mirror of
https://github.com/systemd/systemd.git
synced 2024-12-04 15:53:41 +08:00
462 lines
21 KiB
XML
462 lines
21 KiB
XML
<?xml version='1.0'?> <!--*-nxml-*-->
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
|
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
|
|
|
|
<refentry id="systemd.system-credentials" xmlns:xi="http://www.w3.org/2001/XInclude">
|
|
|
|
<refentryinfo>
|
|
<title>systemd.system-credentials</title>
|
|
<productname>systemd</productname>
|
|
</refentryinfo>
|
|
|
|
<refmeta>
|
|
<refentrytitle>systemd.system-credentials</refentrytitle>
|
|
<manvolnum>7</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>systemd.system-credentials</refname>
|
|
<refpurpose>System Credentials</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para><ulink url="https://systemd.io/CREDENTIALS">System and Service Credentials</ulink> are data objects
|
|
that may be passed into booted systems or system services as they are invoked. They can be acquired from
|
|
various external sources, and propagated into the system and from there into system services. Credentials
|
|
may optionally be encrypted with a machine-specific key and/or locked to the local TPM2 device, and are
|
|
only decrypted when the consuming service is invoked.</para>
|
|
|
|
<para>System credentials may be used to provision and configure various aspects of the system. Depending
|
|
on the consuming component credentials are only used on initial invocations or are needed for all
|
|
invocations.</para>
|
|
|
|
<para>Credentials may be used for any kind of data, binary or text, and may carry passwords, secrets,
|
|
certificates, cryptographic key material, identity information, configuration, and more.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Well known system credentials</title>
|
|
|
|
<variablelist class='system-credentials'>
|
|
<varlistentry>
|
|
<term><varname>firstboot.keymap</varname></term>
|
|
<listitem>
|
|
<para>The console key mapping to set (e.g. <literal>de</literal>). Read by
|
|
<citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
and only honoured if no console keymap has been configured before.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>firstboot.locale</varname></term>
|
|
<term><varname>firstboot.locale-messages</varname></term>
|
|
<listitem>
|
|
<para>The system locale to set (e.g. <literal>de_DE.UTF-8</literal>). Read by
|
|
<citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
and only honoured if no locale has been configured before. <varname>firstboot.locale</varname> sets
|
|
<literal>LANG</literal>, while <varname>firstboot.locale-message</varname> sets
|
|
<literal>LC_MESSAGES</literal>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>firstboot.timezone</varname></term>
|
|
<listitem>
|
|
<para>The system timezone to set (e.g. <literal>Europe/Berlin</literal>). Read by
|
|
<citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
and only honoured if no system timezone has been configured before.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>login.issue</varname></term>
|
|
<listitem>
|
|
<para>The data of this credential is written to
|
|
<filename>/etc/issue.d/50-provision.conf</filename>, if the file doesn't exist yet.
|
|
<citerefentry project='man-pages'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
reads this file and shows its contents at the login prompt of terminal logins. See
|
|
<citerefentry project='man-pages'><refentrytitle>issue</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
for details.</para>
|
|
|
|
<para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
|
|
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>login.motd</varname></term>
|
|
<listitem>
|
|
<para>The data of this credential is written to <filename>/etc/motd.d/50-provision.conf</filename>,
|
|
if the file doesn't exist yet.
