authselect is a utility that allows you to configure system identity and authentication sources by selecting a specific profile. Profile is a set of files that describes how the resulting Pluggable Authentication Modules (PAM) and Network Security Services (NSS) configuration will look like. You can choose the default profile set or create a custom profile.
2.1.What is authselect used for
You can use the authselect utility to configure user authentication on a RedHat EnterpriseLinux 8 host.
You can configure identity information and authentication sources and providers by selecting one of the ready-made profiles:
- The default
sssdprofile enables the System Security Services Daemon (SSSD) for systems that use LDAP authentication. - The
winbindprofile enables the Winbind utility for systems directly integrated with Microsoft Active Directory. - The
nisprofile ensures compatibility with legacy Network Information Service (NIS) systems. - The
minimalprofile serves only local users and groups directly from system files, which allows administrators to remove network authentication services that are no longer needed.
After selecting an authselect profile for a given host, the profile is applied to every user logging into the host.
Red Hat recommends using authselect in semi-centralized identity management environments, for example if your organization utilizes LDAP, Winbind, or NIS databases to authenticate users to use services in your domain.
Warning
You do not need to use authselect if:
- Your host is part of RedHat EnterpriseLinux IdentityManagement (IdM). Joining your host to an IdM domain with the
ipa-client-installcommand automatically configures SSSD authentication on your host. - Your host is part of ActiveDirectory via SSSD. Calling the
realm joincommand to join your host to an ActiveDirectory domain automatically configures SSSD authentication on your host.
Red Hat recommends against changing the authselect profiles configured by ipa-client-install or realm join. If you need to modify them, display the current settings before making any modifications, so you can revert back to them if necessary:
$ authselect currentProfile ID: sssdEnabled features:- with-sudo- with-mkhomedir- with-smartcard2.1.1.Files and directories authselect modifies
The authconfig utility, used in previous RedHat EnterpriseLinux versions, created and modified many different configuration files, making troubleshooting more difficult. Authselect simplifies testing and troubleshooting because it only modifies the following files and directories:
|
| The GNU C Library and other applications use this Name Service Switch (NSS) configuration file to determine the sources from which to obtain name-service information in a range of categories, and in what order. Each category of information is identified by a database name. |
|
| Linux-PAM (Pluggable Authentication Modules) is a system of modules that handle the authentication tasks of applications (services) on the system. The nature of the authentication is dynamically configurable: the system administrator can choose how individual service-providing applications will authenticate users. The configuration files in the Among other things, these files contain information about:
|
|
| This directory holds configuration profiles for the |
2.1.2.Data providers in /etc/nsswitch.conf
The default sssd profile establishes SSSD as a source of information by creating sss entries in /etc/nsswitch.conf:
passwd: sss filesgroup: sss filesnetgroup: sss filesautomount: sss filesservices: sss files...
This means that the system first looks to SSSD if information concerning one of those items is requested:
passwdfor user informationgroupfor user group informationnetgroupfor NISnetgroupinformationautomountfor NFS automount informationservicesfor information regarding services
Only if the requested information is not found in the sssd cache and on the server providing authentication, or if sssd is not running, the system looks at the local files, that is /etc/*.
For example, if information is requested about a user ID, the user ID is first searched in the sssd cache. If it is not found there, the /etc/passwd file is consulted. Analogically, if a user’s group affiliation is requested, it is first searched in the sssd cache and only if not found there, the /etc/group file is consulted.
In practice, the local files database is not normally consulted. The most important exception is the case of the root user, which is never handled by sssd but by files.
2.2.Choosing an authselect profile
As a system administrator, you can select a profile for the authselect utility for a specific host. The profile will be applied to every user logging into the host.
Prerequisites
- You need
rootcredentials to runauthselectcommands
Procedure
Select the
authselectprofile that is appropriate for your authentication provider. For example, for logging into the network of a company that uses LDAP, choosesssd.# authselect select
sssd(Optional) You can modify the default profile settings by adding the following options to the
authselect select sssdorauthselect select winbindcommand, for example:with-faillockwith-smartcardwith-fingerprint
To see the full list of available options, see Converting your scripts from authconfig to authselect or the
authselect-migration(7)man page.
Note
Make sure that the configuration files that are relevant for your profile are configured properly before finishing the authselect select procedure. For example, if the sssd daemon is not configured correctly and active, running authselect select results in only local users being able to authenticate, using pam_unix.
Verification Steps
Verify
sssentries for SSSD are present in/etc/nsswitch.conf:passwd: sss filesgroup: sss filesnetgroup: sss filesautomount: sss filesservices: sss files...
Review the contents of the
/etc/pam.d/system-authfile forpam_sss.soentries:# Generated by authselect on Tue Sep 11 22:59:06 2018# Do not modify this file manually.auth required pam_env.soauth required pam_faildelay.so delay=2000000auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quietauth [default=1 ignore=ignore success=ok] pam_localuser.soauth sufficient pam_unix.so nullok try_first_passauth requisite pam_succeed_if.so uid >= 1000 quiet_successauth sufficient pam_sss.so forward_passauth required pam_deny.soaccount required pam_unix.soaccount sufficient pam_localuser.so...
