Chapter 2. Configuring user authentication using authselect
The authselect utility simplifies system identity and authentication configuration. Utilize specific profiles to automatically manage PAM and NSS settings, ensuring consistent access controls for local and remote users.
2.1. What is authselect used for
Authselect simplifies system identity management by providing ready-made configuration profiles. Select a profile to automatically generate the necessary PAM and NSS settings, ensuring consistent authentication across local and remote sources.
You can use the default profile set or create a custom profile. Note that you must manually update custom profiles to keep them up to date with your system.
Authselect profiles
- local
  Configures authentication to handle local users without SSSD by using traditional system files such as /etc/passwd and /etc/shadow. This is the default profile.
- sssd
  Enables SSSD for systems that use LDAP authentication. Use this profile to integrate remote identity providers and support features such as smart cards, GSSAPI, and session recording.
- winbind
  Enables the Winbind utility for systems directly integrated with Microsoft Active Directory.
After selecting an authselect profile for a given host, the profile applies to all users logging into the host.
Red Hat recommends using authselect to manage authentication settings in semi-centralized identity management environments, for example if your organization utilizes LDAP or Winbind databases to authenticate users to use services in your domain.
If the provided profile set is not sufficient, you can create a custom profile.
You do not need to use authselect if:
- Your host is part of Red Hat Enterprise Linux Identity Management (IdM). Joining your host to an IdM domain with the ipa-client-install command automatically configures SSSD authentication on your host.
- Your host is part of Active Directory via SSSD. Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host.
Red Hat recommends against changing the authselect profiles configured by ipa-client-install or realm join. If you need to modify them, display the current settings before making any modifications, so you can revert back to them if necessary:
$ authselect current
Profile ID: sssd
Enabled features:
- with-sudo
- with-mkhomedir
- with-smartcard
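The following shell script is an added example and is not part of this Red Hat documentation. It turns the output of authselect current, as shown above, into the authselect select command that restores the same profile and feature set, so you can record the pre-change state of a host configured by ipa-client-install or realm join and revert to it later. The sample output is constructed to match the excerpt above; the save path used by save_authselect_state is an assumed placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat documentation): reconstruct an
# `authselect select ...` command from the output of `authselect current`.
set -eu

# Constructed sample: identical to the `authselect current` output above.
SAMPLE_CURRENT='Profile ID: sssd
Enabled features:
- with-sudo
- with-mkhomedir
- with-smartcard'

# revert_command_from_current: read `authselect current` output on stdin and
# print the `authselect select` command line that re-applies that state.
# Returns 1 when no "Profile ID:" line is present (for example the
# "No existing configuration detected." message).
revert_command_from_current() {
    local profile="" features="" line
    while IFS= read -r line; do
        case "$line" in
            "Profile ID: "*) profile="${line#Profile ID: }" ;;
            "- "*)           features="$features ${line#- }" ;;
        esac
    done
    if [ -z "$profile" ]; then
        echo "no 'Profile ID:' line found in input" >&2
        return 1
    fi
    printf 'authselect select %s%s\n' "$profile" "$features"
}

# save_authselect_state [FILE]: record the live state on a real host and print
# the revert command. FILE defaults to an assumed placeholder path.
save_authselect_state() {
    local out="${1:-/root/authselect-before.txt}"   # assumed path
    authselect current > "$out"
    revert_command_from_current < "$out"
}

# Offline usage against the constructed sample:
printf '%s\n' "$SAMPLE_CURRENT" | revert_command_from_current
```

On a real host, run save_authselect_state before changing anything; the printed command is the one to run if the new configuration needs to be backed out.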
2.1.1. Files and directories modified by authselect
authselect modifies only a limited set of configuration files, making it easier to manage and troubleshoot authentication settings.
| File or directory | Description |
| --- | --- |
| /etc/nsswitch.conf | The GNU C Library and other applications use this Name Service Switch (NSS) configuration file to determine the sources from which to obtain name-service information in a range of categories, and in what order. Each category of information is identified by a database name. |
| /etc/pam.d/ | Linux-PAM (Pluggable Authentication Modules) is a system of modules that handle the authentication tasks of applications (services) on the system. The nature of the authentication is dynamically configurable: the system administrator can choose how individual service-providing applications will authenticate users. Among other things, the configuration files in this directory contain information about: |
| | This directory holds configuration profiles for the |
2.2. Choosing an authselect profile
Select specific authselect profiles to enforce authentication policies on a host. This process configures the system to use the chosen identity provider for all user logins.
Prerequisites
- You need root credentials to run authselect commands.
Make sure that the configuration files that are relevant for your profile are configured properly before finishing the authselect select procedure. For example, if the sssd daemon is not configured correctly and active, running authselect select results in only local users being able to authenticate, using pam_unix.
Procedure
1. Select the authselect profile that is appropriate for your authentication provider. Replace <profile> with the profile name that you want to use:
   # authselect select <profile>
2. Optional: You can modify the default profile settings by enabling or disabling features that the selected profile provides:
   # authselect select <profile> <feature>
   For example, to select the sssd profile and enable smart card authentication in addition to password authentication:
   # authselect select sssd with-smartcard
Verification
1. Verify that sss entries for SSSD are present in /etc/nsswitch.conf:
   passwd:     sss files
   group:      sss files
   netgroup:   sss files
   automount:  sss files
   services:   sss files
   ...
2. Review the contents of the /etc/pam.d/system-auth file for pam_sss.so entries:
   # Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
   # You can stop authselect from managing your configuration by calling 'authselect opt-out'.
   # See authselect(8) for more details.
   auth        required      pam_env.so
   auth        required      pam_faildelay.so delay=2000000
   auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
   auth        [default=1 ignore=ignore success=ok] pam_localuser.so
   auth        sufficient    pam_unix.so nullok try_first_pass
   auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
   auth        sufficient    pam_sss.so forward_pass
   auth        required      pam_deny.so
   account     required      pam_unix.so
   account     sufficient    pam_localuser.so
   ...
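The following shell script is an added example, not part of this Red Hat documentation, that automates the two verification steps above: it checks that the core NSS databases list sss as a source and that pam_sss.so appears in the auth stack of system-auth. It takes file paths as arguments so it can be run against /etc/nsswitch.conf and /etc/pam.d/system-auth on a real host; the files it builds under a temporary directory are constructed samples that mirror the excerpts above, including a "local only" system-auth with no pam_sss.so line to show the failure report.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat documentation): verify that NSS and PAM
# are wired to SSSD the way the verification steps describe.
set -eu

# nss_databases_using_sss FILE: print each NSS database in FILE whose source
# list contains "sss" (comment lines are ignored).
nss_databases_using_sss() {
    awk -F: '$1 !~ /^[ \t]*#/ && NF >= 2 {
        n = split($2, src, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (src[i] == "sss") { gsub(/[ \t]/, "", $1); print $1 }
    }' "$1"
}

# pam_sss_in_auth_stack FILE: succeed if FILE has an uncommented auth line
# that loads pam_sss.so.
pam_sss_in_auth_stack() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+.*pam_sss\.so' "$1"
}

# check_sssd_wiring NSSWITCH SYSTEM_AUTH: report each check and return 0 only
# if every expected database uses sss and pam_sss.so is in the auth stack.
check_sssd_wiring() {
    local nss="$1" pam="$2" missing=0 db
    for db in passwd group netgroup automount services; do
        if nss_databases_using_sss "$nss" | grep -qx "$db"; then
            echo "ok: $db uses sss"
        else
            echo "MISSING: $db does not list sss in $nss"; missing=1
        fi
    done
    if pam_sss_in_auth_stack "$pam"; then
        echo "ok: pam_sss.so present in auth stack of $pam"
    else
        echo "MISSING: no pam_sss.so auth line in $pam (only local users could log in)"; missing=1
    fi
    return $missing
}

# Constructed samples mirroring the excerpts in the verification steps.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/nsswitch.conf" <<'EOF'
# constructed sample
passwd:     sss files
group:      sss files
netgroup:   sss files
automount:  sss files
services:   sss files
hosts:      files dns myhostname
EOF
cat > "$TMP/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
# Constructed "local only" stack: what a host looks like when pam_sss is absent.
cat > "$TMP/system-auth-local" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
EOF

# Usage against the constructed samples; on a host pass the real paths:
# check_sssd_wiring /etc/nsswitch.conf /etc/pam.d/system-auth
check_sssd_wiring "$TMP/nsswitch.conf" "$TMP/system-auth"
```

The exit status makes the check usable from configuration management or a post-join health check: a non-zero result means remote users will not be resolved or authenticated through SSSD, which matches the page's warning that a misconfigured sssd leaves only local pam_unix authentication working.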
2.3. Creating and deploying your own authselect profile
Create custom profiles by duplicating default templates to accommodate specific requirements. This approach permits detailed configuration changes while maintaining system compatibility. Applying the profile enforces these settings for all users.
Procedure
1. To create your custom profile, run the authselect create-profile command. Replace <custom_profile> with the desired profile name. For example, to create a profile based on the ready-made sssd profile with the option to configure the items in the /etc/nsswitch.conf file yourself, use the following command:
   # authselect create-profile <custom_profile> -b sssd --symlink-meta --symlink-pam
   New profile was created at /etc/authselect/custom/<custom_profile>
   Warning: If you are planning to modify /etc/authselect/custom/<custom_profile>/{password-auth,system-auth,fingerprint-auth,smartcard-auth,postlogin}, then enter the command above without the --symlink-pam option. This is to ensure that the modification persists during the upgrade of authselect-libs.
   Including the --symlink-pam option in the command means that PAM templates are symbolic links to the origin profile files instead of their copy; including the --symlink-meta option means that meta files, such as README and REQUIREMENTS, are symbolic links to the origin profile files instead of their copy. This ensures that all future updates to the PAM templates and meta files in the original profile are reflected in your custom profile, too.
   The command creates a copy of the /etc/nsswitch.conf file in the /etc/authselect/custom/<custom_profile>/ directory.
2. Configure the /etc/authselect/custom/<custom_profile>/nsswitch.conf file.
3. Select the custom profile by running the authselect select command with custom/<custom_profile> as a parameter:
   # authselect select custom/<custom_profile>
   Selecting the <custom_profile> profile for your machine means that if the sssd profile is subsequently updated by Red Hat, you benefit from all the updates with the exception of updates made to the /etc/nsswitch.conf file.
Example creating a custom profile based on the sssd profile:
You can create a profile based on the sssd profile which only consults the local static table lookup for hostnames in the /etc/hosts file, not in the dns or myhostname databases.
1. Edit the /etc/nsswitch.conf file by editing the following line:
   hosts: files
2. Create a custom profile based on sssd that excludes changes to /etc/nsswitch.conf:
   # authselect create-profile custom-sssd-profile -b sssd --symlink-meta --symlink-pam
3. Select the profile:
   # authselect select custom/custom-sssd-profile
4. Optional: Check that selecting the custom profile has
   - created the /etc/pam.d/system-auth file according to the chosen sssd profile
   - left the configuration in the /etc/nsswitch.conf unchanged:
     hosts: files
   Note: Running authselect select sssd would, in contrast, result in:
     hosts: files dns myhostname
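The following shell script is an added example and is not part of this Red Hat documentation. It audits a custom profile directory such as /etc/authselect/custom/custom-sssd-profile: it reports whether each PAM template is a symbolic link to the base profile (the result of --symlink-pam, which tracks authselect-libs updates but means in-place edits would not survive as the warning above describes) or a private copy, and prints the hosts sources from the profile's own nsswitch.conf. The directory tree it builds is constructed; the base-profile location is an assumed stand-in for the real origin profile, not the path authselect uses.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat documentation): audit a custom
# authselect profile directory for linked versus copied PAM templates and
# report the hosts sources in its nsswitch.conf.
set -eu

# The PAM templates named in the warning in the procedure above.
PAM_TEMPLATES="password-auth system-auth fingerprint-auth smartcard-auth postlogin"

# template_kind DIR NAME: print "symlink", "copy" or "absent" for DIR/NAME.
template_kind() {
    if [ -L "$1/$2" ]; then echo symlink
    elif [ -f "$1/$2" ]; then echo copy
    else echo absent
    fi
}

# hosts_sources FILE: print the source list of the hosts database in FILE.
hosts_sources() {
    awk -F: '$1 ~ /^[ \t]*hosts[ \t]*$/ {
        sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
    }' "$1"
}

# audit_profile DIR: one line per PAM template plus the hosts line. Returns 1
# if any template is a symlink, because editing such a file changes the base
# profile rather than this custom profile.
audit_profile() {
    local dir="$1" name kind linked=0
    for name in $PAM_TEMPLATES; do
        kind=$(template_kind "$dir" "$name")
        echo "$name: $kind"
        if [ "$kind" = symlink ]; then linked=1; fi
    done
    echo "hosts: $(hosts_sources "$dir/nsswitch.conf")"
    return $linked
}

# Constructed layout (assumed paths, not the real authselect directories).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
BASE="$TMP/default/sssd"                       # stand-in for the origin profile
CUSTOM="$TMP/custom/custom-sssd-profile"       # created with --symlink-pam
COPIED="$TMP/custom/copied-profile"            # created without --symlink-pam
mkdir -p "$BASE" "$CUSTOM" "$COPIED"
for name in $PAM_TEMPLATES; do
    printf '# base template %s\n' "$name" > "$BASE/$name"
    ln -s "$BASE/$name" "$CUSTOM/$name"        # symlinked templates
    cp "$BASE/$name" "$COPIED/$name"           # copied templates
done
printf 'hosts: files\npasswd: sss files\n' > "$CUSTOM/nsswitch.conf"
printf 'hosts: files dns myhostname\n' > "$COPIED/nsswitch.conf"

# Usage against the constructed profile; on a host pass the real directory:
# audit_profile /etc/authselect/custom/custom-sssd-profile
audit_profile "$CUSTOM" \
    || echo "note: PAM templates are links; recreate the profile without --symlink-pam before editing them"
```

Running the audit before editing a custom profile tells you whether your PAM changes will live in the custom profile or silently land in the base profile, and the hosts line confirms the nsswitch.conf restriction from the example above is in the profile that will be selected.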
2.4. Opting out of using authselect
You cannot uninstall authselect but can opt out to stop it from managing configurations. This action restores PAM and NSS files to their default locations, returning full manual control over authentication settings.
Authselect ensures consistent and supported management of system authentication and identity configuration. Opting out might lead to unsupported or inconsistent configurations, which can cause authentication issues. If you require a special configuration, consider creating a custom profile within the authselect framework.
Procedure
1. To stop authselect from managing your system’s configuration:
   # authselect opt-out
2. To start using authselect again, run authselect select <profile_name>.