[thirdparty/systemd.git] / man / systemd.system-credentials.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd.system-credentials" xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd.system-credentials</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.system-credentials</refentrytitle>
    <manvolnum>7</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.system-credentials</refname>
    <refpurpose>System Credentials</refpurpose>
  </refnamediv>

  <refsect1>
    <title>Description</title>

    <para><ulink url="https://systemd.io/CREDENTIALS">System and Service Credentials</ulink> are data objects
    that may be passed into booted systems or system services as they are invoked. They can be acquired from
    various external sources, and propagated into the system and from there into system services. Credentials
    may optionally be encrypted with a machine-specific key and/or locked to the local TPM2 device, and are
    only decrypted when the consuming service is invoked.</para>

    <para>System credentials may be used to provision and configure various aspects of the system. Depending
    on the consuming component credentials are only used on initial invocations or are needed for all
    invocations.</para>

    <para>Credentials may be used for any kind of data, binary or text, and may carry passwords, secrets,
    certificates, cryptographic key material, identity information, configuration, and more.</para>
  </refsect1>

  <refsect1>
    <title>Well known system credentials</title>

    <variablelist class='system-credentials'>
      <varlistentry>
        <term><varname>firstboot.keymap</varname></term>
        <listitem>
          <para>The console key mapping to set (e.g. <literal>de</literal>).  Read by
          <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
          and only honoured if no console keymap has been configured before.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>firstboot.locale</varname></term>
        <term><varname>firstboot.locale-messages</varname></term>
        <listitem>
          <para>The system locale to set (e.g. <literal>de_DE.UTF-8</literal>). Read by
          <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
          and only honoured if no locale has been configured before. <varname>firstboot.locale</varname> sets
          <literal>LANG</literal>, while <varname>firstboot.locale-message</varname> sets
          <literal>LC_MESSAGES</literal>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>firstboot.timezone</varname></term>
        <listitem>
          <para>The system timezone to set (e.g. <literal>Europe/Berlin</literal>).  Read by
          <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
          and only honoured if no system timezone has been configured before.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>login.issue</varname></term>
        <listitem>
          <para>The data of this credential is written to
          <filename>/etc/issue.d/50-provision.conf</filename>, if the file doesn't exist yet.
          <citerefentry project='man-pages'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>
          reads this file and shows its contents at the login prompt of terminal logins. See
          <citerefentry project='man-pages'><refentrytitle>issue</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details.</para>

          <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
          <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>login.motd</varname></term>
        <listitem>
          <para>The data of this credential is written to <filename>/etc/motd.d/50-provision.conf</filename>,
          if the file doesn't exist yet.
          <citerefentry project='man-pages'><refentrytitle>pam_motd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
          reads this file and shows its contents as "message of the day" during terminal logins. See
          <citerefentry project='man-pages'><refentrytitle>motd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details.</para>

          <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
          <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>network.hosts</varname></term>
        <listitem>
          <para>The data of this credential is written to <filename>/etc/hosts</filename>, if the file
          doesn't exist yet. See
          <citerefentry project='man-pages'><refentrytitle>hosts</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details.</para>

          <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
          <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>network.dns</varname></term>
        <term><varname>network.search_domains</varname></term>
        <listitem>
          <para>DNS server information and search domains. Read by
          <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>passwd.hashed-password.root</varname></term>
        <term><varname>passwd.plaintext-password.root</varname></term>
        <listitem>
          <para>May contain the password (either in UNIX hashed format, or in plaintext) for the root users.
          Read by both
          <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
          and
          <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
          and only honoured if no root password has been configured before.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>passwd.shell.root</varname></term>
        <listitem>
          <para>The path to the shell program (e.g. <literal>/bin/bash</literal>) for the root user.  Read by
          both
          <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
          and
          <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
          and only honoured if no root shell has been configured before.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ssh.authorized_keys.root</varname></term>
        <listitem>
          <para>The data of this credential is written to <filename>/root/.ssh/authorized_keys</filename>, if
          the file doesn't exist yet. This allows provisioning SSH access for the system's root user.</para>