Additional Resources
- What is authselect used for
- Modifying a ready-made authselect profile
- Creating and deploying your own authselect profile
2.3.Modifying a ready-made authselect profile
As a system administrator, you can modify one of the default profiles to suit your needs.
You can modify any of the items in the /etc/authselect/user-nsswitch.conf file with the exception of:
passwdgroupnetgroupautomountservices
Running authselect select profile_name afterwards will result in transferring permissible changes from /etc/authselect/user-nsswitch.conf to the /etc/nsswitch.conf file. Unacceptable changes are overwritten by the default profile configuration.
Important
Do not modify the /etc/nsswitch.conf file directly.
Procedure
Select an
authselectprofile, for example:#
authselect selectsssd- Edit the
/etc/authselect/user-nsswitch.conffile with your desired changes. Apply the changes from the
/etc/authselect/user-nsswitch.conffile:#
authselect apply-changes
Verification steps
- Review the
/etc/nsswitch.conffile to verify that the changes from/etc/authselect/user-nsswitch.confhave been propagated there.
Additional Resources
- What is authselect used for
2.4.Creating and deploying your own authselect profile
As a system administrator, you can create and deploy a custom profile by making a customized copy of one of the default profiles.
This is particularly useful if Modifying a ready-made authselect profile is not enough for your needs. When you deploy a custom profile, the profile is applied to every user logging into the given host.
Procedure
Create your custom profile by using the
authselect create-profilecommand. For example, to create a custom profile calleduser-profilebased on the ready-madesssdprofile but one in which you can configure the items in the/etc/nsswitch.conffile yourself:#
authselect create-profileuser-profile-bsssd--symlink-meta--symlink-pamNew profile was created at /etc/authselect/custom/user-profileWarning
If you are planning to modify
/etc/authselect/custom/user-profile/{password-auth,system-auth,fingerprint-auth,smartcard-auth,postlogin}, then enter the command above without the--symlink-pamoption. This is to ensure that the modification persists during the upgrade ofauthselect-libs.Including the
--symlink-pamoption in the command means that PAM templates will be symbolic links to the origin profile files instead of their copy; including the--symlink-metaoption means that meta files, such as README and REQUIREMENTS will be symbolic links to the origin profile files instead of their copy. This ensures that all future updates to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.The command creates a copy of the
/etc/nsswitch.conffile in the/etc/authselect/custom/user-profile/directory.- Configure the
/etc/authselect/custom/user-profile/nsswitch.conffile. Select the custom profile by running the
authselect selectcommand, and addingcustom/name_of_the_profileas a parameter. For example, to select theuser-profileprofile:#
authselect selectcustom/user-profileSelecting the
user-profileprofile for your machine means that if thesssdprofile is subsequently updated by RedHat, you will benefit from all the updates with the exception of updates made to the/etc/nsswitch.conffile.Example2.1.Creating a profile
The following procedure shows how to create a profile based on the
sssdprofile which only consults the local static table lookup for hostnames in the/etc/hostsfile, not in thednsormyhostnamedatabases.Edit the
/etc/nsswitch.conffile by editing the following line:hosts: files
Create a custom profile based on
sssdthat excludes changes to/etc/nsswitch.conf:#
authselect create-profileuser-profile-bsssd--symlink-meta --symlink-pamSelect the profile:
#
authselect selectcustom/user-profileOptionally, check that selecting the custom profile has
- created the
/etc/pam.d/system-authfile according to the chosensssdprofile left the configuration in the
/etc/nsswitch.confunchanged:hosts: files
Note
Running
authselect selectsssdwould, in contrast, result inhosts: files dns myhostname
- created the
Additional Resources
- What is authselect used for
2.5.Converting your scripts from authconfig to authselect
If you use ipa-client-install or realm join to join a domain, you can safely remove any authconfig call in your scripts. If this is not possible, replace each authconfig call with its equivalent authselect call. In doing that, select the correct profile and the appropriate options. In addition, edit the necessary configuration files:
/etc/krb5.conf/etc/sssd/sssd.conf(for thesssdprofile) or/etc/samba/smb.conf(for thewinbindprofile)
Relation of authconfig options to authselect profiles and Authselect profile option equivalents of authconfig options show the authselect equivalents of authconfig options.
| Authconfig options | Authselect profile |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Authconfig option | Authselect profile feature |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Examples of authselect command equivalents to authconfig commands shows example transformations of Kickstart calls to authconfig into Kickstart calls to authselect.
| authconfig command | authselect equivalent |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
2.6.Additional resources
- Set Password Policy/Complexity in Red Hat Enterprise Linux 8
