]> git.ipfire.org Git - thirdparty/systemd.git/blob - man/systemd.system-credentials.xml
projects / thirdparty / systemd.git / blob
? search:


b473a580a6794dfa027878bcd24d99a246b12f2d
[thirdparty/systemd.git] / man / systemd.system-credentials.xml
1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
5
6 <refentry id="systemd.system-credentials">
7
8 <refentryinfo>
9 <title>systemd.system-credentials</title>
10 <productname>systemd</productname>
11 </refentryinfo>
12
13 <refmeta>
14 <refentrytitle>systemd.system-credentials</refentrytitle>
15 <manvolnum>7</manvolnum>
16 </refmeta>
17
18 <refnamediv>
19 <refname>systemd.system-credentials</refname>
20 <refpurpose>System Credentials</refpurpose>
21 </refnamediv>
22
23 <refsect1>
24 <title>Description</title>
25
26 <para><ulink url="https://systemd.io/CREDENTIALS">System and Service Credentials</ulink> are data objects
27 that may be passed into booted systems or system services as they are invoked. They can be acquired from
28 various external sources, and propagated into the system and from there into system services. Credentials
29 may optionally be encrypted with a machine-specific key and/or locked to the local TPM2 device, and are
30 only decrypted when the consuming service is invoked.</para>
31
32 <para>System credentials may be used to provision and configure various aspects of the system. Depending
33 on the consuming component credentials are only used on initial invocations or are needed for all
34 invocations.</para>
35
36 <para>Credentials may be used for any kind of data, binary or text, and may carry passwords, secrets,
37 certificates, cryptographic key material, identity information, configuration, and more.</para>
38 </refsect1>
39
40 <refsect1>
41 <title>Well known system credentials</title>
42
43 <variablelist>
44 <varlistentry>
45 <term><varname>firstboot.keymap</varname></term>
46 <listitem>
47 <para>The console key mapping to set (e.g. <literal>de</literal>). Read by
48 <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
49 and only honoured if no console keymap has been configured before.</para>
50 </listitem>
51 </varlistentry>
52
53 <varlistentry>
54 <term><varname>firstboot.locale</varname></term>
55 <term><varname>firstboot.locale-message</varname></term>
56 <listitem>
57 <para>The system locale to set (e.g. <literal>de_DE.UTF-8</literal>). Read by
58 <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
59 and only honoured if no locale has been configured before. <varname>firstboot.locale</varname> sets
60 <literal>LANG</literal>, while <varname>firstboot.locale-message</varname> sets
61 <literal>LC_MESSAGES</literal>.</para>
62 </listitem>
63 </varlistentry>
64
65 <varlistentry>
66 <term><varname>firstboot.timezone</varname></term>
67 <listitem>
68 <para>The system timezone to set (e.g. <literal>Europe/Berlin</literal>). Read by
69 <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
70 and only honoured if no system timezone has been configured before.</para>
71 </listitem>
72 </varlistentry>
73
74 <varlistentry>
75 <term><varname>login.issue</varname></term>
76 <listitem>
77 <para>The data of this credential is written to
78 <filename>/etc/issue.d/50-provision.conf</filename>, if the file doesn't exist yet.
79 <citerefentry project='man-pages'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>
80 reads this file and shows its contents at the login prompt of terminal logins. See
81 <citerefentry project='man-pages'><refentrytitle>issue</refentrytitle><manvolnum>5</manvolnum></citerefentry>
82 for details.</para>
83
84 <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
85 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
86 </listitem>
87 </varlistentry>
88
89 <varlistentry>
90 <term><varname>login.motd</varname></term>
91 <listitem>
92 <para>The data of this credential is written to <filename>/etc/motd.d/50-provision.conf</filename>,
93 if the file doesn't exist yet.
