<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->

<refentry id="systemd-homed.service" conditional='ENABLE_HOMED'>

  <refentryinfo>
    <title>systemd-homed.service</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-homed.service</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-homed.service</refname>
    <refname>systemd-homed</refname>
    <refpurpose>Home Area/User Account Manager</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>systemd-homed.service</filename></para>
    <para><filename>/usr/lib/systemd/systemd-homed</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-homed</command> is a system service that may be used to create, remove, change or
    inspect home areas (directories and network mounts and real or loopback block devices with a filesystem,
    optionally encrypted).</para>

    <para>Most of <command>systemd-homed</command>'s functionality is accessible through the
    <citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> command.</para>

    <para>See the <ulink url="https://systemd.io/HOME_DIRECTORY">Home Directories</ulink> documentation for
    details about the format and design of home areas managed by
    <filename>systemd-homed.service</filename>.</para>

    <para>Each home directory managed by <filename>systemd-homed.service</filename> synthesizes a local user
    and group. These are made available to the system using the <ulink
    url="https://systemd.io/USER_GROUP_API">User/Group Record Lookup API via Varlink</ulink>, and thus may be
    browsed with
    <citerefentry><refentrytitle>userdbctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
  </refsect1>

  <refsect1>
    <title>Key Management</title>

    <para>User records are cryptographically signed with a public/private key pair (the signature is part of
    the JSON record itself). For a user to be permitted to log in locally, the public key matching the
    signature of their user record must be installed. For a user record to be modified locally, the private
    key matching the signature must be installed locally, too. The keys are stored in the
    <filename>/var/lib/systemd/home/</filename> directory:</para>

    <variablelist>

      <varlistentry>
        <term><filename>/var/lib/systemd/home/local.private</filename></term>

        <listitem><para>The private key of the public/private key pair used for local records. Currently,
        only a single such key may be installed.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><filename>/var/lib/systemd/home/local.public</filename></term>

        <listitem><para>The public key of the public/private key pair used for local records. Currently,
        only a single such key may be installed.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><filename>/var/lib/systemd/home/*.public</filename></term>

        <listitem><para>Additional public keys. Any users whose user records are signed with any of these keys
        are permitted to log in locally. An arbitrary number of keys may be installed this
        way.</para></listitem>
      </varlistentry>
    </variablelist>

    <para>All key files listed above are in PEM format.</para>

    <para>In order to migrate a home directory from a host <literal>foobar</literal> to another host
    <literal>quux</literal>, it is hence sufficient to copy
    <filename>/var/lib/systemd/home/local.public</filename> from the host <literal>foobar</literal> to
    <literal>quux</literal>, possibly naming the file on the destination
    <filename>/var/lib/systemd/home/foobar.public</filename> to reflect the origin of the key. If the user
    record should also be modifiable on <literal>quux</literal>, the pair
    <filename>/var/lib/systemd/home/local.public</filename> and
    <filename>/var/lib/systemd/home/local.private</filename> needs to be copied from <literal>foobar</literal>
    to <literal>quux</literal> and placed under the identical paths there, as currently only a single
    private key is supported per host. Note that this means that user records generated or signed before
    the key pair is copied in lose their validity.</para>
  </refsect1>
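  <refsect1>
    <title>Example</title>

    <para>The following is an added example, not part of systemd or of this manual page: a POSIX shell
    helper for the first migration step described above, installing a public key copied from host
    <literal>foobar</literal> as an additional trusted key on host <literal>quux</literal>. The host names,
    the key directory argument and the sample key are assumptions of the example; it deliberately does not
    copy <filename>local.private</filename>, which is the separate, invalidating step.</para>

    <programlisting><![CDATA[
```shell
#!/bin/sh
# Added example, not part of systemd: install a public key exported from
# another host as an additional trusted key, following the procedure in
# "Key Management". Host names and the key directory are demo assumptions.

# install_additional_public_key SRC_KEY ORIGIN_HOST [KEYDIR]
#   Copies SRC_KEY (e.g. foobar's local.public) to KEYDIR/ORIGIN_HOST.public
#   so records signed by that key are accepted for local login. It refuses
#   the reserved name "local" (that would replace the host's own key pair),
#   refuses to overwrite an existing key, and checks that the file is a PEM
#   public key rather than private key material.
install_additional_public_key() {
    src="$1"; origin="$2"; keydir="${3:-/var/lib/systemd/home}"
    case "$origin" in
        ''|local|*/*) echo "refusing origin name '$origin'"; return 1 ;;
    esac
    dest="$keydir/$origin.public"
    if [ -e "$dest" ]; then
        echo "$dest already exists, not overwriting"; return 1
    fi
    if grep -q 'PRIVATE KEY' "$src"; then
        echo "$src contains private key material, refusing"; return 1
    fi
    if ! grep -q '^-----BEGIN PUBLIC KEY-----$' "$src"; then
        echo "$src is not a PEM public key"; return 1
    fi
    mkdir -p "$keydir"
    cp "$src" "$dest" || return 1
    # Public keys only need to be readable; no secret is involved.
    chmod 0644 "$dest"
    echo "installed $dest"
}

# Stand-alone demo using a constructed (not real) PEM public key in a temp dir.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PUBLIC KEY-----' \
    'MCowBQYDK2VwAyEAQ0VOU1RSVUNURUQtREVNTy1LRVktTk9ULVJFQUw=' \
    '-----END PUBLIC KEY-----' > "$demo_dir/local.public"
install_additional_public_key "$demo_dir/local.public" foobar "$demo_dir/keys"
install_additional_public_key "$demo_dir/local.public" foobar "$demo_dir/keys"  # refused: exists
install_additional_public_key "$demo_dir/local.public" local "$demo_dir/keys"   # refused: reserved
rm -rf "$demo_dir"
```
]]></programlisting>
  </refsect1>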

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>homed.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam_systemd_home</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>userdbctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>org.freedesktop.home1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
    </para>
  </refsect1>
</refentry>