Commit | Line | Data |
---|---|---|
0bbc5a56 LP |
1 | <?xml version='1.0'?> <!--*-nxml-*--> |
2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | |
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
4 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> | |
5 | ||
4623eecb | 6 | <refentry id="systemd.system-credentials" xmlns:xi="http://www.w3.org/2001/XInclude"> |
0bbc5a56 LP |
7 | |
8 | <refentryinfo> | |
9 | <title>systemd.system-credentials</title> | |
10 | <productname>systemd</productname> | |
11 | </refentryinfo> | |
12 | ||
13 | <refmeta> | |
14 | <refentrytitle>systemd.system-credentials</refentrytitle> | |
15 | <manvolnum>7</manvolnum> | |
16 | </refmeta> | |
17 | ||
18 | <refnamediv> | |
19 | <refname>systemd.system-credentials</refname> | |
20 | <refpurpose>System Credentials</refpurpose> | |
21 | </refnamediv> | |
22 | ||
23 | <refsect1> | |
24 | <title>Description</title> | |
25 | ||
26 | <para><ulink url="https://systemd.io/CREDENTIALS">System and Service Credentials</ulink> are data objects | |
27 | that may be passed into booted systems or system services as they are invoked. They can be acquired from | |
28 | various external sources, and propagated into the system and from there into system services. Credentials | |
29 | may optionally be encrypted with a machine-specific key and/or locked to the local TPM2 device, and are | |
30 | only decrypted when the consuming service is invoked.</para> | |
31 | ||
32 | <para>System credentials may be used to provision and configure various aspects of the system. Depending | |
33 | on the consuming component, credentials are only used on initial invocations or are needed for all | |
34 | invocations.</para> | |
35 | ||
36 | <para>Credentials may be used for any kind of data, binary or text, and may carry passwords, secrets, | |
37 | certificates, cryptographic key material, identity information, configuration, and more.</para> | |
38 | </refsect1> | |
39 | ||
40 | <refsect1> | |
41 | <title>Well known system credentials</title> | |
42 | ||
8914f7e8 | 43 | <variablelist class='system-credentials'> |
0bbc5a56 LP |
44 | <varlistentry> |
45 | <term><varname>firstboot.keymap</varname></term> | |
46 | <listitem> | |
47 | <para>The console key mapping to set (e.g. <literal>de</literal>). Read by | |
48 | <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
49 | and only honoured if no console keymap has been configured before.</para> | |
50 | </listitem> | |
51 | </varlistentry> | |
52 | ||
53 | <varlistentry> | |
54 | <term><varname>firstboot.locale</varname></term> | |
8914f7e8 | 55 | <term><varname>firstboot.locale-messages</varname></term> |
0bbc5a56 LP |
56 | <listitem> |
57 | <para>The system locale to set (e.g. <literal>de_DE.UTF-8</literal>). Read by | |
58 | <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
59 | and only honoured if no locale has been configured before. <varname>firstboot.locale</varname> sets | |
60 | <literal>LANG</literal>, while <varname>firstboot.locale-messages</varname> sets | |
61 | <literal>LC_MESSAGES</literal>.</para> | |
62 | </listitem> | |
63 | </varlistentry> | |
64 | ||
65 | <varlistentry> | |
66 | <term><varname>firstboot.timezone</varname></term> | |
67 | <listitem> | |
68 | <para>The system timezone to set (e.g. <literal>Europe/Berlin</literal>). Read by | |
69 | <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
70 | and only honoured if no system timezone has been configured before.</para> | |
71 | </listitem> | |
72 | </varlistentry> | |
73 | ||
74 | <varlistentry> | |
75 | <term><varname>login.issue</varname></term> | |
76 | <listitem> | |
77 | <para>The data of this credential is written to | |
f37f0f35 ZJS |
78 | <filename>/etc/issue.d/50-provision.conf</filename>, if the file doesn't exist yet. |
79 | <citerefentry project='man-pages'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
80 | reads this file and shows its contents at the login prompt of terminal logins. See | |
81 | <citerefentry project='man-pages'><refentrytitle>issue</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
82 | for details.</para> | |
0bbc5a56 LP |
83 | |
84 | <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see | |
85 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
86 | </listitem> | |
87 | </varlistentry> | |
88 | ||
89 | <varlistentry> | |
90 | <term><varname>login.motd</varname></term> | |
91 | <listitem> | |
92 | <para>The data of this credential is written to <filename>/etc/motd.d/50-provision.conf</filename>, | |
f37f0f35 ZJS |
93 | if the file doesn't exist yet. |
94 | <citerefentry project='man-pages'><refentrytitle>pam_motd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
0bbc5a56 | 95 | reads this file and shows its contents as "message of the day" during terminal logins. See |
f37f0f35 ZJS |
96 | <citerefentry project='man-pages'><refentrytitle>motd</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
97 | for details.</para> | |
0bbc5a56 LP |
98 | |
99 | <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see | |
100 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
101 | </listitem> | |
102 | </varlistentry> | |
103 | ||
104 | <varlistentry> | |
105 | <term><varname>network.hosts</varname></term> | |
106 | <listitem> | |
107 | <para>The data of this credential is written to <filename>/etc/hosts</filename>, if the file | |
f37f0f35 ZJS |
108 | doesn't exist yet. See |
109 | <citerefentry project='man-pages'><refentrytitle>hosts</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
110 | for details.</para> | |
0bbc5a56 LP |
111 | |
112 | <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see | |