94 <citerefentry project='man-pages'><refentrytitle>pam_motd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
95 reads this file and shows its contents as "message of the day" during terminal logins. See
96 <citerefentry project='man-pages'><refentrytitle>motd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
97 for details.</para>
98
99 <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
100 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
101 </listitem>
102 </varlistentry>
103
104 <varlistentry>
105 <term><varname>network.hosts</varname></term>
106 <listitem>
107 <para>The data of this credential is written to <filename>/etc/hosts</filename>, if the file
108 doesn't exist yet. See
109 <citerefentry project='man-pages'><refentrytitle>hosts</refentrytitle><manvolnum>5</manvolnum></citerefentry>
110 for details.</para>
111
112 <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
113 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
114 </listitem>
115 </varlistentry>
116
117 <varlistentry>
118 <term><varname>network.dns</varname></term>
119 <term><varname>network.search_domains</varname></term>
120 <listitem>
121 <para>DNS server information and search domains. Read by
122 <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
123 </listitem>
124 </varlistentry>
125
126 <varlistentry>
127 <term><varname>passwd.hashed-password.root</varname></term>
128 <term><varname>passwd.plaintext-password.root</varname></term>
129 <listitem>
130 <para>May contain the password (either in UNIX hashed format, or in plaintext) for the root users.
131 Read by both
132 <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
133 and
134 <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
135 and only honoured if no root password has been configured before.</para>
136 </listitem>
137 </varlistentry>
138
139 <varlistentry>
140 <term><varname>passwd.shell.root</varname></term>
141 <listitem>
142 <para>The path to the shell program (e.g. <literal>/bin/bash</literal>) for the root user. Read by
143 both
144 <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
145 and
146 <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
147 and only honoured if no root shell has been configured before.</para>
148 </listitem>
149 </varlistentry>
150
151 <varlistentry>
152 <term><varname>ssh.authorized_keys.root</varname></term>
153 <listitem>
154 <para>The data of this credential is written to <filename>/root/.ssh/authorized_keys</filename>, if
155 the file doesn't exist yet. This allows provisioning SSH access for the system's root user.</para>
156
157 <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
158 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
159 </listitem>
160 </varlistentry>
161
162 <varlistentry>
163 <term><varname>sysusers.extra</varname></term>
164 <listitem>
165 <para>Additional
166 <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
167 lines to process during boot.</para>
168 </listitem>
169 </varlistentry>
170
171 <varlistentry>
172 <term><varname>sysctl.extra</varname></term>
173 <listitem>
174 <para>Additional
175 <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> lines
176 to process during boot.</para>
177 </listitem>
178 </varlistentry>
179
180 <varlistentry>
181 <term><varname>tmpfiles.extra</varname></term>
182 <listitem>
183 <para>Additional
184 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
185 lines to process during boot.</para>
186 </listitem>
187 </varlistentry>
188
189 <varlistentry>
190 <term><varname>vconsole.keymap</varname></term>
191 <term><varname>vconsole.keymap_toggle</varname></term>
192 <term><varname>vconsole.font</varname></term>
193 <term><varname>vconsole.font_map</varname></term>
194 <term><varname>vconsole.font_unimap</varname></term>
195 <listitem>
196 <para>Console settings to apply, see
197 <citerefentry><refentrytitle>systemd-vconsole-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para>
198 </listitem>
199 </varlistentry>
200
201 <varlistentry>
202 <term><varname>vmm.notify_socket</varname></term>
203 <listitem>
204 <para>This credential is parsed looking for an <constant>AF_VSOCK</constant> or
205 <constant>AF_UNIX</constant> address where to send a <constant>READY=1</constant>
206 notification datagram when the system has finished booting. See:
207 <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
208 This is useful for hypervisors/VMMs or other processes on the host
209 to receive a notification via VSOCK when a virtual machine has finished booting.
210 Note that in case the hypervisor does not support <constant>SOCK_DGRAM</constant>
211 over <constant>AF_VSOCK</constant>, <constant>SOCK_SEQPACKET</constant> will be
212 tried instead. The credential payload for <constant>AF_VSOCK</constant> should be
213 in the form: <literal>vsock:CID:PORT</literal>.</para>
214 </listitem>
215 </varlistentry>
216
217 </variablelist>
218 </refsect1>
219
220 <refsect1>
221 <title>See Also</title>
222 <para>
223 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
224 <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>
225 </para>
226 </refsect1>
227
228 </refentry>
Unnamed repository; edit this file 'description' to name the repository.