| <?xml version='1.0'?> <!--*-nxml-*--> |
| <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
| "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
| <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> |
| |
| <refentry id="systemd.system-credentials"> |
| |
| <refentryinfo> |
| <title>systemd.system-credentials</title> |
| <productname>systemd</productname> |
| </refentryinfo> |
| |
| <refmeta> |
| <refentrytitle>systemd.system-credentials</refentrytitle> |
| <manvolnum>7</manvolnum> |
| </refmeta> |
| |
| <refnamediv> |
| <refname>systemd.system-credentials</refname> |
| <refpurpose>System Credentials</refpurpose> |
| </refnamediv> |
| |
| <refsect1> |
| <title>Description</title> |
| |
| <para><ulink url="https://systemd.io/CREDENTIALS">System and Service Credentials</ulink> are data objects |
| that may be passed into booted systems or system services as they are invoked. They can be acquired from |
| various external sources, and propagated into the system and from there into system services. Credentials |
| may optionally be encrypted with a machine-specific key and/or locked to the local TPM2 device, and are |
| only decrypted when the consuming service is invoked.</para> |
| |
| <para>System credentials may be used to provision and configure various aspects of the system. Depending |
| on the consuming component credentials are only used on initial invocations or are needed for all |
| invocations.</para> |
| |
| <para>Credentials may be used for any kind of data, binary or text, and may carry passwords, secrets, |
| certificates, cryptographic key material, identity information, configuration, and more.</para> |
| </refsect1> |
| |
| <refsect1> |
| <title>Well known system credentials</title> |
| |
| <variablelist> |
| <varlistentry> |
| <term><varname>firstboot.keymap</varname></term> |
| <listitem> |
| <para>The console key mapping to set (e.g. <literal>de</literal>). Read by |
| <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| and only honoured if no console keymap has been configured before.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>firstboot.locale</varname></term> |
| <term><varname>firstboot.locale-message</varname></term> |
| <listitem> |
| <para>The system locale to set (e.g. <literal>de_DE.UTF-8</literal>). Read by |
| <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| and only honoured if no locale has been configured before. <varname>firstboot.locale</varname> sets |
| <literal>LANG</literal>, while <varname>firstboot.locale-message</varname> sets |
| <literal>LC_MESSAGES</literal>.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>firstboot.timezone</varname></term> |
| <listitem> |
| <para>The system timezone to set (e.g. <literal>Europe/Berlin</literal>). Read by |
| <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| and only honoured if no system timezone has been configured before.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>login.issue</varname></term> |
| <listitem> |
| <para>The data of this credential is written to |
| <filename>/etc/issue.d/50-provision.conf</filename>, if the file doesn't exist yet. |
| <citerefentry project='man-pages'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| reads this file and shows its contents at the login prompt of terminal logins. See |
| <citerefentry project='man-pages'><refentrytitle>issue</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| for details.</para> |
| |
| <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see |
| <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>login.motd</varname></term> |
| <listitem> |
| <para>The data of this credential is written to <filename>/etc/motd.d/50-provision.conf</filename>, |
| if the file doesn't exist yet. |
| <citerefentry project='man-pages'><refentrytitle>pam_motd</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| reads this file and shows its contents as "message of the day" during terminal logins. See |
| <citerefentry project='man-pages'><refentrytitle>motd</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| for details.</para> |
| |
| <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see |
| <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>network.hosts</varname></term> |
| <listitem> |
| <para>The data of this credential is written to <filename>/etc/hosts</filename>, if the file |
| doesn't exist yet. See |
| <citerefentry project='man-pages'><refentrytitle>hosts</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| for details.</para> |
| |
| <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see |
| <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>network.dns</varname></term> |
| <term><varname>network.search_domains</varname></term> |
| <listitem> |
| <para>DNS server information and search domains. Read by |
| <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>passwd.hashed-password.root</varname></term> |
| <term><varname>passwd.plaintext-password.root</varname></term> |
| <listitem> |
| <para>May contain the password (either in UNIX hashed format, or in plaintext) for the root users. |
| Read by both |
| <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
| and |
| <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| and only honoured if no root password has been configured before.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>passwd.shell.root</varname></term> |
| <listitem> |
| <para>The path to the shell program (e.g. <literal>/bin/bash</literal>) for the root user. Read by |
| both |
| <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
| and |
| <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| and only honoured if no root shell has been configured before.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>ssh.authorized_keys.root</varname></term> |
| <listitem> |
| <para>The data of this credential is written to <filename>/root/.ssh/authorized_keys</filename>, if |
| the file doesn't exist yet. This allows provisioning SSH access for the system's root user.</para> |
| |
| <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see |
| <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>sysusers.extra</varname></term> |
| <listitem> |
| <para>Additional |
| <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| lines to process during boot.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>sysctl.extra</varname></term> |
| <listitem> |
| <para>Additional |
| <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> lines |
| to process during boot.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>tmpfiles.extra</varname></term> |
| <listitem> |
| <para>Additional |
| <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| lines to process during boot.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>vconsole.keymap</varname></term> |
| <term><varname>vconsole.keymap_toggle</varname></term> |
| <term><varname>vconsole.font</varname></term> |
| <term><varname>vconsole.font_map</varname></term> |
| <term><varname>vconsole.font_unimap</varname></term> |
| <listitem> |
| <para>Console settings to apply, see |
| <citerefentry><refentrytitle>systemd-vconsole-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para> |
| </listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>vmm.notify_socket</varname></term> |
| <listitem> |
| <para>This credential is parsed looking for an <constant>AF_VSOCK</constant> or |
| <constant>AF_UNIX</constant> address where to send a <constant>READY=1</constant> |
| notification datagram when the system has finished booting. See: |
| <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry> |
| This is useful for hypervisors/VMMs or other processes on the host |
| to receive a notification via VSOCK when a virtual machine has finished booting. |
| Note that in case the hypervisor does not support <constant>SOCK_DGRAM</constant> |
| over <constant>AF_VSOCK</constant>, <constant>SOCK_SEQPACKET</constant> will be |
| tried instead. The credential payload for <constant>AF_VSOCK</constant> should be |
| in the form: <literal>vsock:CID:PORT</literal>.</para> |
| </listitem> |
| </varlistentry> |
| |
| </variablelist> |
| </refsect1> |
| |
| <refsect1> |
| <title>See Also</title> |
| <para> |
| <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
| </para> |
| </refsect1> |
| |
| </refentry> |