Chapter 23. Using authselect
23.1. Explaining authselect
Authselect is a utility that simplifies the configuration of user authentication on a Red Hat Enterprise Linux host.
Authselect offers two ready-made profiles that can be universally used with all modern identity management systems:
For legacy compatibility reasons, the
nis profile is also available.
Red Hat recommends using
authselect in semi-centralized identity management environments, for example if your company utilizes the LDAP, winbind or nis databases to authenticate users to use services in your domain.
Do not use
authselect if your host is part of Red Hat Enterprise Linux Identity Management or Active Directory. The
ipa-client-install command, called when joining your host to a Red Hat Identity Management domain, takes full care of configuring authentication on your host. Similarly the
realm join command, called when joining your host to an Active Directory domain, takes full care of configuring authentication on your host.
authconfig utility, used in previous Red Hat Enterprise Linux versions, created and modified many different configuration files, making troubleshooting a difficult task.
Authselect makes testing and troubleshooting easy because it only modifies files in these directories:
The Name Service Switch (NSS) configuration file,
/etc/nsswitch.conf, is used by the GNU C Library and certain other applications to determine the sources from which to obtain name-service information in a range of categories, and in what order. Each category of information is identified by a database name.
Linux-PAM is a system of libraries that handle the authentication tasks of applications (services) on the system. The nature of the authentication is dynamically configurable: the system administrator can choose how individual service-providing applications will authenticate users. This dynamic configuration is set by the contents of the configuration files in the
/etc/pam.d/ directory, which list the PAMs that will do the authentication tasks required by this service, and the appropriate behavior of the PAM-API in the event that individual PAMs fail.
authselect profile is selected for a given host, the profile will be applied to every user logging into the host.
23.2. Choosing an authselect profile
As a system administrator, you can select a profile for the
authselect utility for a specific host. The profile will be applied to every user logging into the host.
authselectprofile that is appropriate for your authentication provider. For example, for logging into the network of a company that uses LDAP, choose
sssd. Run the command as root:
# authselect select
Optionally, review the contents of the
passwd: sss files group: sss files netgroup: sss files automount: sss files services: sss files ...
The content of the
/etc/nsswitch.conffile shows that selecting the
sssdprofile means that the system first uses
sssdif information concerning one of the first five items is requested. Only if the requested information is not found in the
sssdcache and on the server providing authentication, or if
sssdis not running, the system looks at the local files, that is
For example, if information is requested about a user id, the user id is first searched in the
sssdcache. If it is not found there, the local
/etc/passwdfile is consulted. Analogically, if a user’s group affiliation is requested, it is first searched in the
sssdcache and only if not found there, the
/etc/groupfile is consulted.
In practice, the local
filesdatabase does not normally get consulted at all. The only exception is the case of the
rootuser, which is never handled by
Optionally, review the contents of the
# Generated by authselect on Tue Sep 11 22:59:06 2018 # Do not modify this file manually. auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so ...
Among other things, the
/etc/pam.d/system-authfile contains information about:
- user password lockout condition
- the possibility to authenticate with a smart card
the possibility to authenticate with fingerprints
You can modify the default profile settings by adding the following options to the
authselect select sssdor
authselect select winbindcommand, for example:
To see the full list of available options, see Section 23.5, “Converting your scripts from authconfig to authselect” or the authselect-migration(7) man page.
Make sure that the configuration files that are relevant for your profile are configured properly before finishing the
authselect select procedure. For example, if the
sssd daemon is not configured correctly and active, running
authselect select results in only local users being able to authenticate, using pam_unix.
If adjusting a ready-made profile by adding one of the
authselect select command-line options described above is not enough for your use case, you can:
modify a ready-made profile by changing the
/etc/authselect/user-nsswitch.conffile. For details, see Section 23.3, “Modifying a ready-made authselect profile”.
- create your own custom profile. For details, see Section 23.4, “Creating and deploying your own custom authselect profile”.
23.3. Modifying a ready-made authselect profile
As a system administrator, you can modify one of the default profiles, the
winbind, or the
nis profile, to suit your needs. You can modify any of the items in the
/etc/authselect/user-nsswitch.conf file with the exception of:
profile_name afterwards will result in permissible changes to the profile being transferred from
/etc/authselect/user-nsswitch.conf to the
/etc/nsswitch.conf file but unacceptable changes being overwritten by the default profile configuration.
Do not modify the
/etc/nsswitch.conf file directly.
authselectprofile, for example:
Apply the changes from the
Optionally, review the
/etc/nsswitch.conffile to verify that the changes from
/etc/authselect/user-nsswitch.confhave been propagated there.
23.4. Creating and deploying your own custom authselect profile
As a system administrator, you can create and deploy a custom profile by customizing one of the default profiles, the
winbind, or the
nis profile. This is particularly useful if Section 23.3, “Modifying a ready-made authselect profile” is not enough for your needs. When you deploy a custom profile, the profile is applied to every user logging into the given host.
Create your custom profile by using the
authselect create-profilecommand. For example, to create a custom profile called
user-profilebased on the ready-made
sssdprofile but one in which you can configure the items in the
--symlink-pamNew profile was created at /etc/authselect/custom/user-profile
--symlink-pamoption in the command means that PAM templates will be symbolic links to the origin profile files instead of their copy; including the
--symlink-metaoption means that meta files, such as README and REQUIREMENTS will be symbolic links to the origin profile files instead of their copy. This ensures that all future updates to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.
The command has created a copy of the
/etc/nsswitch.conffile in the
Select the custom profile by running the
authselect selectcommand, and adding custom/name_of_the_profile as a parameter. For example, to select the
user-profileprofile for your machine means that if the
sssdprofile is subsequently updated by Red Hat, you will benefit from all the updates with the exception of updates made to the
The following procedure shows how to create a profile based on the
sssd profile which only consults the local static table lookup for hostnames in the
/etc/hosts file, not in the
/etc/nsswitch.conffile by editing the following line:
Create a custom profile based on
sssdthat excludes changes to
Select the profile:
Optionally, check that selecting the custom profile has
/etc/pam.d/system-authfile according to the chosen
left the configuration in the
sssdwould, in contrast, result in
hosts: files dns myhostname
- created the
23.5. Converting your scripts from authconfig to authselect
If you use
realm join to join a domain, you can safely remove any
authconfig call in your scripts. If this is not possible, replace each
authconfig call with its equivalent
authselect call. In doing that, select the correct profile and the appropriate options. In addition, edit the necessary configuration files:
Table 23.1, “Relation of authconfig options to authselect profiles” and Table 23.2, “Authselect profile option equivalents of authconfig options” show the
authselect equivalents of
Table 23.1. Relation of authconfig options to authselect profiles
Table 23.2. Authselect profile option equivalents of authconfig options
Authselect profile feature
Table 23.3, “Examples of authselect commands equivalents to authconfig commands” shows example transformations of Kickstart calls to
authconfig into Kickstart calls to
Table 23.3. Examples of authselect commands equivalents to authconfig commands
authconfig --enableldap --enableldapauth --enablefaillock --updateall
authselect select sssd with-faillock
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
authselect select sssd with-smartcard
authconfig --enableecryptfs --enablepamaccess --updateall
authselect select sssd with-ecryptfs with-pamaccess
authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
realm join -U Administrator --client-software=winbind