|
|
<citerefentry project='man-pages'><refentrytitle>pam_motd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
reads this file and shows its contents as "message of the day" during terminal logins. See
|
|
<citerefentry project='man-pages'><refentrytitle>motd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
for details.</para>
|
|
|
|
<para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
|
|
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>network.hosts</varname></term>
|
|
<listitem>
|
|
<para>The data of this credential is written to <filename>/etc/hosts</filename>, if the file
|
|
doesn't exist yet. See
|
|
<citerefentry project='man-pages'><refentrytitle>hosts</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
for details.</para>
|
|
|
|
<para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
|
|
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>network.dns</varname></term>
|
|
<term><varname>network.search_domains</varname></term>
|
|
<listitem>
|
|
<para>DNS server information and search domains. Read by
|
|
<citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v253"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>network.conf.*</varname></term>
|
|
<term><varname>network.link.*</varname></term>
|
|
<term><varname>network.netdev.*</varname></term>
|
|
<term><varname>network.network.*</varname></term>
|
|
<listitem>
|
|
<para>Configures network devices. Read by
|
|
<citerefentry><refentrytitle>systemd-network-generator.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
|
|
These credentials should contain valid
|
|
<citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
configuration data. From each matching credential a separate file is created. Example: the contents
|
|
of a credential <filename>network.link.50-foobar</filename> will be copied into a file
|
|
<filename>50-foobar.link</filename>.</para>
|
|
|
|
<para>Note that the resulting files are created world-readable, it's hence recommended to not include
|
|
secrets in these credentials, but supply them via separate credentials directly to
|
|
<filename>systemd-networkd.service</filename>, e.g. <varname>network.wireguard.*</varname>
|
|
as described below.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v256"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>network.wireguard.*</varname></term>
|
|
<listitem>
|
|
<para>Configures secrets for WireGuard netdevs. Read by
|
|
<citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
|
|
For more information, refer to the <option>[WireGuard]</option> section of
|
|
<citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
|
</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v256"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>passwd.hashed-password.root</varname></term>
|
|
<term><varname>passwd.plaintext-password.root</varname></term>
|
|
<listitem>
|
|
<para>May contain the password (either in UNIX hashed format, or in plaintext) for the root users.
|
|
Read by both
|
|
<citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
|
and
|
|
<citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
and only honoured if no root password has been configured before.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>passwd.shell.root</varname></term>
|
|
<listitem>
|
|
<para>The path to the shell program (e.g. <literal>/bin/bash</literal>) for the root user. Read by
|
|
both
|
|
<citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
|
and
|
|
<citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
and only honoured if no root shell has been configured before.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>ssh.authorized_keys.root</varname></term>
|
|
<listitem>
|
|
<para>The data of this credential is written to <filename>/root/.ssh/authorized_keys</filename>, if
|
|
the file doesn't exist yet. This allows provisioning SSH access for the system's root user.</para>
|
|
|
|
<para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
|
|
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>ssh.listen</varname></term>
|
|
<listitem>
|
|
<para>May be used to configure SSH sockets the system shall be reachable on. See
|
|
<citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
for details.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v256"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>sysusers.extra</varname></term>
|
|
<listitem>
|
|
<para>Additional
|
|
<citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
lines to process during boot.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>sysctl.extra</varname></term>
|
|
<listitem>
|
|
<para>Additional
|
|
<citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> lines
|
|
to process during boot.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>tmpfiles.extra</varname></term>
|
|
<listitem>
|
|
<para>Additional
|
|
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
lines to process during boot.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>fstab.extra</varname></term>
|
|
|
|
<listitem>
|
|
<para>Additional mounts to establish at boot. For details, see
|
|
<citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v254"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>vconsole.keymap</varname></term>
|
|
<term><varname>vconsole.keymap_toggle</varname></term>
|
|
<term><varname>vconsole.font</varname></term>
|
|
<term><varname>vconsole.font_map</varname></term>
|
|
<term><varname>vconsole.font_unimap</varname></term>
|
|
<listitem>
|
|
<para>Console settings to apply, see
|
|
<citerefentry><refentrytitle>systemd-vconsole-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v253"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>getty.ttys.serial</varname></term>