          <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
          <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>sysusers.extra</varname></term>
        <listitem>
          <para>Additional
          <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          lines to process during boot.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>sysctl.extra</varname></term>
        <listitem>
          <para>Additional
          <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> lines
          to process during boot.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>tmpfiles.extra</varname></term>
        <listitem>
          <para>Additional
          <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          lines to process during boot.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>fstab.extra</varname></term>

        <listitem>
          <para>Additional mounts to establish at boot. For details, see
          <citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>vconsole.keymap</varname></term>
        <term><varname>vconsole.keymap_toggle</varname></term>
        <term><varname>vconsole.font</varname></term>
        <term><varname>vconsole.font_map</varname></term>
        <term><varname>vconsole.font_unimap</varname></term>
        <listitem>
          <para>Console settings to apply, see
          <citerefentry><refentrytitle>systemd-vconsole-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>getty.ttys.serial</varname></term>
        <term><varname>getty.ttys.container</varname></term>

        <listitem><para>Used for spawning additional login prompts, see
        <citerefentry><refentrytitle>systemd-getty-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>vmm.notify_socket</varname></term>
        <listitem>
          <para>Configures an
          <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
          compatible <constant>AF_VSOCK</constant> socket the service manager will report status information,
          ready notification and exit status on. For details see
          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>system.machine_id</varname></term>
        <listitem>
          <para>Takes a 128bit ID to initialize the machine ID from (if it is not set yet). Interpreted by
          the service manager (PID 1). For details see
          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
      <title>See Also</title>
      <para>
        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
        <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
        <citerefentry><refentrytitle>smbios-type-11</refentrytitle><manvolnum>7</manvolnum></citerefentry>
      </para>
  </refsect1>

