Commit | Line | Data |
---|---|---|
0bbc5a56 LP |
1 | <?xml version='1.0'?> <!--*-nxml-*--> |
2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | |
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
4 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> | |
5 | ||
4623eecb | 6 | <refentry id="systemd.system-credentials" xmlns:xi="http://www.w3.org/2001/XInclude"> |
0bbc5a56 LP |
7 | |
8 | <refentryinfo> | |
9 | <title>systemd.system-credentials</title> | |
10 | <productname>systemd</productname> | |
11 | </refentryinfo> | |
12 | ||
13 | <refmeta> | |
14 | <refentrytitle>systemd.system-credentials</refentrytitle> | |
15 | <manvolnum>7</manvolnum> | |
16 | </refmeta> | |
17 | ||
18 | <refnamediv> | |
19 | <refname>systemd.system-credentials</refname> | |
20 | <refpurpose>System Credentials</refpurpose> | |
21 | </refnamediv> | |
22 | ||
23 | <refsect1> | |
24 | <title>Description</title> | |
25 | ||
26 | <para><ulink url="https://systemd.io/CREDENTIALS">System and Service Credentials</ulink> are data objects | |
27 | that may be passed into booted systems or system services as they are invoked. They can be acquired from | |
28 | various external sources, and propagated into the system and from there into system services. Credentials | |
29 | may optionally be encrypted with a machine-specific key and/or locked to the local TPM2 device, and are | |
30 | only decrypted when the consuming service is invoked.</para> | |
31 | ||
32 | <para>System credentials may be used to provision and configure various aspects of the system. Depending | |
33 | on the consuming component, credentials are either used only on initial invocations or needed for all | |
34 | invocations.</para> | |
35 | ||
36 | <para>Credentials may be used for any kind of data, binary or text, and may carry passwords, secrets, | |
37 | certificates, cryptographic key material, identity information, configuration, and more.</para> | |
38 | </refsect1> | |
39 | ||
40 | <refsect1> | |
41 | <title>Well known system credentials</title> | |
42 | ||
8914f7e8 | 43 | <variablelist class='system-credentials'> |
0bbc5a56 LP |
44 | <varlistentry> |
45 | <term><varname>firstboot.keymap</varname></term> | |
46 | <listitem> | |
47 | <para>The console key mapping to set (e.g. <literal>de</literal>). Read by | |
48 | <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
49 | and only honoured if no console keymap has been configured before.</para> | |
ec07c3c8 AK |
50 | |
51 | <xi:include href="version-info.xml" xpointer="v252"/> | |
0bbc5a56 LP |
52 | </listitem> |
53 | </varlistentry> | |
54 | ||
55 | <varlistentry> | |
56 | <term><varname>firstboot.locale</varname></term> | |
8914f7e8 | 57 | <term><varname>firstboot.locale-messages</varname></term> |
0bbc5a56 LP |
58 | <listitem> |
59 | <para>The system locale to set (e.g. <literal>de_DE.UTF-8</literal>). Read by | |
60 | <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
61 | and only honoured if no locale has been configured before. <varname>firstboot.locale</varname> sets | |
62 | <literal>LANG</literal>, while <varname>firstboot.locale-messages</varname> sets | |
63 | <literal>LC_MESSAGES</literal>.</para> | |
aefdc112 AK |
64 | |
65 | <xi:include href="version-info.xml" xpointer="v252"/> | |
0bbc5a56 LP |
66 | </listitem> |
67 | </varlistentry> | |
68 | ||
69 | <varlistentry> | |
70 | <term><varname>firstboot.timezone</varname></term> | |
71 | <listitem> | |
72 | <para>The system timezone to set (e.g. <literal>Europe/Berlin</literal>). Read by | |
73 | <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
74 | and only honoured if no system timezone has been configured before.</para> | |
ec07c3c8 AK |
75 | |
76 | <xi:include href="version-info.xml" xpointer="v252"/> | |
0bbc5a56 LP |
77 | </listitem> |
78 | </varlistentry> | |
79 | ||
80 | <varlistentry> | |
81 | <term><varname>login.issue</varname></term> | |
82 | <listitem> | |
83 | <para>The data of this credential is written to | |
f37f0f35 ZJS |
84 | <filename>/etc/issue.d/50-provision.conf</filename>, if the file doesn't exist yet. |
85 | <citerefentry project='man-pages'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
86 | reads this file and shows its contents at the login prompt of terminal logins. See | |
87 | <citerefentry project='man-pages'><refentrytitle>issue</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
