-rw-r--r--  man/systemd-homed.service.xml  49
1 files changed, 49 insertions, 0 deletions
diff --git a/man/systemd-homed.service.xml b/man/systemd-homed.service.xml
index e4c520ff2f..a51bd36d41 100644
--- a/man/systemd-homed.service.xml
+++ b/man/systemd-homed.service.xml
@@ -48,6 +48,55 @@
</refsect1>
<refsect1>
+ <title>Key Management</title>
+
+ <para>User records are cryptographically signed with a public/private key pair (the signature is part of
+ the JSON record itself). For a user to be permitted to log in locally the public key matching the
+ signature of their user record must be installed. For a user record to be modified locally the private
+ key matching the signature must be installed locally, too. The keys are stored in the
+ <filename>/var/lib/systemd/home/</filename> directory:</para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><filename>/var/lib/systemd/home/local.private</filename></term>
+
+ <listitem><para>The private key of the public/private key pair used for local records. Currently,
+ only a single such key may be installed.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/var/lib/systemd/home/local.public</filename></term>
+
+ <listitem><para>The public key of the public/private key pair used for local records. Currently,
+ only a single such key may be installed.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/var/lib/systemd/home/*.public</filename></term>
+
+ <listitem><para>Additional public keys. Any users whose user records are signed with any of these keys
+ are permitted to log in locally. An arbitrary number of keys may be installed this
+ way.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>All key files listed above are in PEM format.</para>
+
+ <para>In order to migrate a home directory from a host <literal>foobar</literal> to another host
+ <literal>quux</literal> it is hence sufficient to copy
+ <filename>/var/lib/systemd/home/local.public</filename> from the host <literal>foobar</literal> to
+ <literal>quux</literal>, maybe calling the file on the destination
+ <filename>/var/lib/systemd/home/foobar.public</filename>, reflecting the origin of the key. If the user
+ record should be modifiable on <literal>quux</literal> the pair
+ <filename>/var/lib/systemd/home/local.public</filename> and
+ <filename>/var/lib/systemd/home/local.private</filename> need to be copied from <literal>foobar</literal>
+ to <literal>quux</literal>, and placed under the identical paths there, as currently only a single
+ private key is supported per host. Note of course that the latter means that user records
+ generated/signed before the key pair is copied in, lose their validity.</para>
+ </refsect1>
+
+ <refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
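Review bot: the last sentence of the migration paragraph ("user records generated/signed before the key pair is copied in, lose their validity") reads as though those records become unusable, yet the rules stated earlier in the same section mean they only lose local modifiability: if the previous local.public is kept installed under another name as one of the <filename>/var/lib/systemd/home/*.public</filename> keys, login with records signed by the old key continues to work. Suggest stating that explicitly, e.g. "Note that user records signed with the previous key pair can then no longer be modified locally, but remain valid for login as long as the previous <filename>local.public</filename> is kept installed under a different name." Two smaller points in the same hunk: the <filename>local.private</filename> entry says nothing about the ownership and file mode the service expects for a private key, which an administrator copying the file between hosts needs to know, and the paragraph only says the files are "in PEM format" without naming the key type, so a reader cannot tell which keys are acceptable; "maybe calling the file on the destination" would also read more clearly as "optionally naming the file on the destination".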