</refentry>
Commit	Line	Data
0bbc5a56 LP	1	<?xml version='1.0'?> <!---nxml--->
	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
	4	<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
	5
4623eecb	6	<refentry id="systemd.system-credentials" xmlns:xi="http://www.w3.org/2001/XInclude">
0bbc5a56 LP	7
	8	<refentryinfo>
	9	<title>systemd.system-credentials</title>
	10	<productname>systemd</productname>
	11	</refentryinfo>
	12
	13	<refmeta>
	14	<refentrytitle>systemd.system-credentials</refentrytitle>
	15	<manvolnum>7</manvolnum>
	16	</refmeta>
	17
	18	<refnamediv>
	19	<refname>systemd.system-credentials</refname>
	20	<refpurpose>System Credentials</refpurpose>
	21	</refnamediv>
	22
	23	<refsect1>
	24	<title>Description</title>
	25
	26	<para><ulink url="https://systemd.io/CREDENTIALS">System and Service Credentials</ulink> are data objects
	27	that may be passed into booted systems or system services as they are invoked. They can be acquired from
	28	various external sources, and propagated into the system and from there into system services. Credentials
	29	may optionally be encrypted with a machine-specific key and/or locked to the local TPM2 device, and are
	30	only decrypted when the consuming service is invoked.</para>
	31
	32	<para>System credentials may be used to provision and configure various aspects of the system. Depending
	33	on the consuming component credentials are only used on initial invocations or are needed for all
	34	invocations.</para>
	35
	36	<para>Credentials may be used for any kind of data, binary or text, and may carry passwords, secrets,
	37	certificates, cryptographic key material, identity information, configuration, and more.</para>
	38	</refsect1>
	39
	40	<refsect1>
	41	<title>Well known system credentials</title>
	42
8914f7e8	43	<variablelist class='system-credentials'>
0bbc5a56 LP	44	<varlistentry>
	45	<term><varname>firstboot.keymap</varname></term>
	46	<listitem>
	47	<para>The console key mapping to set (e.g. <literal>de</literal>). Read by
	48	<citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	49	and only honoured if no console keymap has been configured before.</para>
	50	</listitem>
	51	</varlistentry>
	52
	53	<varlistentry>
	54	<term><varname>firstboot.locale</varname></term>
8914f7e8	55	<term><varname>firstboot.locale-messages</varname></term>
0bbc5a56 LP	56	<listitem>
	57	<para>The system locale to set (e.g. <literal>de_DE.UTF-8</literal>). Read by
	58	<citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	59	and only honoured if no locale has been configured before. <varname>firstboot.locale</varname> sets
	60	<literal>LANG</literal>, while <varname>firstboot.locale-message</varname> sets
	61	<literal>LC_MESSAGES</literal>.</para>
	62	</listitem>
	63	</varlistentry>
	64
	65	<varlistentry>
	66	<term><varname>firstboot.timezone</varname></term>
	67	<listitem>
	68	<para>The system timezone to set (e.g. <literal>Europe/Berlin</literal>). Read by
	69	<citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	70	and only honoured if no system timezone has been configured before.</para>
	71	</listitem>
	72	</varlistentry>
	73
	74	<varlistentry>
	75	<term><varname>login.issue</varname></term>
	76	<listitem>
	77	<para>The data of this credential is written to
f37f0f35 ZJS	78	<filename>/etc/issue.d/50-provision.conf</filename>, if the file doesn't exist yet.
	79	<citerefentry project='man-pages'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	80	reads this file and shows its contents at the login prompt of terminal logins. See
	81	<citerefentry project='man-pages'><refentrytitle>issue</refentrytitle><manvolnum>5</manvolnum></citerefentry>
	82	for details.</para>
0bbc5a56 LP	83
	84	<para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
	85	<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
	86	</listitem>
	87	</varlistentry>
	88
	89	<varlistentry>
	90	<term><varname>login.motd</varname></term>
	91	<listitem>
	92	<para>The data of this credential is written to <filename>/etc/motd.d/50-provision.conf</filename>,
f37f0f35 ZJS	93	if the file doesn't exist yet.
f37f0f35 ZJS	94	<citerefentry project='man-pages'><refentrytitle>pam_motd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
0bbc5a56	95	reads this file and shows its contents as "message of the day" during terminal logins. See
f37f0f35 ZJS	96	<citerefentry project='man-pages'><refentrytitle>motd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
f37f0f35 ZJS	97	for details.</para>
0bbc5a56 LP	98
	99	<para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
	100	<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
	101	</listitem>
	102	</varlistentry>
	103
	104	<varlistentry>
	105	<term><varname>network.hosts</varname></term>
	106	<listitem>
	107	<para>The data of this credential is written to <filename>/etc/hosts</filename>, if the file
f37f0f35 ZJS	108	doesn't exist yet. See
	109	<citerefentry project='man-pages'><refentrytitle>hosts</refentrytitle><manvolnum>5</manvolnum></citerefentry>
	110	for details.</para>
0bbc5a56 LP	111
	112	<para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
