimizes the risk of not being able to unilaterally change either user's password across multiple systems in a timely manner; an attacker knowing the password for the user who can log in locally would have to be at the machine, and they still couldn't do anything without also knowing the username and password of the user who can sudo+su. In the end, I guess I get the benefit of being able to log in to said machines even when the LDAP server is unavailable, but it still shouldn't be necessary to implement such workarounds.

The key is derived from the passcode, if I recall correctly.

Or, you put a USB port on the keyboard and design it so that, when the receiver dongle is plugged into the keyboard, the two exchange keys. Allow only one receiver pairing per device and only one device pairing per receiver, per type of device.

Even better, disable the radio when the receiver dongle is plugged into the keyboard for pairing, no data is transmitted wirelessly, require a password for the key exchange, require that the password be changed with every exchange, generate the key from a passphrase typed by the user, salted with the password (such that the same passphrase will generate a different key if reused), and optionally allow the key itself to be encrypted with a passphrase in the keyboard's storage.

The key exchange process would go something like this:
1) Plug dongle into keyboard; "Ready" light illuminates
2) Type current password and press ENTER; password is encrypted with current private key and sent to dongle, dongle decrypts password and replies with the password plaintext re-encrypted with public key, keyboard decrypts reply with private key and compares result with known plaintext (just typed); on success (e.g. plaintexts match), "Password" light illuminates
3) Type new password and press ENTER; password is stored temporarily in keyboard's RAM; on success "Exchange" light illuminates
4) Type passphrase to be used for new key (suggest random keystrokes) and press ENTER; all lights illuminate, "Exchange" light blinks
5) Keyboard begins generating an RSA keypair; and sends the public key, encrypted with the current private key, to the dongle, which then decrypts the key and replies with the plaintext key; on success, all lights illuminate, "Ready" light blinks
6) Keyboard encrypts the new public key with the new private key and sends to dongle, dongle decrypts using the new public key and compares the result; on success (e.g. both keys match) it discards the old key and records the new key before encrypting the plaintext password from step 2 and sending the result to the keyboard for verification; dongle then discards plaintext password
7) Keyboard decrypts password and compares with original plaintext; on success (e.g. passwords match), keyboard discards old key and password, encrypts new password with private key, then stores the result, all lights illuminate, "Password" light blinks
8) Type key passphrase and press ENTER, or simply press ENTER; if passphrase is entered, generate a hash of the passphrase, having the same length as the private key, and XOR the key against the result; if no passphrase is entered, key remains plaintext; on success, keyboard records the resulting key, all lights blink
9) Remove dongle from keyboard
10) Insert dongle into computer

If a the private key is encrypted with a passphrase, require the passphrase every time the keyboard is powered on; generate a key-length hash (which will be identical to the hash used in step 8 if the passphrase is correct) and XOR the stored key against that hash; this is the key the keyboard encrypts its transmissions with.

This whole post is long enough without going into detail about why certain steps are necessary; perhaps I'll do a full writeup sometime. If I do, I'll reply to this post with a link. Of course, this solution is also imperfect, as an attacker could disassemble the dongle and read the public key directly from the dongle's flash; it would have to be designed in such a way that the dongle could not be opened to that degree without damaging the flash beyond readability. Layering several different kinds of epoxy over it should do the trick in most circumstances.