|
|
<term><varname>getty.ttys.container</varname></term>
|
|
|
|
<listitem><para>Used for spawning additional login prompts, see
|
|
<citerefentry><refentrytitle>systemd-getty-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v254"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>journal.forward_to_socket</varname></term>
|
|
<listitem>
|
|
<para>Used by
|
|
<citerefentry><refentrytitle>systemd-journald</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
to determine where to forward log messages for socket forwarding, see
|
|
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v256"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>journal.storage</varname></term>
|
|
<listitem>
|
|
<para>Used by
|
|
<citerefentry><refentrytitle>systemd-journald</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
to determine where to store journal files, see
|
|
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v256"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>vmm.notify_socket</varname></term>
|
|
<listitem>
|
|
<para>Configures an
|
|
<citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
|
compatible <constant>AF_VSOCK</constant> socket the service manager will report status information,
|
|
ready notification and exit status on. For details see
|
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v253"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>shell.prompt.prefix</varname></term>
|
|
<term><varname>shell.prompt.suffix</varname></term>
|
|
<listitem>
|
|
<para>Defines strings to prefix and suffix any interactive UNIX shell prompt with. For details see
|
|
<citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v257"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>shell.welcome</varname></term>
|
|
<listitem>
|
|
<para>Define a string to print when an interactive UNIX shell initializes. For details see
|
|
<citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v257"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>system.machine_id</varname></term>
|
|
<listitem>
|
|
<para>Takes a 128bit ID to initialize the machine ID from (if it is not set yet). Interpreted by
|
|
the service manager (PID 1). For details see
|
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v254"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>system.hostname</varname></term>
|
|
<listitem>
|
|
<para>Accepts a (transient) hostname to configure during early boot. The static hostname specified
|
|
in <filename>/etc/hostname</filename>, if configured, takes precedence over this setting.
|
|
Interpreted by the service manager (PID 1). For details see
|
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v254"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>home.create.*</varname></term>
|
|
<listitem>
|
|
<para>Creates a home area for the specified user with the user record data passed in. For details see
|
|
<citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v256"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>cryptsetup.passphrase</varname></term>
|
|
<term><varname>cryptsetup.tpm2-pin</varname></term>
|
|
<term><varname>cryptsetup.fido2-pin</varname></term>
|
|
<term><varname>cryptsetup.pkcs11-pin</varname></term>
|
|
<term><varname>cryptsetup.luks2-pin</varname></term>
|
|
<listitem>
|
|
<para>Specifies the passphrase/PINs to use for unlock encrypted storage volumes. For details see
|
|
<citerefentry><refentrytitle>systemd-cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v256"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>systemd.extra-unit.*</varname></term>
|
|
<term><varname>systemd.unit-dropin.*</varname></term>
|
|
|
|
<listitem><para>These credentials specify extra units and drop-ins to add to the system. For details
|
|
see <citerefentry><refentrytitle>systemd-debug-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>udev.conf.*</varname></term>
|
|
<term><varname>udev.rules.*</varname></term>
|
|
|
|
<listitem>
|
|
<para>Configures udev configuration file and udev rules. Read by
|
|
<filename>systemd-udev-load-credentials.service</filename>, which invokes
|
|
<command>udevadm control --load-credentials</command>. These credentials directly translate to a
|
|
matching
|
|
<citerefentry><refentrytitle>udev.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> or
|
|
<citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rules
|
|
file. Example: the contents of a credential
|
|
<filename>udev.conf.50-foobar</filename> will be copied into a file
|
|
<filename>/run/udev/udev.conf.d/50-foobar.conf</filename>, and
|
|
<filename>udev.rules.50-foobar</filename> will be copied into a file
|
|
<filename>/run/udev/rules.d/50-foobar.rules</filename>. See
|
|
<citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>udev.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and
|
|
<citerefentry><refentrytitle>udevadm</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
for details.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v256"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>import.pull</varname></term>
|
|
<listitem>
|
|
<para>Specified disk images (tarballs and DDIs) to automatically download and install at boot. For details see
|
|
<citerefentry><refentrytitle>systemd-import-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v257"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See Also</title>
|
|
<para><simplelist type="inline">
|
|
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
|
|
<member><citerefentry><refentrytitle>smbios-type-11</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
|
|
</simplelist></para>
|
|
</refsect1>
|
|
|
|
</refentry>
|