88 | for details.</para> | |
0bbc5a56 LP |
89 | |
90 | <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see | |
91 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
ec07c3c8 AK |
92 | |
93 | <xi:include href="version-info.xml" xpointer="v252"/> | |
0bbc5a56 LP |
94 | </listitem> |
95 | </varlistentry> | |
96 | ||
97 | <varlistentry> | |
98 | <term><varname>login.motd</varname></term> | |
99 | <listitem> | |
100 | <para>The data of this credential is written to <filename>/etc/motd.d/50-provision.conf</filename>, | |
f37f0f35 ZJS |
101 | if the file doesn't exist yet. |
102 | <citerefentry project='man-pages'><refentrytitle>pam_motd</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
0bbc5a56 | 103 | reads this file and shows its contents as "message of the day" during terminal logins. See |
f37f0f35 ZJS |
104 | <citerefentry project='man-pages'><refentrytitle>motd</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
105 | for details.</para> | |
0bbc5a56 LP |
106 | |
107 | <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see | |
108 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
ec07c3c8 AK |
109 | |
110 | <xi:include href="version-info.xml" xpointer="v252"/> | |
0bbc5a56 LP |
111 | </listitem> |
112 | </varlistentry> | |
113 | ||
114 | <varlistentry> | |
115 | <term><varname>network.hosts</varname></term> | |
116 | <listitem> | |
117 | <para>The data of this credential is written to <filename>/etc/hosts</filename>, if the file | |
f37f0f35 ZJS |
118 | doesn't exist yet. See |
119 | <citerefentry project='man-pages'><refentrytitle>hosts</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
120 | for details.</para> | |
0bbc5a56 LP |
121 | |
122 | <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see | |
123 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
ec07c3c8 AK |
124 | |
125 | <xi:include href="version-info.xml" xpointer="v252"/> | |
0bbc5a56 LP |
126 | </listitem> |
127 | </varlistentry> | |
128 | ||
116687f2 LP |
129 | <varlistentry> |
130 | <term><varname>network.dns</varname></term> | |
131 | <term><varname>network.search_domains</varname></term> | |
132 | <listitem> | |
133 | <para>DNS server information and search domains. Read by | |
134 | <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> | |
ec07c3c8 AK |
135 | |
136 | <xi:include href="version-info.xml" xpointer="v253"/> | |
116687f2 LP |
137 | </listitem> |
138 | </varlistentry> | |
139 | ||
0bbc5a56 LP |
140 | <varlistentry> |
141 | <term><varname>passwd.hashed-password.root</varname></term> | |
142 | <term><varname>passwd.plaintext-password.root</varname></term> | |
143 | <listitem> | |
144 | <para>May contain the password (either in UNIX hashed format, or in plaintext) for the root user. | |
145 | Read by both | |
146 | <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
147 | and | |
148 | <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
149 | and only honoured if no root password has been configured before.</para> | |
ec07c3c8 AK |
150 | |
151 | <xi:include href="version-info.xml" xpointer="v252"/> | |
0bbc5a56 LP |
152 | </listitem> |
153 | </varlistentry> | |
154 | ||
155 | <varlistentry> | |
156 | <term><varname>passwd.shell.root</varname></term> | |
157 | <listitem> | |
158 | <para>The path to the shell program (e.g. <literal>/bin/bash</literal>) for the root user. Read by | |
159 | both | |
160 | <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
161 | and | |
162 | <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
163 | and only honoured if no root shell has been configured before.</para> | |
ec07c3c8 AK |
164 | |
165 | <xi:include href="version-info.xml" xpointer="v252"/> | |
0bbc5a56 LP |
166 | </listitem> |
167 | </varlistentry> | |
168 | ||
169 | <varlistentry> | |
170 | <term><varname>ssh.authorized_keys.root</varname></term> | |
171 | <listitem> | |
172 | <para>The data of this credential is written to <filename>/root/.ssh/authorized_keys</filename>, if | |
173 | the file doesn't exist yet. This allows provisioning SSH access for the system's root user.</para> | |
174 | ||
175 | <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see | |
176 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
ec07c3c8 AK |
177 | |
178 | <xi:include href="version-info.xml" xpointer="v252"/> | |
0bbc5a56 LP |
179 | </listitem> |
180 | </varlistentry> | |