	113	<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
	114	</listitem>
	115	</varlistentry>
	116
116687f2 LP	117	<varlistentry>
	118	<term><varname>network.dns</varname></term>
	119	<term><varname>network.search_domains</varname></term>
	120	<listitem>
	121	<para>DNS server information and search domains. Read by
	122	<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
	123	</listitem>
	124	</varlistentry>
	125
0bbc5a56 LP	126	<varlistentry>
	127	<term><varname>passwd.hashed-password.root</varname></term>
	128	<term><varname>passwd.plaintext-password.root</varname></term>
	129	<listitem>
	130	<para>May contain the password (either in UNIX hashed format, or in plaintext) for the root users.
	131	Read by both
	132	<citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	133	and
	134	<citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	135	and only honoured if no root password has been configured before.</para>
	136	</listitem>
	137	</varlistentry>
	138
	139	<varlistentry>
	140	<term><varname>passwd.shell.root</varname></term>
	141	<listitem>
	142	<para>The path to the shell program (e.g. <literal>/bin/bash</literal>) for the root user. Read by
	143	both
	144	<citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	145	and
	146	<citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	147	and only honoured if no root shell has been configured before.</para>
	148	</listitem>
	149	</varlistentry>
	150
	151	<varlistentry>
	152	<term><varname>ssh.authorized_keys.root</varname></term>
	153	<listitem>
	154	<para>The data of this credential is written to <filename>/root/.ssh/authorized_keys</filename>, if
	155	the file doesn't exist yet. This allows provisioning SSH access for the system's root user.</para>
	156
	157	<para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
	158	<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
	159	</listitem>
	160	</varlistentry>
	161
	162	<varlistentry>
	163	<term><varname>sysusers.extra</varname></term>
	164	<listitem>
	165	<para>Additional
	166	<citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
	167	lines to process during boot.</para>
	168	</listitem>
	169	</varlistentry>
	170
	171	<varlistentry>
	172	<term><varname>sysctl.extra</varname></term>
	173	<listitem>
	174	<para>Additional
	175	<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> lines
	176	to process during boot.</para>
	177	</listitem>
	178	</varlistentry>
	179
	180	<varlistentry>
	181	<term><varname>tmpfiles.extra</varname></term>
	182	<listitem>
	183	<para>Additional
	184	<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
	185	lines to process during boot.</para>
	186	</listitem>
	187	</varlistentry>
	188
6ac62485 LP	189	<varlistentry>
	190	<term><varname>fstab.extra</varname></term>
	191
	192	<listitem>
	193	<para>Additional mounts to establish at boot. For details, see
	194	<citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
	195	</listitem>
	196	</varlistentry>
	197
ea575e17 LP	198	<varlistentry>
	199	<term><varname>vconsole.keymap</varname></term>
	200	<term><varname>vconsole.keymap_toggle</varname></term>
	201	<term><varname>vconsole.font</varname></term>
	202	<term><varname>vconsole.font_map</varname></term>
	203	<term><varname>vconsole.font_unimap</varname></term>
	204	<listitem>
	205	<para>Console settings to apply, see
	206	<citerefentry><refentrytitle>systemd-vconsole-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para>
	207	</listitem>
	208	</varlistentry>
	209
cdd133b3 LP	210	<varlistentry>
	211	<term><varname>getty.ttys.serial</varname></term>
	212	<term><varname>getty.ttys.container</varname></term>
	213
	214	<listitem><para>Used for spawning additional login prompts, see
	215	<citerefentry><refentrytitle>systemd-getty-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para></listitem>
	216	</varlistentry>
	217
4a91ace5 LB	218	<varlistentry>
	219	<term><varname>vmm.notify_socket</varname></term>
	220	<listitem>
452cfd98 LP	221	<para>Configures an
	222	<citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
	223	compatible <constant>AF_VSOCK</constant> socket the service manager will report status information,
	224	ready notification and exit status on. For details see
	225	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
4a91ace5 LB	226	</listitem>
4a91ace5 LB	227	</varlistentry>
deb0d489 LP	228
	229	<varlistentry>
	230	<term><varname>system.machine_id</varname></term>
	231	<listitem>
	232	<para>Takes a 128bit ID to initialize the machine ID from (if it is not set yet). Interpreted by
	233	the service manager (PID 1). For details see
	234	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
	235	</listitem>
	236	</varlistentry>
0bbc5a56 LP	237	</variablelist>
	238	</refsect1>
	239
	240	<refsect1>
	241	<title>See Also</title>
	242	<para>
	243	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
eb99c459 LP	244	<citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
eb99c459 LP	245	<citerefentry><refentrytitle>smbios-type-11</refentrytitle><manvolnum>7</manvolnum></citerefentry>
0bbc5a56 LP	246	</para>
	247	</refsect1>
	248
	249	</refentry>