113 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
114 | </listitem> | |
115 | </varlistentry> | |
116 | ||
116687f2 LP |
117 | <varlistentry> |
118 | <term><varname>network.dns</varname></term> | |
119 | <term><varname>network.search_domains</varname></term> | |
120 | <listitem> | |
121 | <para>DNS server information and search domains. Read by | |
122 | <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> | |
123 | </listitem> | |
124 | </varlistentry> | |
125 | ||
0bbc5a56 LP |
126 | <varlistentry> |
127 | <term><varname>passwd.hashed-password.root</varname></term> | |
128 | <term><varname>passwd.plaintext-password.root</varname></term> | |
129 | <listitem> | |
130 | <para>May contain the password (either in UNIX hashed format, or in plaintext) for the root user. | |
131 | Read by both | |
132 | <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
133 | and | |
134 | <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
135 | and only honoured if no root password has been configured before.</para> | |
136 | </listitem> | |
137 | </varlistentry> | |
138 | ||
139 | <varlistentry> | |
140 | <term><varname>passwd.shell.root</varname></term> | |
141 | <listitem> | |
142 | <para>The path to the shell program (e.g. <literal>/bin/bash</literal>) for the root user. Read by | |
143 | both | |
144 | <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
145 | and | |
146 | <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
147 | and only honoured if no root shell has been configured before.</para> | |
148 | </listitem> | |
149 | </varlistentry> | |
150 | ||
151 | <varlistentry> | |
152 | <term><varname>ssh.authorized_keys.root</varname></term> | |
153 | <listitem> | |
154 | <para>The data of this credential is written to <filename>/root/.ssh/authorized_keys</filename>, if | |
155 | the file doesn't exist yet. This allows provisioning SSH access for the system's root user.</para> | |
156 | ||
157 | <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see | |
158 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
159 | </listitem> | |
160 | </varlistentry> | |
161 | ||
162 | <varlistentry> | |
163 | <term><varname>sysusers.extra</varname></term> | |
164 | <listitem> | |
165 | <para>Additional | |
166 | <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
167 | lines to process during boot.</para> | |
168 | </listitem> | |
169 | </varlistentry> | |
170 | ||
171 | <varlistentry> | |
172 | <term><varname>sysctl.extra</varname></term> | |
173 | <listitem> | |
174 | <para>Additional | |
175 | <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> lines | |
176 | to process during boot.</para> | |
177 | </listitem> | |
178 | </varlistentry> | |
179 | ||
180 | <varlistentry> | |
181 | <term><varname>tmpfiles.extra</varname></term> | |
182 | <listitem> | |
183 | <para>Additional | |
184 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
185 | lines to process during boot.</para> | |
186 | </listitem> | |
187 | </varlistentry> | |
188 | ||
6ac62485 LP |
189 | <varlistentry> |
190 | <term><varname>fstab.extra</varname></term> | |
191 | ||
192 | <listitem> | |
193 | <para>Additional mounts to establish at boot. For details, see | |
194 | <citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> | |
195 | </listitem> | |
196 | </varlistentry> | |
197 | ||
ea575e17 LP |
198 | <varlistentry> |
199 | <term><varname>vconsole.keymap</varname></term> | |
200 | <term><varname>vconsole.keymap_toggle</varname></term> | |
201 | <term><varname>vconsole.font</varname></term> | |
202 | <term><varname>vconsole.font_map</varname></term> | |
203 | <term><varname>vconsole.font_unimap</varname></term> | |
204 | <listitem> | |
205 | <para>Console settings to apply, see | |
206 | <citerefentry><refentrytitle>systemd-vconsole-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para> | |
207 | </listitem> | |
208 | </varlistentry> | |
209 | ||
cdd133b3 LP |
210 | <varlistentry> |
211 | <term><varname>getty.ttys.serial</varname></term> | |
212 | <term><varname>getty.ttys.container</varname></term> | |
213 | ||
214 | <listitem><para>Used for spawning additional login prompts, see | |
215 | <citerefentry><refentrytitle>systemd-getty-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para></listitem> | |
216 | </varlistentry> | |
217 | ||
4a91ace5 LB |
218 | <varlistentry> |
219 | <term><varname>vmm.notify_socket</varname></term> | |
220 | <listitem> | |
452cfd98 LP |
221 | <para>Configures an |
222 | <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
223 | compatible <constant>AF_VSOCK</constant> socket on which the service manager will report status information, | |
224 | ready notification and exit status. For details see | |
225 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para> | |
4a91ace5 LB |
226 | </listitem> |
227 | </varlistentry> | |
deb0d489 LP |
228 | |
229 | <varlistentry> | |
230 | <term><varname>system.machine_id</varname></term> | |
231 | <listitem> | |
232 | <para>Takes a 128-bit ID to initialize the machine ID from (if it is not set yet). Interpreted by | |
233 | the service manager (PID 1). For details see | |
234 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para> | |
235 | </listitem> | |
236 | </varlistentry> | |
0bbc5a56 LP |
237 | </variablelist> |
238 | </refsect1> | |
239 | ||
240 | <refsect1> | |
241 | <title>See Also</title> | |
242 | <para> | |
243 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
eb99c459 LP |
244 | <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
245 | <citerefentry><refentrytitle>smbios-type-11</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
0bbc5a56 LP |
246 | </para> |
247 | </refsect1> | |
248 | ||
249 | </refentry> |