181 | ||
182 | <varlistentry> | |
183 | <term><varname>sysusers.extra</varname></term> | |
184 | <listitem> | |
185 | <para>Additional | |
186 | <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
187 | lines to process during boot.</para> | |
ec07c3c8 AK |
188 | |
189 | <xi:include href="version-info.xml" xpointer="v252"/> | |
0bbc5a56 LP |
190 | </listitem> |
191 | </varlistentry> | |
192 | ||
193 | <varlistentry> | |
194 | <term><varname>sysctl.extra</varname></term> | |
195 | <listitem> | |
196 | <para>Additional | |
197 | <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> lines | |
198 | to process during boot.</para> | |
ec07c3c8 AK |
199 | |
200 | <xi:include href="version-info.xml" xpointer="v252"/> | |
0bbc5a56 LP |
201 | </listitem> |
202 | </varlistentry> | |
203 | ||
204 | <varlistentry> | |
205 | <term><varname>tmpfiles.extra</varname></term> | |
206 | <listitem> | |
207 | <para>Additional | |
208 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
209 | lines to process during boot.</para> | |
ec07c3c8 AK |
210 | |
211 | <xi:include href="version-info.xml" xpointer="v252"/> | |
0bbc5a56 LP |
212 | </listitem> |
213 | </varlistentry> | |
214 | ||
6ac62485 LP |
215 | <varlistentry> |
216 | <term><varname>fstab.extra</varname></term> | |
217 | ||
218 | <listitem> | |
219 | <para>Additional mounts to establish at boot. For details, see | |
220 | <citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> | |
ec07c3c8 AK |
221 | |
222 | <xi:include href="version-info.xml" xpointer="v254"/> | |
6ac62485 LP |
223 | </listitem> |
224 | </varlistentry> | |
225 | ||
ea575e17 LP |
226 | <varlistentry> |
227 | <term><varname>vconsole.keymap</varname></term> | |
228 | <term><varname>vconsole.keymap_toggle</varname></term> | |
229 | <term><varname>vconsole.font</varname></term> | |
230 | <term><varname>vconsole.font_map</varname></term> | |
231 | <term><varname>vconsole.font_unimap</varname></term> | |
232 | <listitem> | |
233 | <para>Console settings to apply, see | |
234 | <citerefentry><refentrytitle>systemd-vconsole-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para> | |
ec07c3c8 AK |
235 | |
236 | <xi:include href="version-info.xml" xpointer="v253"/> | |
ea575e17 LP |
237 | </listitem> |
238 | </varlistentry> | |
239 | ||
cdd133b3 LP |
240 | <varlistentry> |
241 | <term><varname>getty.ttys.serial</varname></term> | |
242 | <term><varname>getty.ttys.container</varname></term> | |
243 | ||
244 | <listitem><para>Used for spawning additional login prompts, see | |
ec07c3c8 AK |
245 | <citerefentry><refentrytitle>systemd-getty-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para> |
246 | ||
247 | <xi:include href="version-info.xml" xpointer="v254"/></listitem> | |
cdd133b3 LP |
248 | </varlistentry> |
249 | ||
4a91ace5 LB |
250 | <varlistentry> |
251 | <term><varname>vmm.notify_socket</varname></term> | |
252 | <listitem> | |
452cfd98 LP |
253 | <para>Configures an |
254 | <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry> | |
255 | compatible <constant>AF_VSOCK</constant> socket the service manager will report status information, | |
256 | ready notification and exit status on. For details see | |
257 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para> | |
ec07c3c8 AK |
258 | |
259 | <xi:include href="version-info.xml" xpointer="v253"/> | |
4a91ace5 LB |
260 | </listitem> |
261 | </varlistentry> | |
deb0d489 LP |
262 | |
263 | <varlistentry> | |
264 | <term><varname>system.machine_id</varname></term> | |
265 | <listitem> | |
266 | <para>Takes a 128-bit ID to initialize the machine ID from (if it is not set yet). Interpreted by | |
267 | the service manager (PID 1). For details see | |
268 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para> | |
ec07c3c8 AK |
269 | |
270 | <xi:include href="version-info.xml" xpointer="v254"/> | |
deb0d489 LP |
271 | </listitem> |
272 | </varlistentry> | |
0bbc5a56 LP |
273 | </variablelist> |
274 | </refsect1> | |
275 | ||
276 | <refsect1> | |
277 | <title>See Also</title> | |
278 | <para> | |
279 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
eb99c459 LP |
280 | <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
281 | <citerefentry><refentrytitle>smbios-type-11</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
0bbc5a56 LP |
282 | </para> |
283 | </refsect1> | |
284 | ||
285 | </refentry> |