<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->

<refentry id="systemd-homed.service" conditional='ENABLE_HOMED'>

<refentryinfo>
<title>systemd-homed.service</title>
<productname>systemd</productname>
</refentryinfo>

<refmeta>
<refentrytitle>systemd-homed.service</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>

<refnamediv>
<refname>systemd-homed.service</refname>
<refname>systemd-homed</refname>
<refpurpose>Home Area/User Account Manager</refpurpose>
</refnamediv>

<refsynopsisdiv>
<para><filename>systemd-homed.service</filename></para>
<para><filename>/usr/lib/systemd/systemd-homed</filename></para>
</refsynopsisdiv>

<refsect1>
<title>Description</title>

<para><command>systemd-homed</command> is a system service that may be used to create, remove, change or
inspect home areas (directories and network mounts and real or loopback block devices with a filesystem,
optionally encrypted).</para>

<para>Most of <command>systemd-homed</command>'s functionality is accessible through the
<citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> command.</para>

<para>See the <ulink url="https://systemd.io/HOME_DIRECTORY">Home Directories</ulink> documentation for
details about the format and design of home areas managed by
<filename>systemd-homed.service</filename>.</para>

<para>Each home directory managed by <filename>systemd-homed.service</filename> synthesizes a local user
and group. These are made available to the system using the <ulink
url="https://systemd.io/USER_GROUP_API">User/Group Record Lookup API via Varlink</ulink>, and thus may be
browsed with
<citerefentry><refentrytitle>userdbctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
</refsect1>

<refsect1>
<title>Key Management</title>

<para>User records are cryptographically signed with a public/private key pair (the signature is part of
the JSON record itself). For a user to be permitted to log in locally the public key matching the
signature of their user record must be installed. For a user record to be modified locally the private
key matching the signature must be installed locally, too. The keys are stored in the
<filename>/var/lib/systemd/home/</filename> directory:</para>

<variablelist>

<varlistentry>
<term><filename>/var/lib/systemd/home/local.private</filename></term>

<listitem><para>The private key of the public/private key pair used for local records. Currently,
only a single such key may be installed.</para></listitem>
</varlistentry>

<varlistentry>
<term><filename>/var/lib/systemd/home/local.public</filename></term>

<listitem><para>The public key of the public/private key pair used for local records. Currently,
only a single such key may be installed.</para></listitem>
</varlistentry>

<varlistentry>
<term><filename>/var/lib/systemd/home/*.public</filename></term>

<listitem><para>Additional public keys. Any users whose user records are signed with any of these keys
are permitted to log in locally. An arbitrary number of keys may be installed this
way.</para></listitem>
</varlistentry>
</variablelist>

<para>All key files listed above are in PEM format.</para>

<para>In order to migrate a home directory from a host <literal>foobar</literal> to another host
<literal>quux</literal> it is hence sufficient to copy
<filename>/var/lib/systemd/home/local.public</filename> from the host <literal>foobar</literal> to
<literal>quux</literal>, possibly naming the file on the destination
<filename>/var/lib/systemd/home/foobar.public</filename> to reflect the origin of the key. If the user
record should also be modifiable on <literal>quux</literal>, the pair
<filename>/var/lib/systemd/home/local.public</filename> and
<filename>/var/lib/systemd/home/local.private</filename> needs to be copied from <literal>foobar</literal>
to <literal>quux</literal> and placed under the identical paths there, as currently only a single
private key is supported per host. Note that the latter means that user records generated or signed on
<literal>quux</literal> before the key pair is copied in lose their validity.</para>
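<para>Added example, not part of systemd or of this manual page: a POSIX shell rehearsal of the migration just described, using constructed Ed25519 keys (homed's key type is assumed here) in a temporary directory in place of <filename>/var/lib/systemd/home/</filename>. It checks that a host's <filename>local.private</filename>/<filename>local.public</filename> pair actually matches, and whether a given public key is installed under any <filename>*.public</filename> name; the helper names are assumptions and <command>openssl</command> is required.</para>

```shell
#!/bin/sh
# Added example, not part of systemd: rehearse the key migration from host
# "foobar" to host "quux" using constructed keys in a temporary directory
# instead of the real /var/lib/systemd/home/. Ed25519 is assumed as homed's
# key type; the checks work for any PEM key that openssl can parse.
set -eu

# Canonicalise a PEM public key so two encodings of one key compare equal.
pubkey_canonical() { openssl pkey -pubin -in "$1" -pubout 2>/dev/null; }

# Derive the PEM public key from a PEM private key.
pubkey_from_private() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 if DIR/local.private and DIR/local.public are a matching pair (records can
# be modified on this host); 1 if either file is missing, unparsable or they
# disagree.
local_pair_matches() {
    if [ ! -f "$1/local.private" ] || [ ! -f "$1/local.public" ]; then return 1; fi
    priv=$(pubkey_from_private "$1/local.private") || return 1
    pub=$(pubkey_canonical "$1/local.public") || return 1
    [ "$priv" = "$pub" ]
}

# 0 if the public key in KEYFILE is installed in DIR under any *.public name,
# i.e. records signed with it would be accepted for local login there.
pubkey_installed() {
    want=$(pubkey_canonical "$2") || return 1
    for f in "$1"/*.public; do
        [ -f "$f" ] || continue
        if [ "$(pubkey_canonical "$f")" = "$want" ]; then return 0; fi
    done
    return 1
}

# Install SRC/local.public on DST as ORIGIN.public, reflecting where the key
# came from; the private key stays on SRC, so records stay read-only on DST.
migrate_public_key() { install -m 0644 "$1/local.public" "$2/$3.public"; }

# Constructed demo hosts; each starts out with its own local key pair.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
FOOBAR=$DEMO/foobar; QUUX=$DEMO/quux
for h in "$FOOBAR" "$QUUX"; do
    mkdir -p "$h"
    openssl genpkey -algorithm ED25519 -out "$h/local.private" 2>/dev/null
    chmod 0600 "$h/local.private"
    openssl pkey -in "$h/local.private" -pubout -out "$h/local.public" 2>/dev/null
done
migrate_public_key "$FOOBAR" "$QUUX" foobar
```

After the copy, records signed on foobar are accepted for login on quux but cannot be modified there; copying the full pair over quux's own keys makes them modifiable and, as the text notes, invalidates records signed with quux's previous key.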
</refsect1>

<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>homed.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam_systemd_home</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>userdbctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>org.freedesktop.home1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>