  • Using `realm join` with custom `authselect` profiles

    In the process of updating our hardening-automation to update configuration of `/etc/pam.d` files to leverage `authselect` vice direct-editing of files and am running into issues.

    Specifically, one of the security controls I need to implement states that the `pam_lastlog.so` module must be set as `required` (rather than the `optional` that comes in the default `sssd` profile for `authselect`). Neither `pam_lastlog.so` seems to have an `/etc/security/*.config` file (like pam_faillock and pam_pwhistory do), nor does `authselect` seem to let me change the `optional` to `required`.

    I thought I'd try cloning the default `sssd` profile (and create an `sssd-hardened` profile) and select that custom profile as my active profile. However, when I issue my `realm join …`, it pretty much says, "screw that custom profile you're using, we're going to select the default `sssd` profile as the active profile" ...which (effectively) clobbers the `pam_lastlog` fixes that I'd enabled in my custom authselect profile and the changes that I'd used authselect to make prior to the running of `realm join`. But, "nope".

    Figured I'd ask if anyone's run into this scenario and found a path past it before trying to open up a Bugzilla about it.
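
A post-join check for the condition the post describes, as an added example that is not part of the original post: it reports whether the active `authselect` profile is still the custom one and whether `pam_lastlog.so` is still `required`. The function names are hypothetical, and the default file `/etc/pam.d/postlogin` is an assumption about where the `pam_lastlog.so` line lives.

```shell
#!/bin/sh
# Added example. Profile name sssd-hardened comes from the post; the
# default PAM file path below is an assumption.

# Print the control field of each pam_lastlog.so line in PAM file $1.
lastlog_controls() {
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }      # skip comments and short lines
        {
            ctl = $2; i = 3
            # Bracketed controls such as [success=1 default=ignore] span fields.
            if (ctl ~ /^\[/)
                while (ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
            mod = $i; sub(/^.*\//, "", mod)      # drop any module directory
            if (mod == "pam_lastlog.so") print ctl
        }' "$1"
}

# Succeed only if $1 has a "required" pam_lastlog.so line and no "optional" one.
lastlog_required() {
    ctls=$(lastlog_controls "$1") || return 2
    printf '%s\n' "$ctls" | grep -qx 'required' || return 1
    ! printf '%s\n' "$ctls" | grep -qx 'optional'
}

# Succeed if the `authselect current --raw` output in $2 names profile $1.
profile_is() {
    [ "${2%% *}" = "$1" ]
}

# Call after `realm join`; returns non-zero if the hardening was lost.
verify_after_join() {
    want=${1:-custom/sssd-hardened}
    file=${2:-/etc/pam.d/postlogin}   # assumed location of the pam_lastlog.so line
    rc=0
    profile_is "$want" "$(authselect current --raw 2>/dev/null)" ||
        { echo "active profile is not $want" >&2; rc=1; }
    lastlog_required "$file" ||
        { echo "pam_lastlog.so is not 'required' in $file" >&2; rc=1; }
    return $rc
}
```

Running `verify_after_join` as the last step of the join automation turns a silent profile reset into a failed run.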

    Red Hat
    © 2025 Red Hat, Inc.