systemd-homed.service(8) - systemd

Name
systemd-homed.service, systemd-homed - Home Area/User Account Manager

Synopsis
systemd-homed.service
/usr/lib/systemd/systemd-homed
Description
systemd-homed is a system service that may be used to create, remove, change or
inspect home areas (directories and network mounts and real or loopback block devices with a filesystem,
optionally encrypted).
Most of systemd-homed's functionality is accessible through the
homectl(1) command.
See the Home Directories documentation for
details about the format and design of home areas managed by
systemd-homed.service.
Each home directory managed by systemd-homed.service synthesizes a local user
and group. These are made available to the system using the User/Group Record Lookup API via Varlink, and thus may be
browsed with userdbctl(1).
systemd-homed.service also manages blob directories for each home directory
it manages. See User Record Blob Directories
for more details.
Key Management
User records are cryptographically signed with a public/private key pair (the signature is part of
the JSON record itself). For a user to be permitted to log in locally the public key matching the
signature of their user record must be installed. For a user record to be modified locally the private
key matching the signature must be installed locally, too. The keys are stored in the
/var/lib/systemd/home/ directory:
/var/lib/systemd/home/local.private
The private key of the public/private key pair used for local records. Currently,
only a single such key may be installed.
/var/lib/systemd/home/local.public
The public key of the public/private key pair used for local records. Currently,
only a single such key may be installed.
/var/lib/systemd/home/*.public
Additional public keys. Any users whose user records are signed with any of these keys
are permitted to log in locally. An arbitrary number of keys may be installed this
way.
All key files listed above are in PEM format.
In order to migrate a home directory from a host foobar to another host
quux it is hence sufficient to copy
/var/lib/systemd/home/local.public from the host foobar to
quux, for example naming the file on the destination /var/lib/systemd/home/foobar.public to
reflect the origin of the key. If the user record should also be modifiable on quux, the pair
/var/lib/systemd/home/local.public and
/var/lib/systemd/home/local.private need to be copied from foobar
to quux and placed under the identical paths there, as currently only a single
private key is supported per host. Note that in the latter case any user records on quux that were
generated or signed with the previous key pair before the new one is copied in lose their validity.
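The migration procedure above, written out as a small POSIX shell helper. This is an added example, not part of the systemd manual or project: stage_homed_keys, is_pem and the "previous" naming are hypothetical names chosen here. It works on any two directories laid out like /var/lib/systemd/home/ (local.private, local.public, *.public, all PEM), and for the private-key case it keeps the destination's replaced public key as an additional *.public file so records signed with it can still log in (they remain unmodifiable, since only one private key is supported per host).

```shell
#!/bin/sh
# Added example (not systemd's code): stage homed key files for migrating user
# records from host ORIGIN (its key directory copied to SRC) into the key
# directory DST of host DESTHOST. Layout per systemd-homed.service(8):
# local.private, local.public and additional *.public keys, all in PEM format.

# Return 0 if the file is non-empty and has PEM BEGIN/END header lines.
is_pem() {
    [ -s "$1" ] && head -n 1 "$1" | grep -q '^-----BEGIN ' && \
        tail -n 1 "$1" | grep -q '^-----END '
}

# Usage: stage_homed_keys SRC DST ORIGIN DESTHOST [login-only|with-private]
#   login-only   (default) install ORIGIN's public key as DST/ORIGIN.public;
#                records signed by it may log in on the destination.
#   with-private install ORIGIN's key pair as DST/local.{public,private};
#                records also become modifiable on the destination.
stage_homed_keys() {
    src=$1; dst=$2; origin=$3; desthost=$4; mode=${5:-login-only}
    is_pem "$src/local.public" || { echo "missing or non-PEM $src/local.public" >&2; return 1; }
    mkdir -p "$dst"
    if [ "$mode" != with-private ]; then
        cp "$src/local.public" "$dst/$origin.public"
        return 0
    fi
    is_pem "$src/local.private" || { echo "missing or non-PEM $src/local.private" >&2; return 1; }
    # Only one private key per host: the origin's pair replaces the destination's
    # own. Preserve the old public key under another *.public name so records
    # signed with it can still log in (but can no longer be modified locally).
    if [ -f "$dst/local.public" ]; then
        cp "$dst/local.public" "$dst/$desthost-previous.public"
    fi
    cp "$src/local.public" "$dst/local.public"
    cp "$src/local.private" "$dst/local.private"
    # Restrictive mode for the private key: good practice, not stated by the man page.
    chmod 0600 "$dst/local.private"
}
```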
See Also
systemd(1), homed.conf(5), homectl(1), pam_systemd_home(8), userdbctl(1), org.freedesktop.home1(5)